use warnings;
use PVE::ACME;
-use PVE::ACME::StandAlone;
use PVE::CertHelpers;
use PVE::Certificate;
use PVE::Exception qw(raise raise_param_exc);
}});
my $order_certificate = sub {
- my ($acme, $domains) = @_;
+ my ($acme, $acme_node_config) = @_;
+
+ my $plugins = PVE::API2::ACMEPlugin::load_config();
+
print "Placing ACME order\n";
- my ($order_url, $order) = $acme->new_order($domains);
+ my ($order_url, $order) = $acme->new_order([ keys %{$acme_node_config->{domains}} ]);
print "Order URL: $order_url\n";
for my $auth_url (@{$order->{authorizations}}) {
print "\nGetting authorization details from '$auth_url'\n";
my $auth = $acme->get_authorization($auth_url);
+
+ # force lower case, like get_acme_conf does
+ my $domain = lc($auth->{identifier}->{value});
if ($auth->{status} eq 'valid') {
- print "... already validated!\n";
+ print "$domain is already validated!\n";
} else {
- print "... pending!\n";
- print "Setting up webserver\n";
- my $validation = eval { PVE::ACME::StandAlone->setup($acme, $auth) };
- die "failed setting up webserver - $@\n" if $@;
+ print "The validation for $domain is pending!\n";
+
+ my $domain_config = $acme_node_config->{domains}->{$domain};
+ die "no config for domain '$domain'\n" if !$domain_config;
+
+ my $plugin_id = $domain_config->{plugin};
+
+ my $plugin_cfg = $plugins->{ids}->{$plugin_id};
+ die "plugin '$plugin_id' for domain '$domain' not found!\n"
+ if !$plugin_cfg;
+
+ my $data = {
+ plugin => $plugin_cfg,
+ alias => $domain_config->{alias},
+ };
+
+ my $plugin = PVE::ACME::Challenge->lookup($plugin_cfg->{type});
+ $plugin->setup($acme, $auth, $data);
print "Triggering validation\n";
eval {
- $acme->request_challenge_validation($validation->{url}, $validation->{key_auth});
+ die "no validation URL returned by plugin '$plugin_id' for domain '$domain'\n"
+ if !defined($data->{url});
+
+ $acme->request_challenge_validation($data->{url});
print "Sleeping for 5 seconds\n";
sleep 5;
while (1) {
$auth = $acme->get_authorization($auth_url);
if ($auth->{status} eq 'pending') {
- print "Status is still 'pending', trying again in 30 seconds\n";
- sleep 30;
+ print "Status is still 'pending', trying again in 10 seconds\n";
+ sleep 10;
next;
} elsif ($auth->{status} eq 'valid') {
- print "Status is 'valid'!\n";
+ print "Status is 'valid', domain '$domain' OK!\n";
last;
}
- die "validating challenge '$auth_url' failed\n";
+ die "validating challenge '$auth_url' failed - status: $auth->{status}\n";
}
};
my $err = $@;
- eval { $validation->teardown() };
+ eval { $plugin->teardown($acme, $auth, $data) };
warn "$@\n" if $@;
die $err if $err;
}
print "\nCreating CSR\n";
my ($csr, $key) = PVE::Certificate::generate_csr(identifiers => $order->{identifiers});
- print "Finalizing order\n";
- $acme->finalize_order($order, PVE::Certificate::pem_to_der($csr));
-
+ my $finalize_error_cnt = 0;
print "Checking order status\n";
while (1) {
$order = $acme->get_order($order_url);
if ($order->{status} eq 'pending') {
- print "still pending, trying again in 30 seconds\n";
+ print "still pending, trying to finalize order\n";
+ # FIXME
+ # to be compatible with and without the order ready state we try to
+ # finalize even at the 'pending' state and give up after 5
+ # unsuccessful tries this can be removed when the letsencrypt api
+ # definitely has implemented the 'ready' state
+ eval {
+ $acme->finalize_order($order, PVE::Certificate::pem_to_der($csr));
+ };
+ if (my $err = $@) {
+ die $err if $finalize_error_cnt >= 5;
+
+ $finalize_error_cnt++;
+ warn $err;
+ }
+ sleep 5;
+ next;
