[pve-devel] [RFC manager 4/5] add ACME certificate API endpoints

Wolfgang Bumiller w.bumiller at proxmox.com
Fri Apr 13 13:30:29 CEST 2018


On Wed, Apr 11, 2018 at 10:08:50AM +0200, Fabian Grünbichler wrote:
> for creating/ordering a new certificate and renewing respectively
> revoking an existing one.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
>  PVE/API2/Makefile |   1 +
>  PVE/API2/ACME.pm  | 319 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 320 insertions(+)
>  create mode 100644 PVE/API2/ACME.pm
> 
> diff --git a/PVE/API2/Makefile b/PVE/API2/Makefile
> index d72ddd9b..44b9cf7c 100644
> --- a/PVE/API2/Makefile
> +++ b/PVE/API2/Makefile
> @@ -14,6 +14,7 @@ PERLSOURCE = 			\
>  	Pool.pm			\
>  	Tasks.pm		\
>  	Network.pm		\
> +	ACME.pm			\
>  	ACMEAccount.pm		\
>  	NodeConfig.pm		\
>  	Services.pm
> diff --git a/PVE/API2/ACME.pm b/PVE/API2/ACME.pm
> new file mode 100644
> index 00000000..23db9c94
> --- /dev/null
> +++ b/PVE/API2/ACME.pm
> @@ -0,0 +1,319 @@
> +package PVE::API2::ACME;
> +
> +use strict;
> +use warnings;
> +
> +use PVE::ACME;
> +use PVE::ACME::StandAlone;
> +use PVE::CertHelpers;
> +use PVE::Certificate;
> +use PVE::Exception qw(raise raise_param_exc);
> +use PVE::JSONSchema qw(get_standard_option);
> +use PVE::NodeConfig;
> +use PVE::Tools qw(extract_param);
> +
> +use IO::Handle;
> +
> +use base qw(PVE::RESTHandler);
> +
> +__PACKAGE__->register_method ({
> +    name => 'index',
> +    path => '',
> +    method => 'GET',
> +    permissions => { user => 'all' },
> +    description => "ACME index.",
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {
> +	    node => get_standard_option('pve-node'),
> +	},
> +    },
> +    returns => {
> +	type => 'array',
> +	items => {
> +	    type => "object",
> +	    properties => {},
> +	},
> +	links => [ { rel => 'child', href => "{name}" } ],
> +    },
> +    code => sub {
> +	my ($param) = @_;
> +
> +	return [
> +	    { name => 'certificate' },
> +	];
> +    },
> +});
> +
> +my $order_certificate = sub {
> +    my ($acme, $domains) = @_;
> +    print "Placing ACME order\n";
> +    my ($order_url, $order) = $acme->new_order($domains);
> +    print "Order URL: $order_url\n";
> +    for my $auth_url (@{$order->{authorizations}}) {
> +	print "\nGetting authorization details from '$auth_url'\n";
> +	my $auth = $acme->get_authorization($auth_url);
> +	if ($auth->{status} eq 'valid') {
> +	    print "... already validated!\n";
> +	} else {
> +	    print "... pending!\n";
> +	    print "Setting up webserver\n";
> +	    my $validation = eval { PVE::ACME::StandAlone->setup($acme, $auth) };
> +	    die "failed setting up webserver - $@\n" if $@;
> +
> +	    print "Triggering validation\n";
> +	    eval {
> +	    	$acme->request_challenge_validation($validation->{url}, $validation->{key_auth});
> +	    	while (1) {
> +		    $auth = $acme->get_authorization($auth_url);
> +		    if ($auth->{status} eq 'pending') {
> +		    	print "still pending, trying again in 30 seconds\n";
> +		    	sleep 30;
> +		    	next;
> +		    } elsif ($auth->{status} eq 'valid') {
> +		    	last;
> +		    }
> +		    die "validating challenge '$auth' failed\n";
> +	    	}
> +	    };
> +	    my $err = $@;
> +	    eval { $validation->teardown() };
> +	    warn "$@\n" if $@;
> +	    die $err if $err;
> +	}
> +    }
> +    print "\nAll domains validated!\n";
> +    print "\nCreating CSR\n";
> +    # TODO use proper tmp path
> +    my ($csr, $key) = $acme->new_csr($order, path => '/tmp/');
> +    my $csr_content = PVE::Tools::file_get_contents($csr);
> +    my $key_content = PVE::Tools::file_get_contents($key);
> +    unlink $csr;
> +    unlink $key;
> +
> +    print "Finalizing order\n";
> +    $acme->finalize_order($order, $csr_content);
> +
> +    print "Checking order status\n";
> +    while (1) {
> +    	$order = $acme->get_order($order_url);
> +    	if ($order->{status} eq 'pending') {
> +	    print "still pending, trying again in 30 seconds\n";
> +	    sleep 30;
> +	    next;
> +    	} elsif ($order->{status} eq 'valid') {
> +	    print "valid!\n";
> +	    last;
> +    	}
> +    	die "order status: $order->{status}\n";
> +    }
> +
> +    print "\nDownloading certificate\n";
> +    my $cert = $acme->get_certificate($order);
> +
> +    return ($cert, $key_content);
> +};
> +
