]>
Commit | Line | Data |
---|---|---|
ac78733c WB |
1 | package PMG::API2::Certificates; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
6 | use PVE::Certificate; | |
7 | use PVE::Exception qw(raise raise_param_exc); | |
8 | use PVE::JSONSchema qw(get_standard_option); | |
9 | use PVE::Tools qw(extract_param file_get_contents file_set_contents); | |
10 | ||
11 | use PMG::CertHelpers; | |
12 | use PMG::NodeConfig; | |
a0822f48 | 13 | use PMG::RS::Acme; |
ac78733c WB |
14 | use PMG::RS::CSR; |
15 | ||
16 | use PMG::API2::ACMEPlugin; | |
17 | ||
18 | use base qw(PVE::RESTHandler); | |
19 | ||
20 | my $acme_account_dir = PMG::CertHelpers::acme_account_dir(); | |
21 | ||
22 | sub first_typed_pem_entry : prototype($$) { | |
23 | my ($label, $data) = @_; | |
24 | ||
25 | if ($data =~ /^(-----BEGIN \Q$label\E-----\n.*?\n-----END \Q$label\E-----)$/ms) { | |
26 | return $1; | |
27 | } | |
28 | return undef; | |
29 | } | |
30 | ||
31 | sub pem_private_key : prototype($) { | |
32 | my ($data) = @_; | |
33 | return first_typed_pem_entry('PRIVATE KEY', $data); | |
34 | } | |
35 | ||
36 | sub pem_certificate : prototype($) { | |
37 | my ($data) = @_; | |
38 | return first_typed_pem_entry('CERTIFICATE', $data); | |
39 | } | |
40 | ||
41 | my sub restart_after_cert_update : prototype($) { | |
42 | my ($type) = @_; | |
43 | ||
44 | if ($type eq 'api') { | |
45 | print "Restarting pmgproxy\n"; | |
46 | PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pmgproxy']); | |
d7ce72c8 SI |
47 | |
48 | my $cinfo = PMG::ClusterConfig->new(); | |
49 | if (scalar(keys %{$cinfo->{ids}})) { | |
50 | print "Notify cluster about new fingerprint\n"; | |
51 | PMG::Cluster::trigger_update_fingerprints($cinfo); | |
52 | } | |
ac78733c WB |
53 | } |
54 | }; | |
55 | ||
56 | my sub update_cert : prototype($$$$$) { | |
57 | my ($type, $cert_path, $certificate, $force, $restart) = @_; | |
58 | my $code = sub { | |
59 | print "Setting custom certificate file $cert_path\n"; | |
60 | PMG::CertHelpers::set_cert_file($certificate, $cert_path, $force); | |
61 | ||
62 | restart_after_cert_update($type) if $restart; | |
63 | }; | |
64 | PMG::CertHelpers::cert_lock(10, $code); | |
65 | }; | |
66 | ||
67 | my sub set_smtp : prototype($$) { | |
68 | my ($on, $reload) = @_; | |
69 | ||
70 | my $code = sub { | |
71 | my $cfg = PMG::Config->new(); | |
72 | if (!$cfg->get('mail', 'tls') == !$on) { | |
73 | return; | |
74 | } | |
75 | ||
76 | print "Rewriting postfix config\n"; | |
77 | $cfg->set('mail', 'tls', $on); | |
78 | $cfg->write(); | |
79 | my $changed = $cfg->rewrite_config_postfix(); | |
80 | ||
81 | if ($changed && $reload) { | |
82 | print "Reloading postfix\n"; | |
83 | PMG::Utils::service_cmd('postfix', 'reload'); | |
84 | } | |
85 | }; | |
86 | PMG::Config::lock_config($code, "failed to reload postfix"); | |
87 | } | |
88 | ||
89 | __PACKAGE__->register_method ({ | |
90 | name => 'index', | |
91 | path => '', | |
92 | method => 'GET', | |
93 | permissions => { user => 'all' }, | |
94 | description => "Node index.", | |
95 | parameters => { | |
96 | additionalProperties => 0, | |
97 | properties => { | |
98 | node => get_standard_option('pve-node'), | |
99 | }, | |
100 | }, | |
101 | returns => { | |
102 | type => 'array', | |
103 | items => { | |
104 | type => "object", | |
105 | properties => {}, | |
106 | }, | |
