[pve-devel] [PATCH acme v3 0/5] fix #4497: add support for external account bindings

Folke Gleumes f.gleumes at proxmox.com
Tue Oct 31 10:05:09 CET 2023

Changes since v2:
 * reverted the new_account abi to be non breaking

Changes since v1:
 * fixed nit's
 * expanded meta endpoint by all return values defined in the rfc
 * expanded new_account signature by field for eab credentials
 * allow for eab even if not required

This patch series adds functionality to use acme directiories
that require the use of external account binding, as specified
in rfc 8555 section 7.3.4.

To avoid code duplication and redundant calls to the CA,
the `/cluster/acme/tos` endpoint has been deprecated and
it's function will be covered by the new `/cluster/acme/meta`
endpoint, which exposes all meta information provided by the CA,
including the flag indicating that EAB needs to be used.
The underlying call to the CA remains the same.

The CLI interface will only ask for the EAB credentials if needed,
similar to how it works for the ToS.

The patches have been tested to work with and without EAB
by using pebble [0] as the CA.

[0] https://github.com/letsencrypt/pebble

acme: Folke Gleumes (1):
  fix #4497: add support for external account bindings

 src/PVE/ACME.pm | 48 ++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 42 insertions(+), 6 deletions(-)

manager: Folke Gleumes (4):
  fix #4497: acme: add support for external account bindings
  api/acme: deprecate tos endpoint in favor of meta
  fix #4497: cli/acme: detect eab and ask for credentials
  ui/acme: switch to new meta endpoint

 PVE/API2/ACMEAccount.pm   | 83 ++++++++++++++++++++++++++++++++++++++-
 PVE/CLI/pvenode.pm        | 26 +++++++++++-
 www/manager6/node/ACME.js | 12 ++++--
 3 files changed, 113 insertions(+), 8 deletions(-)


More information about the pve-devel mailing list