> +__PACKAGE__->register_method ({
> +    name => 'new_certificate',
> +    path => 'certificate',
> +    method => 'POST',
> +    description => "Order a new certificate from ACME-compatible CA.",
> +    protected => 1,
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {
> +	    node => get_standard_option('pve-node'),
> +	    force => {
> +		type => 'boolean',
> +		description => 'Overwrite existing custom certificate.',
> +		optional => 1,
> +		default => 0,
> +	    },
> +	},
> +    },
> +    returns => {
> +	type => 'string',
> +    },
> +    code => sub {
> +	my ($param) = @_;
> +	
> +	my $node = extract_param($param, 'node');
> +	my $cert_prefix = PVE::CertHelpers::cert_path_prefix($node);
> +
> +	raise_param_exc({'force' => "Custom certificate exists but 'force' is not set."})
> +	    if !$param->{force} && -e "${cert_prefix}.pem";
> +
> +	my $node_config = PVE::NodeConfig::load_config($node);
> +	raise("ACME settings in node configuration are missing!", 400)
> +	    if !$node_config || !$node_config->{acme};
> +	my $acme_node_config = PVE::NodeConfig::parse_acme($node_config->{acme});
> +	raise("ACME domain list in node configuration is missing!", 400)
> +	    if !$acme_node_config;
> +
> +	my $rpcenv = PVE::RPCEnvironment::get();
> +
> +	my $authuser = $rpcenv->get_user();
> +
> +	my $realcmd = sub {
> +	    STDOUT->autoflush(1);
> +	    my $account = $acme_node_config->{account} // 'default';
> +	    my $account_file = PVE::CertHelpers::get_acme_account_file($account);
> +	    die "ACME account config file '$account' does not exist.\n"
> +		if ! -e $account_file;
> +
> +	    my $acme = PVE::ACME->new($account_file);
> +
> +	    print "Loading ACME account details\n";
> +	    $acme->load();
> +
> +	    my ($cert, $key) = $order_certificate->($acme, $acme_node_config->{domains});
> +
> +	    my $code = sub {
> +		print "Setting pveproxy certificate and key\n";
> +		PVE::CertHelper::set_cert_files($cert, $key, $cert_prefix, $param->{force});
> +
> +		print "Restarting pveproxy\n";
> +		PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
> +	    };
> +	    PVE::CertHelpers::cert_lock(10, $code);
> +	    die "$@\n" if $@;
> +	};
> +
> +	return $rpcenv->fork_worker("acmenewcert", undef, $authuser, $realcmd);
> +    },
> +});
> +
> +__PACKAGE__->register_method ({
> +    name => 'renew_certificate',
> +    path => 'certificate',
> +    method => 'PUT',
> +    description => "Renew existing certificate from CA.",
> +    protected => 1,
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {
> +	    node => get_standard_option('pve-node'),
> +	},
> +    },
> +    returns => {
> +	type => 'string',
> +    },
> +    code => sub {
> +	my ($param) = @_;
> +
> +	my $node = extract_param($param, 'node');
> +	my $cert_prefix = PVE::CertHelpers::cert_path_prefix($node);
> +
> +	my $node_config = PVE::NodeConfig::load_config($node);
> +	raise("ACME settings in node configuration are missing!", 400)
> +	    if !$node_config || !$node_config->{acme};
> +	my $acme_node_config = PVE::NodeConfig::parse_acme($node_config->{acme});
> +	raise("ACME domain list in node configuration is missing!", 400)
> +	    if !$acme_node_config;
> +
> +	my $rpcenv = PVE::RPCEnvironment::get();
> +
> +	my $authuser = $rpcenv->get_user();
> +
> +	my $old_cert = PVE::Tools::file_get_contents("${cert_prefix}.pem");
> +
> +	my $realcmd = sub {
> +	    STDOUT->autoflush(1);
> +	    my $account = $acme_node_config->{account} // 'default';
> +	    my $account_file = PVE::CertHelpers::get_acme_account_file($account);
> +	    die "ACME account config file '$account' does not exist.\n"
> +		if ! -e $account_file;
> +
> +	    my $acme = PVE::ACME->new($account_file);
> +
> +	    print "Loading ACME account details\n";
> +	    $acme->load();
> +
> +	    my ($cert, $key) = $order_certificate->($acme, $acme_node_config->{domains});
> +
> +	    my $code = sub {
> +		print "Setting pveproxy certificate and key\n";
> +		PVE::CertHelper::set_cert_files($cert, $key, $cert_prefix, 1);
> +
> +		print "Restarting pveproxy\n";
> +		PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
> +	    };
> +	    PVE::CertHelpers::cert_lock(10, $code);
> +	    die "$@\n" if $@;
> +
> +	    print "Revoking old certificate\n";
> +            $acme->revoke_certificate($old_cert);