107 | links => [ { rel => 'child', href => "{name}" } ], | |
108 | }, | |
109 | code => sub { | |
110 | my ($param) = @_; | |
111 | ||
112 | return [ | |
113 | { name => 'acme' }, | |
114 | { name => 'custom' }, | |
115 | { name => 'info' }, | |
116 | { name => 'config' }, | |
117 | ]; | |
118 | }, | |
119 | }); | |
120 | ||
121 | __PACKAGE__->register_method ({ | |
122 | name => 'info', | |
123 | path => 'info', | |
124 | method => 'GET', | |
125 | permissions => { user => 'all' }, | |
126 | proxyto => 'node', | |
127 | protected => 1, | |
128 | description => "Get information about the node's certificates.", | |
129 | parameters => { | |
130 | additionalProperties => 0, | |
131 | properties => { | |
132 | node => get_standard_option('pve-node'), | |
133 | }, | |
134 | }, | |
135 | returns => { | |
136 | type => 'array', | |
137 | items => get_standard_option('pve-certificate-info'), | |
138 | }, | |
139 | code => sub { | |
140 | my ($param) = @_; | |
141 | ||
142 | my $res = []; | |
143 | for my $path (&PMG::CertHelpers::API_CERT, &PMG::CertHelpers::SMTP_CERT) { | |
144 | eval { | |
145 | my $info = PVE::Certificate::get_certificate_info($path); | |
146 | push @$res, $info if $info; | |
147 | }; | |
148 | } | |
149 | return $res; | |
150 | }, | |
151 | }); | |
152 | ||
153 | __PACKAGE__->register_method ({ | |
154 | name => 'custom_cert_index', | |
155 | path => 'custom', | |
156 | method => 'GET', | |
157 | permissions => { user => 'all' }, | |
158 | description => "Certificate index.", | |
159 | parameters => { | |
160 | additionalProperties => 0, | |
161 | properties => { | |
162 | node => get_standard_option('pve-node'), | |
163 | }, | |
164 | }, | |
165 | returns => { | |
166 | type => 'array', | |
167 | items => { | |
168 | type => "object", | |
169 | properties => {}, | |
170 | }, | |
171 | links => [ { rel => 'child', href => "{type}" } ], | |
172 | }, | |
173 | code => sub { | |
174 | my ($param) = @_; | |
175 | ||
176 | return [ | |
177 | { type => 'api' }, | |
178 | { type => 'smtp' }, | |
179 | ]; | |
180 | }, | |
181 | }); | |
182 | ||
183 | __PACKAGE__->register_method ({ | |
184 | name => 'upload_custom_cert', | |
185 | path => 'custom/{type}', | |
186 | method => 'POST', | |
187 | permissions => { check => [ 'admin' ] }, | |
188 | description => 'Upload or update custom certificate chain and key.', | |
189 | protected => 1, | |
190 | proxyto => 'node', | |
191 | parameters => { | |
192 | additionalProperties => 0, | |
193 | properties => { | |
194 | node => get_standard_option('pve-node'), | |
195 | certificates => { | |
196 | type => 'string', | |
197 | format => 'pem-certificate-chain', | |
198 | description => 'PEM encoded certificate (chain).', | |
199 | }, | |
200 | key => { | |
201 | type => 'string', | |
202 | description => 'PEM encoded private key.', | |
203 | format => 'pem-string', | |
204 | optional => 0, | |
205 | }, | |
206 | type => get_standard_option('pmg-certificate-type'), | |
207 | force => { | |
208 | type => 'boolean', | |
209 | description => 'Overwrite existing custom or ACME certificate files.', | |
210 | optional => 1, | |
211 | default => 0, | |
212 | }, | |
213 | restart => { | |
214 | type => 'boolean', | |
215 | description => 'Restart services.', | |
216 | optional => 1, | |
217 | default => 0, | |
218 | }, | |
219 | }, | |
220 | }, | |
221 | returns => get_standard_option('pve-certificate-info'), | |
