[pve-devel] [RFC cluster/common/manager 0/10] ACME library and certificate management

Fabian Grünbichler f.gruenbichler at proxmox.com
Wed Apr 11 10:08:41 CEST 2018


this patch series is a rough first draft implementing the following features:

- Certificate utility module (pve-common)
- ACME v9 / Let's Encrypt v2 API client library (pve-common)
- PVE specific Certificate helper utility (pve-manager)
- new per-node configuration file in /etc/pve/nodes/FOO/config and API for managing (pve-manager)
- API for managing ACME accounts (pve-manager)
- API for managing custom and ACME certificate (pve-manager)

ACME account related API endpoints:

GET /cluster/acme/tos
  retrieves TermsOfService from an ACME directory endpoint

POST /cluster/acme/account
  register new ACME account (and save in /etc/pve/priv/acme/ under a name)

PUT /cluster/acme/account/{name}
  update ACME account with new data

GET /cluster/acme/account/{name}
  refresh ACME account information

DELETE /cluster/acme/account/{name}
  deactivate ACME account

Node config related API endpoints:

GET /nodes/{node}/config
  get node configuration

PUT /nodes/{node}/config
  update node configuration

Certificate related API endpoints:

GET /nodes/{node}/certificates/info
  retrieve information about self-signed and custom/ACME certificates

POST /nodes/{node}/certificates/custom
  upload custom certificate (chain) and key

DELETE /nodes/{node}/certificates/custom
  delete custom certificate files and revert to self-signed certificates

POST /nodes/{node}/certificates/acme/certificate
  order new certificate from ACME CA (according to node configuration)

PUT /nodes/{node}/certificates/acme/certificate
  renew existing ACME certificate (according to node configuration)

DELETE /nodes/{node}/certificates/acme/certificate
  revoke existing ACME certificate (according to node configuration)

the /nodes/{node}/certificates/acme/certificate endpoint is intentionally not
just /nodes/{node}/certificates/acme to reserve some namespace for future
expansion.

TODOs / rough edges in the current RFC state:
- CLI for node configuration and certificate handling ('pvenode' with
  subcommands?)
- replace CSR generation via openssl binary with Net::SSLeay and move to
  Certificate.pm (no more temp files needed)
- timer/service for periodic checks and auto-renewal
- ACME challenge plugin infrastructure (registry, loading, matching with
  challenges)
- GUI
- documentation
- StandAlone challenge 'plugin' uses Simple::HTTP::Server::CGI
- ...

future improvements:
- make key type configurable
- make challenge plugin configurable
- support wildcard certificates (need DNS challenge with Let's Encrypt)
- manage self-signed certificates with same helpers?
- deprecate pvecm updatecerts in favour of new code in pve-manager?
- ...

diffstats:

pve-cluster:

Fabian Grünbichler (1):
  cluster: add cfs_lock_acme

 data/PVE/Cluster.pm | 8 ++++++++
 1 file changed, 8 insertions(+)

pve-common:

Fabian Grünbichler (4):
  acme: add ACME library
  acme: add challenge plugins
  build: install ACME files
  add Certificate helper

 src/Makefile               |   5 +
 src/PVE/ACME.pm            | 619 +++++++++++++++++++++++++++++++++++++++++++++
 src/PVE/ACME/Challenge.pm  |  22 ++
 src/PVE/ACME/StandAlone.pm |  74 ++++++
 src/PVE/Certificate.pm     | 120 +++++++++
 5 files changed, 840 insertions(+)
 create mode 100644 src/PVE/ACME.pm
 create mode 100644 src/PVE/ACME/Challenge.pm
 create mode 100644 src/PVE/ACME/StandAlone.pm
 create mode 100644 src/PVE/Certificate.pm

pve-manager:

Fabian Grünbichler (5):
  add CertHelpers utility
  add node configuration file and API
  add ACME account API endpoints
  add ACME certificate API endpoints
  add certificates API endpoints

 PVE/API2/Makefile        |   4 +
 PVE/Makefile             |   2 +
 PVE/API2/ACME.pm         | 319 +++++++++++++++++++++++++++++++++++++++++++++++
 PVE/API2/ACMEAccount.pm  | 278 +++++++++++++++++++++++++++++++++++++++++
 PVE/API2/Certificates.pm | 202 ++++++++++++++++++++++++++++++
 PVE/API2/Cluster.pm      |   7 ++
 PVE/API2/NodeConfig.pm   |  99 +++++++++++++++
 PVE/API2/Nodes.pm        |  15 +++
 PVE/CertHelpers.pm       | 104 +++++++++++++++
 PVE/NodeConfig.pm        | 205 ++++++++++++++++++++++++++++++
 10 files changed, 1235 insertions(+)
 create mode 100644 PVE/API2/ACME.pm
 create mode 100644 PVE/API2/ACMEAccount.pm
 create mode 100644 PVE/API2/Certificates.pm
 create mode 100644 PVE/API2/NodeConfig.pm
 create mode 100644 PVE/CertHelpers.pm
 create mode 100644 PVE/NodeConfig.pm

-- 
2.14.2
