[pve-devel] [PATCH cluster/common/manager v2 0/10] ACME library and certificate management
Fabian Grünbichler
f.gruenbichler at proxmox.com
Thu Apr 19 14:01:30 CEST 2018

This patch series implements the following features:

- certificate utility module (pve-common)
- ACME v9 / Let's Encrypt v2 API client library (pve-common)
- PVE-specific certificate helper utility (pve-manager)
- new per-node configuration file in /etc/pve/nodes/FOO/config and API for managing it (pve-manager)
- API for managing ACME accounts (pve-manager)
- API for managing custom and ACME certificates (pve-manager)

High-level changes since v1/RFC:

- pve-common: patches are re-ordered (Certificate helper before ACME)
- pve-common: CSR generation now via Net::SSLeay
- pve-manager: more API annotations / formats / registered options
- more error handling
- more helper methods
- pve-manager/acme: new expiry check for renewal (30 days)
- pve-manager/acme: new 'force' parameter to skip the expiry check for renewal
- pve-manager/acme-account: GET now returns local info, an empty PUT refreshes from the CA
- pve-manager/acme-account: new directories endpoint to return known directories
- API return values have changed for some endpoints

Thanks for the feedback, Dominik and Wolfgang!

TODOs as follow-ups (in order of importance ;)):

- move de-activated account files to allow re-use of the account/file name
- CLI including service/timer for renewal
- GUI
- documentation
- refactor config file handling together with LXC and Qemu configs

Potential improvements:

- make key type configurable
- ACME challenge plugin infrastructure
- support wildcard certificates (needs DNS challenge with Let's Encrypt)
- manage self-signed certificates with the same helpers?
- deprecate pvecm updatecerts in favour of the new code in pve-manager?

pve-common diff-stat:

Fabian Grünbichler (4):
  add Certificate helper
  acme: add ACME library
  acme: add challenge plugins
  build: install ACME files

 src/Makefile               |   5 +
 src/PVE/ACME.pm            | 531 +++++++++++++++++++++++++++++++++++++++++++++
 src/PVE/ACME/Challenge.pm  |  22 ++
 src/PVE/ACME/StandAlone.pm |  74 +++++++
 src/PVE/Certificate.pm     | 396 +++++++++++++++++++++++++++++++++
 5 files changed, 1028 insertions(+)
 create mode 100644 src/PVE/ACME.pm
 create mode 100644 src/PVE/ACME/Challenge.pm
 create mode 100644 src/PVE/ACME/StandAlone.pm
 create mode 100644 src/PVE/Certificate.pm

pve-cluster diff-stat:

Fabian Grünbichler (1):
  cluster: add cfs_lock_acme

 data/PVE/Cluster.pm | 8 ++++++++
 1 file changed, 8 insertions(+)

pve-manager diff-stat:

Fabian Grünbichler (5):
  add CertHelpers utility
  add node configuration file and API
  add ACME account API endpoints
  add ACME certificate API endpoints
  add certificates API endpoints

 PVE/API2/Makefile        |   4 +
 PVE/Makefile             |   2 +
 PVE/API2/ACME.pm         | 325 ++++++++++++++++++++++++++++++++++++++++++++
 PVE/API2/ACMEAccount.pm  | 347 +++++++++++++++++++++++++++++++++++++++++++++++
 PVE/API2/Certificates.pm | 205 ++++++++++++++++++++++++++++
 PVE/API2/Cluster.pm      |   7 +
 PVE/API2/NodeConfig.pm   | 101 ++++++++++++++
 PVE/API2/Nodes.pm        |  15 ++
 PVE/CertHelpers.pm       | 107 +++++++++++++++
 PVE/NodeConfig.pm        | 205 ++++++++++++++++++++++++++++
 10 files changed, 1318 insertions(+)
 create mode 100644 PVE/API2/ACME.pm
 create mode 100644 PVE/API2/ACMEAccount.pm
 create mode 100644 PVE/API2/Certificates.pm
 create mode 100644 PVE/API2/NodeConfig.pm
 create mode 100644 PVE/CertHelpers.pm
 create mode 100644 PVE/NodeConfig.pm