222 | code => sub { | |
223 | my ($param) = @_; | |
224 | ||
225 | my $type = extract_param($param, 'type'); # also used to know which service to restart | |
226 | my $cert_path = PMG::CertHelpers::cert_path($type); | |
227 | ||
228 | my $certs = extract_param($param, 'certificates'); | |
229 | $certs = PVE::Certificate::strip_leading_text($certs); | |
230 | ||
231 | my $key = extract_param($param, 'key'); | |
232 | if ($key) { | |
233 | $key = PVE::Certificate::strip_leading_text($key); | |
234 | $certs = "$key\n$certs"; | |
235 | } else { | |
236 | my $private_key = pem_private_key($certs); | |
237 | if (!defined($private_key)) { | |
238 | my $old = file_get_contents($cert_path); | |
239 | $private_key = pem_private_key($old); | |
240 | if (!defined($private_key)) { | |
241 | raise_param_exc({ | |
242 | 'key' => "Attempted to upload custom certificate without (existing) key." | |
243 | }) | |
244 | } | |
245 | ||
246 | # copy the old certificate's key: | |
247 | $certs = "$key\n$certs"; | |
248 | } | |
249 | } | |
250 | ||
251 | my $info; | |
252 | ||
253 | PMG::CertHelpers::cert_lock(10, sub { | |
254 | update_cert($type, $cert_path, $certs, $param->{force}, $param->{restart}); | |
255 | }); | |
256 | ||
257 | if ($type eq 'smtp') { | |
258 | set_smtp(1, $param->{restart}); | |
259 | } | |
260 | ||
261 | return $info; | |
262 | }}); | |
263 | ||
264 | __PACKAGE__->register_method ({ | |
265 | name => 'remove_custom_cert', | |
266 | path => 'custom/{type}', | |
267 | method => 'DELETE', | |
268 | permissions => { check => [ 'admin' ] }, | |
269 | description => 'DELETE custom certificate chain and key.', | |
270 | protected => 1, | |
271 | proxyto => 'node', | |
272 | parameters => { | |
273 | additionalProperties => 0, | |
274 | properties => { | |
275 | node => get_standard_option('pve-node'), | |
276 | type => get_standard_option('pmg-certificate-type'), | |
277 | restart => { | |
278 | type => 'boolean', | |
279 | description => 'Restart pmgproxy.', | |
280 | optional => 1, | |
281 | default => 0, | |
282 | }, | |
283 | }, | |
284 | }, | |
285 | returns => { | |
286 | type => 'null', | |
287 | }, | |
288 | code => sub { | |
289 | my ($param) = @_; | |
290 | ||
291 | my $type = extract_param($param, 'type'); | |
292 | my $cert_path = PMG::CertHelpers::cert_path($type); | |
293 | ||
294 | my $code = sub { | |
295 | print "Deleting custom certificate files\n"; | |
296 | unlink $cert_path; | |
297 | PMG::Ticket::generate_api_cert(0) if $type eq 'api'; | |
298 | ||
299 | if ($param->{restart}) { | |
300 | restart_after_cert_update($type); | |
301 | } | |
302 | }; | |
303 | ||
304 | PMG::CertHelpers::cert_lock(10, $code); | |
305 | ||
306 | if ($type eq 'smtp') { | |
307 | set_smtp(0, $param->{restart}); | |
308 | } | |
309 | ||
310 | return undef; | |
311 | }}); | |
312 | ||
313 | __PACKAGE__->register_method ({ | |
314 | name => 'acme_cert_index', | |
315 | path => 'acme', | |
316 | method => 'GET', | |
317 | permissions => { user => 'all' }, | |
318 | description => "ACME Certificate index.", | |
319 | parameters => { | |
320 | additionalProperties => 0, | |
321 | properties => { | |
322 | node => get_standard_option('pve-node'), | |
323 | }, | |
324 | }, | |
325 | returns => { | |
326 | type => 'array', | |
327 | items => { | |
328 | type => "object", | |
329 | properties => {}, | |
330 | }, | |
