[pve-devel] applied-series: (no subject)

Thomas Lamprecht t.lamprecht at proxmox.com
Sun May 3 19:15:06 CEST 2020


On 4/16/20 7:18 AM, Wolfgang Link wrote:
> From Wolfgang Link <w.link at proxmox.com> # This line is ignored.
> From: Wolfgang Link <w.link at proxmox.com>
> Reply-To: 
> Subject:  RFC for ACME DNS Challenge V3
> In-Reply-To: 
> 
> The acme_sh project is used as a DNS API plugin system.
> So we can reuse the already defined plugins.
> They are used as subplugins.
> 
> The acme.sh script is replaced by proxmox-acme,
> which contains the function required to operate the DNSAPI plug-ins.
> 
> The login information is saved in the file plugin.cfg.
> The values are encoded in base64 and transferred directly to proxmox-acme.
> There they are decoded again.
> 
> The DNSAPI plugin credentials are not standardized, so each plugin expects different parameters.
> 
> These patches are only tested against the OVH API because of missing alternative possibilities.
> 
> The V3 is mainly based on V2, but has the improvements of Fabian's feedback.
> For more information see below.
> 
> Build conflicts arise due to the code movements.
> The prerequisite for this series is the installation of Curl.
> For this series you have to create the deb packages pve-common, pve-cluster and proxmox-acme.
> Then apply these packages and you can now build and install the pve-manager package.
> 
> The GUI works at the moment only with the standalone Plugin(HTTP Challenge).
> 
> For the alias mode a CNAME record is needed
> _acme-challenge.<host>.<domain>.<TLD> 	CNAME 	_acme-challenge.<Alias Target>
> 
> Steps to test.
> 
> 1.) pvenode acme account register default <mail at example.invalid>
> 2.) pvenode acme plugin add <dns|standalone> <plugin_id> --data <login information> 
> 3.) pvenode config set --acme domain=<Domain>,plugin=<plugin_id>[,alias=<alias_domain>]
> 4.) pvenode acme cert order
> 

applied series from Fabian's tree with followups and have thrown a few on top
of that, among others:
 * stricter checking on write, else one could write the same domain multiple times
   but then the node config complained (died).
 * check if plugin is defined when setting it for a domain
 * adding validation-delay for DNS plugins, so that the request for validation can be
   delayed, e.g., to ensure initial DNS propagation (commit message for details)
 * reduction of delays between validation request and checking said request
 * reduction of per-node domains to a maximum of 5, increasing is way easier than
   decreasing after all :)
 * creating of observed files base directory in pve-cluster, as else adding a
   plugin failed if the /etc/pve/priv/acme directory didn't already exist
 * fixing various leftover cruft from copying the whole plugin handling over
   from pve-storage's content API
 * various smaller and mid-size cleanups here and there

Those are the obvious ones from me coming to mind, the ones from Fabian are
separate, but I can't be bothered to search and list them out for now.

A plugin CRUD gui should be pretty easy to do, maybe an hour task for Dominik
on Monday ;-) The rest would be then pretty straight forward to integrate.

A big thanks to Fabian for keeping up initially when I was a bit^W^W totally out
of time, and smoothing some rough edges.
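The quoted series describes DNS-01 validation through a plugin, the optional alias-mode CNAME (_acme-challenge.<host>.<domain> CNAME _acme-challenge.<alias target>), and the follow-up validation-delay added so that the CA is only asked to validate once the TXT record has propagated. The following Python script is an added, self-contained illustration of that readiness check; it is not code from proxmox-acme, pve-manager or acme.sh. It assumes a caller-supplied resolver callable and a constructed in-memory zone standing in for real DNS, and the domain, alias and key-authorization values are made up. The TXT value computation follows RFC 8555 section 8.4 (base64url of the SHA-256 of the key authorization, no padding).

```python
import base64
import hashlib
import time
from typing import Callable, Dict, List, Optional, Tuple

# A resolver is any callable (name, record_type) -> list of record values.
# In production this would query the authoritative nameservers; here it is
# injected so the check can be exercised offline.
Resolver = Callable[[str, str], List[str]]


def dns01_txt_value(key_authorization: str) -> str:
    """RFC 8555 section 8.4: TXT value is base64url(SHA-256(keyAuthorization)), unpadded."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_name(domain: str, alias: Optional[str] = None) -> str:
    """Name under which the TXT record must actually live.
    In alias mode the record is published under the alias target and the CA
    reaches it by following the CNAME on _acme-challenge.<domain>."""
    return f"_acme-challenge.{alias}" if alias else f"_acme-challenge.{domain}"


def alias_cname_ok(resolver: Resolver, domain: str, alias: str) -> bool:
    """Verify the one-time CNAME the thread requires for alias mode is in place."""
    cnames = resolver(f"_acme-challenge.{domain}", "CNAME")
    return any(c.rstrip(".") == f"_acme-challenge.{alias}" for c in cnames)


def wait_for_propagation(
    resolver: Resolver,
    domain: str,
    expected_txt: str,
    alias: Optional[str] = None,
    validation_delay: float = 0.0,
    attempts: int = 5,
    interval: float = 1.0,
    sleep: Callable[[float], None] = time.sleep,
) -> bool:
    """Return True once the expected TXT value is visible, False after `attempts`.
    validation_delay mirrors the fixed initial wait from the thread; the polling
    loop then bounds how long we keep checking before giving up."""
    if validation_delay > 0:
        sleep(validation_delay)
    name = challenge_name(domain, alias)
    for _ in range(attempts):
        if expected_txt in resolver(name, "TXT"):
            return True
        sleep(interval)
    return False


def make_zone_resolver(zone: Dict[Tuple[str, str], List[str]], ready_after: int = 0) -> Resolver:
    """Build a fake resolver over a constructed zone. TXT answers are withheld for
    the first `ready_after` TXT queries to simulate propagation lag."""
    calls = {"txt": 0}

    def resolver(name: str, rtype: str) -> List[str]:
        if rtype == "TXT":
            calls["txt"] += 1
            if calls["txt"] <= ready_after:
                return []
        return list(zone.get((name, rtype), []))

    return resolver


# Constructed sample data (not real hosts, tokens or zones).
DOMAIN = "pve1.example.test"
ALIAS = "acme.example.test"
KEY_AUTHORIZATION = "constructed-token.constructed-thumbprint"
EXPECTED_TXT = dns01_txt_value(KEY_AUTHORIZATION)
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    (f"_acme-challenge.{DOMAIN}", "CNAME"): [f"_acme-challenge.{ALIAS}."],
    (f"_acme-challenge.{ALIAS}", "TXT"): [EXPECTED_TXT],
}


def demo() -> bool:
    """Run the alias check and a propagation wait against the sample zone."""
    resolver = make_zone_resolver(SAMPLE_ZONE, ready_after=2)
    if not alias_cname_ok(resolver, DOMAIN, ALIAS):
        return False
    # no-op sleep so the demo returns immediately
    return wait_for_propagation(resolver, DOMAIN, EXPECTED_TXT, alias=ALIAS,
                                validation_delay=30, attempts=4, sleep=lambda s: None)


if __name__ == "__main__":
    print("ready for validation" if demo() else "record not visible, do not request validation")
```

The point of injecting the resolver is that the readiness check can be run against a real recursive or authoritative resolver in deployment, while the same logic is testable offline; the `ready_after` knob shows why a bounded polling loop matters once the fixed delay has elapsed.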



