[pve-devel] RFC for ACME DNS Challenge V2

Fabian Grünbichler f.gruenbichler at proxmox.com
Wed Apr 1 15:25:20 CEST 2020 

some high-level feedback:
- looks much better than previous version already, I think v3 should be 
  the one that makes it :)

- just upgrading triggers the following error on order/renew:

Loading ACME account details
Placing ACME order
Order URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/foobar

Getting authorization details from 'https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/barbaz'
... pending!
can't open '/etc/pve/priv/plugins.cfg' - No such file or directory      ...propagated at /usr/share/perl5/PVE/ACME.pm line 527.
Task can't open '/etc/pve/priv/plugins.cfg' - No such file or directory         ...propagated at /usr/share/perl5/PVE/ACME.pm line 527.

- Touching that file and repeating:

Loading ACME account details
Placing ACME order
Order URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/6085187/82472654

Getting authorization details from 'https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/46773730'
... pending!
Died at /usr/share/perl5/PVE/ACME.pm line 527.
Task Died at /usr/share/perl5/PVE/ACME.pm line 527.

what's at line 527?

527    die if $plugin_type eq "standalone";

die without a message ;) also, "standalone" is the (implicit) default, 
so this whole die is probably very wrong?

removing it, and adding a standalone plugin definition to 
/etc/pve/priv/plugins.conf and /etc/pve/local/config seems to work, but 
this needs to be fixed else ALL the configs out there break on upgrade.

it's probably a good idea to just always define a 'standalone: default', 
similar to the always defined local storage, and then use that as 
default plugin id when going from NodeConfig -> ACME if no explicit one 
is defined.

- some more detailed comments as replies to individual patches, a mix of 
  design/architecture improvements and concrete stuff

On March 31, 2020 12:08 pm, Wolfgang Link wrote:
> The acme_sh project is used as a DNS API plugin system.
> So we can reuse the already defiend plugins.
> I add it as a submodule.
> 
> The acme.sh script is replaced by proxmox-acme,
> which contains the function required to operate the DNSAPI plug-ins.
> 
> The login information is saved in the file plugin.cfg
> and passt directly on the proxmox-acme.
> 
> The DNSAPI plugin credentials are not standardized, so each plugin expects different parameters.
> 
> These patches are only tested against the OVH API because of missing alternative possibilities.
> 
> This implementation uses the design that we discuss at the pve-devel list.
> It doesn't have much to do with V1.
> 
> Build conflicts arise due to the code movements.
> The prerequisite for this series is the installation of Curl.
> For this series you have to create the deb packages pve-common, pve-cluster and proxmox-acme.
> Then apply these packages and you can now build and install the pve-manager package.
> 
> The GUI is broken at the moment.
> Fixes will follow shortly.
> Old configurations are converted and can be used without any problems.
> The new configuration must be defined via the CLI.
> 
> For the alias mode a CNAME record is needed
> _acme-challenge.<host>.<domain>.<TLD> 	CNAME 	_acme-challenge.<Alias Target>
> 
> Steps to test.
> 
> 1.) pvenode acme account register default <mail at example.invalid>
> 2.) pvenode acme plugin add <dns|standalone> <plugin_id> --data <login information> 
> 3.) pvenode config set --acme domain=<Domain>,plugin=<plugin_id>[,alias=<alias_domain>]
> 4.) pvenode acme cert order
> 
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
>

More information about the pve-devel mailing list