331 | links => [ { rel => 'child', href => "{type}" } ], | |
332 | }, | |
333 | code => sub { | |
334 | my ($param) = @_; | |
335 | ||
336 | return [ | |
337 | { type => 'api' }, | |
338 | { type => 'smtp' }, | |
339 | ]; | |
340 | }, | |
341 | }); | |
342 | ||
343 | my $order_certificate = sub { | |
344 | my ($acme, $acme_node_config) = @_; | |
345 | ||
346 | my $plugins = PMG::API2::ACMEPlugin::load_config(); | |
347 | ||
348 | print "Placing ACME order\n"; | |
af6b569a | 349 | my ($order_url, $order) = $acme->new_order([ sort keys %{$acme_node_config->{domains}} ]); |
ac78733c WB |
350 | print "Order URL: $order_url\n"; |
351 | for my $auth_url (@{$order->{authorizations}}) { | |
352 | print "\nGetting authorization details from '$auth_url'\n"; | |
353 | my $auth = $acme->get_authorization($auth_url); | |
354 | ||
355 | # force lower case, like get_acme_conf does | |
356 | my $domain = lc($auth->{identifier}->{value}); | |
357 | if ($auth->{status} eq 'valid') { | |
358 | print "$domain is already validated!\n"; | |
359 | } else { | |
360 | print "The validation for $domain is pending!\n"; | |
361 | ||
362 | my $domain_config = $acme_node_config->{domains}->{$domain}; | |
363 | die "no config for domain '$domain'\n" if !$domain_config; | |
364 | ||
365 | my $plugin_id = $domain_config->{plugin}; | |
366 | ||
367 | my $plugin_cfg = $plugins->{ids}->{$plugin_id}; | |
368 | die "plugin '$plugin_id' for domain '$domain' not found!\n" | |
369 | if !$plugin_cfg; | |
370 | ||
371 | my $data = { | |
372 | plugin => $plugin_cfg, | |
373 | alias => $domain_config->{alias}, | |
374 | }; | |
375 | ||
376 | my $plugin = PVE::ACME::Challenge->lookup($plugin_cfg->{type}); | |
377 | $plugin->setup($acme, $auth, $data); | |
378 | ||
379 | print "Triggering validation\n"; | |
380 | eval { | |
381 | die "no validation URL returned by plugin '$plugin_id' for domain '$domain'\n" | |
382 | if !defined($data->{url}); | |
383 | ||
384 | $acme->request_challenge_validation($data->{url}); | |
385 | print "Sleeping for 5 seconds\n"; | |
386 | sleep 5; | |
387 | while (1) { | |
388 | $auth = $acme->get_authorization($auth_url); | |
389 | if ($auth->{status} eq 'pending') { | |
390 | print "Status is still 'pending', trying again in 10 seconds\n"; | |
391 | sleep 10; | |
392 | next; | |
393 | } elsif ($auth->{status} eq 'valid') { | |
394 | print "Status is 'valid', domain '$domain' OK!\n"; | |
395 | last; | |
396 | } | |
c58e1065 TL |
397 | my $error = "validating challenge '$auth_url' failed - status: $auth->{status}"; |
398 | for (@{$auth->{challenges}}) { | |
399 | $error .= ", $_->{error}->{detail}" if $_->{error}->{detail}; | |
400 | } | |
401 | die "$error\n"; | |
ac78733c WB |
402 | } |
403 | }; | |
404 | my $err = $@; | |
405 | eval { $plugin->teardown($acme, $auth, $data) }; | |
406 | warn "$@\n" if $@; | |
407 | die $err if $err; | |
408 | } | |
409 | } | |
410 | print "\nAll domains validated!\n"; | |
411 | print "\nCreating CSR\n"; | |
412 | # Currently we only support dns entries, so extract those from the order: | |
413 | my $san = [ | |
414 | map { | |
415 | $_->{value} | |
416 | } grep { | |
417 | $_->{type} eq 'dns' | |
418 | } $order->{identifiers}->@* | |
419 | ]; | |
420 | die "DNS identifiers are required to generate a CSR.\n" if !scalar @$san; | |
421 | my ($csr_der, $key) = PMG::RS::CSR::generate_csr($san, {}); | |