Should probably be in an eval {} (looks like it used to be given
the extra spaces?)? Otherwise the renewal task will show up as having
failed just because the old certificate wasn't revoked?

> +	};
> +
> +	return $rpcenv->fork_worker("acmerenew", undef, $authuser, $realcmd);
> +    },
> +});
> +
> +__PACKAGE__->register_method ({
> +    name => 'revoke_certificate',
> +    path => 'certificate',
> +    method => 'DELETE',
> +    description => "Revoke existing certificate from CA.",
> +    protected => 1,
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {
> +	    node => get_standard_option('pve-node'),
> +	},
> +    },
> +    returns => {
> +	type => 'string',
> +    },
> +    code => sub {
> +	my ($param) = @_;
> +
> +	my $node = extract_param($param, 'node');
> +	my $cert_prefix = PVE::CertHelpers::cert_path_prefix($node);
> +
> +	my $node_config = PVE::NodeConfig::load_config($node);
> +	raise("ACME settings in node configuration are missing!", 400)
> +	    if !$node_config || !$node_config->{acme};
> +	my $acme_node_config = PVE::NodeConfig::parse_acme($node_config->{acme});
> +	raise("ACME domain list in node configuration is missing!", 400)
> +	    if !$acme_node_config;
> +
> +	my $rpcenv = PVE::RPCEnvironment::get();
> +
> +	my $authuser = $rpcenv->get_user();
> +
> +	my $cert = PVE::Tools::file_get_contents("${cert_prefix}.pem");
> +
> +	my $realcmd = sub {
> +	    STDOUT->autoflush(1);
> +	    my $account = $acme_node_config->{account} // 'default';
> +	    my $account_file = PVE::CertHelpers::get_acme_account_file($account);
> +	    die "ACME account config file '$account' does not exist.\n"
> +		if ! -e $account_file;
> +
> +	    my $acme = PVE::ACME->new($account_file);
> +
> +	    print "Loading ACME account details\n";
> +	    $acme->load();
> +
> +	    print "Revoking old certificate\n";
> +	    $acme->revoke_certificate($cert);
> +
> +	    my $code = sub {
> +		print "Deleting certificate files\n";
> +		unlink "${cert_prefix}.pem";
> +		unlink "${cert_prefix}.key";
> +
> +		print "Restarting pveproxy to revert to self-signed certificates\n";
> +		PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
> +	    };
> +
> +	    PVE::CertHelpers::cert_lock(10, $code);
> +	    die "$@\n" if $@;
> +	};
> +
> +	return $rpcenv->fork_worker("acmerevoke", undef, $authuser, $realcmd);
> +    },
> +});
> +
> +1;
> -- 
> 2.14.2




More information about the pve-devel mailing list