[pve-devel] (no subject)

Wolfgang Link w.link at proxmox.com
Thu Apr 16 07:18:17 CEST 2020


>From Wolfgang Link <w.link at proxmox.com> # This line is ignored.
From: Wolfgang Link <w.link at proxmox.com>
Reply-To: 
Subject:  RFC for ACME DNS Challenge V3
In-Reply-To: 

The acme_sh project is used as a DNS API plugin system.
So we can reuse the already defined plugins.
It is used as subplugins.

The acme.sh script is replaced by proxmox-acme,
which contains the function required to operate the DNSAPI plug-ins.

The login information is saved in the file plugin.cfg.
The values are encoded in base64 and transferred directly to proxmox-acme.
There they are decoded again.

The DNSAPI plugin credentials are not standardized, so each plugin expects different parameters.

These patches are only tested against the OVH API because of missing alternative possibilities.

The V3 is mainly based on V2, but has the improvements of Fabian's feedback.
For more information see below.

Build conflicts arise due to the code movements.
The prerequisite for this series is the installation of Curl.
For this series you have to create the deb packages pve-common, pve-cluster and proxmox-acme.
Then apply these packages and you can now build and install the pve-manager package.

The GUI works at the moment only with the standalone plugin (HTTP Challenge).

For the alias mode a CNAME record is needed:
_acme-challenge.<host>.<domain>.<TLD> 	CNAME 	_acme-challenge.<Alias Target>

Steps to test.

1.) pvenode acme account register default <mail at example.invalid>
2.) pvenode acme plugin add <dns|standalone> <plugin_id> --data <login information> 
3.) pvenode config set --acme domain=<Domain>,plugin=<plugin_id>[,alias=<alias_domain>]
4.) pvenode acme cert order

[Patch V3 cluster] Add ACME plugin config file to cluster files
V2 -> V3 Change path of plugin conf

[Patch V2 acme 01/13] Add Debian Buildsystem config
V2 -> V3 Add a hint that acme.sh is GPL-3 

[Patch V3 common] Move the code to proxmox-acme and add a dependency
V2 -> V3 No Change

note(Fabian G.): this one requires a breaks+replaces on the other side 
(proxmox-acme), and a version bump here (so that proxmox-acme can have 
an appropriate versioned depends).

since the other two pve-common are independent I already applied them - 
otherwise this one should have probably been 3/3 

[Patch V3 manager 1/8] Use the plugin architecture.
V2 -> V3 Make proxmox-acme independent of PVE code.
         The data used by the plugins is collected in this patch.
	 
[Patch V2 acme 02/13] Copy the needed function form acme.sh
V2 -> V3 No Change

[Patch V3 manager 2/8] Extend node config in the acme section.

V2 -> V3 Start Additional Domains with 0 and do not change acme desc.

[Patch V2 acme 03/13] Remove unnecessary Code and fixes.
V2 -> V3 No Change

[Patch V3 manager 3/8] Remove unused code
V2 -> V3 No Change

[Patch V3 manager 4/8] Add function that selects the desired plugin.
New

[Patch V2 acme 04/13] Add funtion to set DNSAPI variable
V2 -> V3 Decode values
         Use a different splitting method because cutting with base64 does not work.

[Patch V3 manager 5/8] Adapt acme node config parser and rename the
V2 -> V3 Rename function.
         Remove the conversion from the old Acme configuration as it is no longer required.

[Patch V2 acme 05/13] Implement feature setup and teardown
V2 -> V3 change path of dnsapi

[Patch V3 manager 6/8] Add libproxmox-acme-perl to pveversion
V2 -> V3 No Change

Note: needs a version dependency?

[Patch V2 acme 06/13] Add submodule acme.sh for DNS plugins
V2 -> V3 change path

[Patch V3 manager 7/8] Create ACME Plugin config.
V2 -> V3 Move the code from proxmox-acme here to make it independent.
         Add base64 encoding for plugin data.

[Patch V2 acme 07/13] Move code from pve-common
V2 -> V3 change path in the Makefile

[Patch V3 manager 8/8] Add libproxmox-acme to the dependencies.
V2 -> V3 No Change

Note: needs a version dependency?

[Patch V2 acme 08/13] Refactor extract_callenge for code reuse.
V2 -> V3 Move in Challange.pm 

[Patch V2 acme 09/13] Create the plugin config.
V2 -> V3 No Change

[Patch V2 acme 10/13] Use-the-caller-s-data-instead-of-extracting-it-yours
New

[Patch V2 acme 11/13] Add DNSChallenge Plugin
V2 -> V3 Use the caller's data to extract the data themselves.

[Patch V2 acme 12/13] Add debug mode
V2 -> V3 No Change

[Patch V2 acme 13/13] Implement function to resolve all subplugins
New
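
Added example, not part of the original mail and not the proxmox-acme code: one way to decode base64-wrapped DNSAPI credentials and hand them to an acme.sh dnsapi subplugin as environment variables. The newline-separated KEY=VALUE payload layout and the helper name set_dnsapi_env are assumptions; the sample values are constructed. Base64 here is only a transport encoding, so the file holding these values still needs the access restrictions of a plaintext secret.

```shell
#!/bin/sh
# Added example: decode base64-wrapped DNSAPI credentials and export them
# for an acme.sh dnsapi subplugin. The newline-separated KEY=VALUE payload
# is an assumption; set_dnsapi_env is a hypothetical helper name.

set_dnsapi_env() {
    # $1: base64 blob as handed over by the caller
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1

    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        # Every non-empty line must contain a separator.
        case $line in
            *=*) ;;
            *) return 2 ;;
        esac
        # Split on the FIRST '=' only: secrets may contain '=' themselves.
        key=${line%%=*}
        value=${line#*=}
        # Only accept plain shell variable names; anything else is rejected
        # so plugin data cannot smuggle shell syntax into export.
        case $key in
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 2 ;;
        esac
        export "$key=$value"
    done <<EOF
$decoded
EOF
}

# Constructed sample data (not real credentials). OVH_AK/OVH_AS/OVH_CK are
# the variable names read by acme.sh's dns_ovh plugin.
sample=$(printf 'OVH_AK=constructed-app-key\nOVH_AS=c2VjcmV0==\nOVH_CK=a=b=c\n' | base64 | tr -d '\n')
set_dnsapi_env "$sample" && echo "OVH_AS=$OVH_AS"
```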