422 | ||
423 | my $finalize_error_cnt = 0; | |
424 | print "Checking order status\n"; | |
425 | while (1) { | |
426 | $order = $acme->get_order($order_url); | |
427 | if ($order->{status} eq 'pending') { | |
428 | print "still pending, trying to finalize order\n"; | |
429 | # FIXME | |
430 | # to be compatible with and without the order ready state we try to | |
431 | # finalize even at the 'pending' state and give up after 5 | |
432 | # unsuccessful tries this can be removed when the letsencrypt api | |
433 | # definitely has implemented the 'ready' state | |
434 | eval { | |
435 | $acme->finalize_order($order->{finalize}, $csr_der); | |
436 | }; | |
437 | if (my $err = $@) { | |
438 | die $err if $finalize_error_cnt >= 5; | |
439 | ||
440 | $finalize_error_cnt++; | |
441 | warn $err; | |
442 | } | |
443 | sleep 5; | |
444 | next; | |
445 | } elsif ($order->{status} eq 'ready') { | |
446 | print "Order is ready, finalizing order\n"; | |
447 | $acme->finalize_order($order->{finalize}, $csr_der); | |
448 | sleep 5; | |
449 | next; | |
450 | } elsif ($order->{status} eq 'processing') { | |
451 | print "still processing, trying again in 30 seconds\n"; | |
452 | sleep 30; | |
453 | next; | |
454 | } elsif ($order->{status} eq 'valid') { | |
455 | print "valid!\n"; | |
456 | last; | |
457 | } | |
458 | die "order status: $order->{status}\n"; | |
459 | } | |
460 | ||
461 | print "\nDownloading certificate\n"; | |
462 | my $cert = $acme->get_certificate($order->{certificate}); | |
463 | ||
464 | return ($cert, $key); | |
465 | }; | |
466 | ||
467 | # Filter domains and raise an error if the list becomes empty. | |
468 | my $filter_domains = sub { | |
469 | my ($acme_config, $type) = @_; | |
470 | ||
4b01992f | 471 | my $domains = PMG::NodeConfig::filter_domains_by_type($acme_config->{domains}, $type); |
ac78733c | 472 | |
4b01992f | 473 | if (!$domains) { |
ac78733c WB |
474 | raise("No domains configured for type '$type'\n", 400); |
475 | } | |
4b01992f WB |
476 | |
477 | $acme_config->{domains} = $domains; | |
ac78733c WB |
478 | }; |
479 | ||
480 | __PACKAGE__->register_method ({ | |
481 | name => 'new_acme_cert', | |
482 | path => 'acme/{type}', | |
483 | method => 'POST', | |
484 | permissions => { check => [ 'admin' ] }, | |
485 | description => 'Order a new certificate from ACME-compatible CA.', | |
486 | protected => 1, | |
487 | proxyto => 'node', | |
488 | parameters => { | |
489 | additionalProperties => 0, | |
490 | properties => { | |
491 | node => get_standard_option('pve-node'), | |
492 | type => get_standard_option('pmg-certificate-type'), | |
493 | force => { | |
494 | type => 'boolean', | |
495 | description => 'Overwrite existing custom certificate.', | |
496 | optional => 1, | |
497 | default => 0, | |
498 | }, | |
499 | }, | |
500 | }, | |
501 | returns => { | |
502 | type => 'string', | |
503 | }, | |
504 | code => sub { | |
505 | my ($param) = @_; | |
506 | ||
507 | my $type = extract_param($param, 'type'); # also used to know which service to restart | |
508 | my $cert_path = PMG::CertHelpers::cert_path($type); | |
509 | raise_param_exc({'force' => "Custom certificate exists but 'force' is not set."}) | |
510 | if !$param->{force} && -e $cert_path; | |
511 | ||
512 | my $node_config = PMG::NodeConfig::load_config(); | |
513 | my $acme_config = PMG::NodeConfig::get_acme_conf($node_config); | |
