[pve-devel] [v3 manager 7/7] pveupdate: add ACME certificate renewal
Fabian Grünbichler
f.gruenbichler at proxmox.com
Fri Apr 27 14:02:14 CEST 2018
renew the certificate if an ACME config entry and a custom certificate
exist on the local node and the certificate expires soon.
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
this seems like a good place until the pvestatd refactoring..
bin/pveupdate | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/bin/pveupdate b/bin/pveupdate
index 952a54a4..5a42ce73 100755
--- a/bin/pveupdate
+++ b/bin/pveupdate
@@ -7,6 +7,9 @@ use IO::File;
use File::Find;
use File::stat;
+use PVE::CertHelpers;
+use PVE::Certificate;
+use PVE::NodeConfig;
use PVE::INotify;
use PVE::Cluster;
use PVE::APLInfo;
@@ -14,6 +17,7 @@ use PVE::SafeSyslog;
use PVE::RPCEnvironment;
use PVE::API2::Subscription;
use PVE::API2::APT;
+use PVE::API2::ACME;
initlog ('pveupdate', 'daemon');
@@ -51,6 +55,23 @@ if (my $err = $@) {
syslog ('err', "update apt database failed: $err");
}
+eval {
+ my $node_config = PVE::NodeConfig::load_config($nodename);
+ if ($node_config && $node_config->{acme}) {
+ my $cert = PVE::CertHelpers::cert_path_prefix($nodename).".pem";
+ if (-e $cert) {
+ if (PVE::Certificate::check_expiry($cert, time() + 30*24*60*60)) {
+ PVE::API2::ACME->renew_certificate({ node => $nodename });
+ } else {
+ syslog ('info', 'Custom certificate does not expire soon, skipping ACME renewal.');
+ }
+ } else {
+ syslog ('info', 'ACME config found for node, but no custom certificate exists. Skipping ACME renewal until initial certificate has been deployed.');
+ }
+ }
+};
+syslog ('err', "Renewing ACME certificate failed: $@") if $@;
+
sub cleanup_tasks {
my $taskdir = "/var/log/pve/tasks";
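Review bot: The renewal threshold on the `check_expiry` line is a bare `30*24*60*60` with no name or comment, so a reader has to decode the arithmetic and guess why 30 days was chosen; I would hoist it into a named value with the reason, e.g. `my $renew_before = 30*24*60*60; # renew when less than 30 days of validity remain` and pass `time() + $renew_before`. The condition also only checks that an `acme` node-config entry and a file at `cert_path_prefix($nodename).".pem"` exist, not that this certificate was itself issued via ACME — if a manually deployed certificate on a node with a stale `acme` entry must not be overwritten, that needs a check (issuer or configured domains), otherwise a comment should state that any custom certificate on an acme-configured node is treated as ACME-managed. Whether `PVE::API2::ACME->renew_certificate` does its own permission and RPC-environment handling when invoked directly from this daemon rather than through an API request is not visible here; a short comment confirming it is safe to call without a request context would help. The `info` syslog in the "does not expire soon" branch will fire on every scheduled run, which may be more noise than operators want. The enclosing top-level script continues outside the hunk.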
--
2.14.2