514 | raise("ACME domain list in configuration is missing!", 400) | |
259f8a41 | 515 | if !($acme_config && $acme_config->{domains} && $acme_config->{domains}->%*); |
ac78733c WB |
516 | |
517 | $filter_domains->($acme_config, $type); | |
518 | ||
519 | my $rpcenv = PMG::RESTEnvironment->get(); | |
520 | my $authuser = $rpcenv->get_user(); | |
521 | ||
522 | my $realcmd = sub { | |
523 | STDOUT->autoflush(1); | |
524 | my $account = $acme_config->{account}; | |
525 | my $account_file = "${acme_account_dir}/${account}"; | |
526 | die "ACME account config file '$account' does not exist.\n" | |
527 | if ! -e $account_file; | |
528 | ||
529 | print "Loading ACME account details\n"; | |
530 | my $acme = PMG::RS::Acme->load($account_file); | |
531 | ||
532 | my ($cert, $key) = $order_certificate->($acme, $acme_config); | |
533 | my $certificate = "$key\n$cert"; | |
534 | ||
535 | update_cert($type, $cert_path, $certificate, $param->{force}, 1); | |
536 | ||
537 | if ($type eq 'smtp') { | |
538 | set_smtp(1, 1); | |
539 | } | |
540 | ||
541 | die "$@\n" if $@; | |
542 | }; | |
543 | ||
544 | return $rpcenv->fork_worker("acmenewcert", undef, $authuser, $realcmd); | |
545 | }}); | |
546 | ||
547 | __PACKAGE__->register_method ({ | |
548 | name => 'renew_acme_cert', | |
549 | path => 'acme/{type}', | |
550 | method => 'PUT', | |
551 | permissions => { check => [ 'admin' ] }, | |
552 | description => "Renew existing certificate from CA.", | |
553 | protected => 1, | |
554 | proxyto => 'node', | |
555 | parameters => { | |
556 | additionalProperties => 0, | |
557 | properties => { | |
558 | node => get_standard_option('pve-node'), | |
559 | type => get_standard_option('pmg-certificate-type'), | |
560 | force => { | |
561 | type => 'boolean', | |
562 | description => 'Force renewal even if expiry is more than 30 days away.', | |
563 | optional => 1, | |
564 | default => 0, | |
565 | }, | |
566 | }, | |
567 | }, | |
568 | returns => { | |
569 | type => 'string', | |
570 | }, | |
571 | code => sub { | |
572 | my ($param) = @_; | |
573 | ||
574 | my $type = extract_param($param, 'type'); # also used to know which service to restart | |
575 | my $cert_path = PMG::CertHelpers::cert_path($type); | |
576 | ||
577 | raise("No current (custom) certificate found, please order a new certificate!\n") | |
578 | if ! -e $cert_path; | |
579 | ||
580 | my $expires_soon = PVE::Certificate::check_expiry($cert_path, time() + 30*24*60*60); | |
581 | raise_param_exc({'force' => "Certificate does not expire within the next 30 days, and 'force' is not set."}) | |
582 | if !$expires_soon && !$param->{force}; | |
583 | ||
584 | my $node_config = PMG::NodeConfig::load_config(); | |
585 | my $acme_config = PMG::NodeConfig::get_acme_conf($node_config); | |
586 | raise("ACME domain list in configuration is missing!", 400) | |
587 | if !$acme_config || !$acme_config->{domains}->%*; | |
588 | ||
589 | $filter_domains->($acme_config, $type); | |
590 | ||
591 | my $rpcenv = PMG::RESTEnvironment->get(); | |
592 | my $authuser = $rpcenv->get_user(); | |
593 | ||
594 | my $old_cert = PVE::Tools::file_get_contents($cert_path); | |
595 | ||
596 | my $realcmd = sub { | |
597 | STDOUT->autoflush(1); | |
598 | my $account = $acme_config->{account}; | |
599 | my $account_file = "${acme_account_dir}/${account}"; | |
600 | die "ACME account config file '$account' does not exist.\n" | |
601 | if ! -e $account_file; | |
602 | ||
603 | print "Loading ACME account details\n"; | |
604 | my $acme = PMG::RS::Acme->load($account_file); | |
605 | ||
606 | my ($cert, $key) = $order_certificate->($acme, $acme_config); | |
607 | my $certificate = "$key\n$cert"; | |
608 | ||
609 | update_cert($type, $cert_path, $certificate, 1, 1); | |
610 | ||
611 | if (defined($old_cert)) { | |
612 | print "Revoking old certificate\n"; | |
613 | eval { $acme->revoke_certificate($old_cert, undef) }; | |
614 | warn "Revoke request to CA failed: $@" if $@; | |
615 | } | |
616 | }; | |
617 | ||
618 | return $rpcenv->fork_worker("acmerenew", undef, $authuser, $realcmd); | |
619 | }}); | |
620 | ||
621 | __PACKAGE__->register_method ({ | |
622 | name => 'revoke_acme_cert', | |
623 | path => 'acme/{type}', | |
624 | method => 'DELETE', | |
625 | permissions => { check => [ 'admin' ] }, | |
626 | description => "Revoke existing certificate from CA.", | |
627 | protected => 1, | |
628 | proxyto => 'node', | |
629 | parameters => { | |
630 | additionalProperties => 0, | |
631 | properties => { | |
632 | node => get_standard_option('pve-node'), | |
633 | type => get_standard_option('pmg-certificate-type'), | |
634 | }, | |
635 | }, | |
636 | returns => { | |
637 | type => 'string', | |
638 | }, | |
639 | code => sub { | |
640 | my ($param) = @_; | |
641 | ||
642 | my $type = extract_param($param, 'type'); # also used to know which service to restart | |
643 | my $cert_path = PMG::CertHelpers::cert_path($type); | |
644 | ||
645 | my $node_config = PMG::NodeConfig::load_config(); | |
646 | my $acme_config = PMG::NodeConfig::get_acme_conf($node_config); | |
647 | raise("ACME domain list in configuration is missing!", 400) | |
648 | if !$acme_config || !$acme_config->{domains}->%*; | |
649 | ||
650 | $filter_domains->($acme_config, $type); | |
651 | ||
652 | my $rpcenv = PMG::RESTEnvironment->get(); | |
653 | my $authuser = $rpcenv->get_user(); | |
654 | ||
655 | my $cert = PVE::Tools::file_get_contents($cert_path); | |
656 | $cert = pem_certificate($cert) | |
657 | or die "no certificate section found in '$cert_path'\n"; | |
658 | ||
659 | my $realcmd = sub { | |
660 | STDOUT->autoflush(1); | |
661 | my $account = $acme_config->{account}; | |
662 | my $account_file = "${acme_account_dir}/${account}"; | |
663 | die "ACME account config file '$account' does not exist.\n" | |
664 | if ! -e $account_file; | |
665 | ||
666 | print "Loading ACME account details\n"; | |
667 | my $acme = PMG::RS::Acme->load($account_file); | |
668 | ||
669 | print "Revoking old certificate\n"; | |
670 | eval { $acme->revoke_certificate($cert, undef) }; | |
671 | if (my $err = $@) { | |
672 | # is there a better check? | |
673 | die "Revoke request to CA failed: $err" if $err !~ /"Certificate is expired"/; | |
674 | } | |
675 | ||
676 | my $code = sub { | |
677 | print "Deleting certificate files\n"; | |
678 | unlink $cert_path; | |
679 | PMG::Ticket::generate_api_cert(0) if $type eq 'api'; | |
680 | ||
681 | restart_after_cert_update($type); | |
682 | }; | |
683 | ||
684 | PMG::CertHelpers::cert_lock(10, $code); | |
685 | ||
686 | if ($type eq 'smtp') { | |
687 | set_smtp(0, 1); | |
688 | } | |
689 | }; | |
690 | ||
691 | return $rpcenv->fork_worker("acmerevoke", undef, $authuser, $realcmd); | |
692 | }}); | |
693 | ||
694 | 1; |