+ } elsif ($order->{status} eq 'ready') {
+ print "Order is ready, finalizing order\n";
+ $acme->finalize_order($order, PVE::Certificate::pem_to_der($csr));
+ sleep 5;
+ next;
+ } elsif ($order->{status} eq 'processing') {
+ print "still processing, trying again in 30 seconds\n";
sleep 30;
next;
} elsif ($order->{status} eq 'valid') {
name => 'new_certificate',
path => 'certificate',
method => 'POST',
+ permissions => {
+ check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+ },
description => "Order a new certificate from ACME-compatible CA.",
protected => 1,
proxyto => 'node',
if !$param->{force} && -e "${cert_prefix}.pem";
my $node_config = PVE::NodeConfig::load_config($node);
- raise("ACME settings in node configuration are missing!", 400)
- if !$node_config || !$node_config->{acme};
- my $acme_node_config = PVE::NodeConfig::parse_acme($node_config->{acme});
+ my $acme_node_config = PVE::NodeConfig::get_acme_conf($node_config);
raise("ACME domain list in node configuration is missing!", 400)
- if !$acme_node_config;
+ if !$acme_node_config || !%{$acme_node_config->{domains}};
my $rpcenv = PVE::RPCEnvironment::get();
my $realcmd = sub {
STDOUT->autoflush(1);
- my $account = $acme_node_config->{account} // 'default';
+ my $account = $acme_node_config->{account};
my $account_file = "${acme_account_dir}/${account}";
die "ACME account config file '$account' does not exist.\n"
if ! -e $account_file;
print "Loading ACME account details\n";
$acme->load();
- my ($cert, $key) = $order_certificate->($acme, $acme_node_config->{domains});
+ my ($cert, $key) = $order_certificate->($acme, $acme_node_config);
my $code = sub {
print "Setting pveproxy certificate and key\n";
name => 'renew_certificate',
path => 'certificate',
method => 'PUT',
+ permissions => {
+ check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+ },
description => "Renew existing certificate from CA.",
protected => 1,
proxyto => 'node',
if !$expires_soon && !$param->{force};
my $node_config = PVE::NodeConfig::load_config($node);
- raise("ACME settings in node configuration are missing!", 400)
- if !$node_config || !$node_config->{acme};
- my $acme_node_config = PVE::NodeConfig::parse_acme($node_config->{acme});
+ my $acme_node_config = PVE::NodeConfig::get_acme_conf($node_config);
raise("ACME domain list in node configuration is missing!", 400)
- if !$acme_node_config;
+ if !$acme_node_config || !%{$acme_node_config->{domains}};
my $rpcenv = PVE::RPCEnvironment::get();
my $realcmd = sub {
STDOUT->autoflush(1);
- my $account = $acme_node_config->{account} // 'default';
+ my $account = $acme_node_config->{account};
my $account_file = "${acme_account_dir}/${account}";
die "ACME account config file '$account' does not exist.\n"
if ! -e $account_file;
print "Loading ACME account details\n";
$acme->load();
- my ($cert, $key) = $order_certificate->($acme, $acme_node_config->{domains});
+ my ($cert, $key) = $order_certificate->($acme, $acme_node_config);
my $code = sub {
print "Setting pveproxy certificate and key\n";
name => 'revoke_certificate',
path => 'certificate',
method => 'DELETE',
+ permissions => {
+ check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+ },
description => "Revoke existing certificate from CA.",
protected => 1,
proxyto => 'node',
my $cert_prefix = PVE::CertHelpers::cert_path_prefix($node);
my $node_config = PVE::NodeConfig::load_config($node);
- raise("ACME settings in node configuration are missing!", 400)
- if !$node_config || !$node_config->{acme};
- my $acme_node_config = PVE::NodeConfig::parse_acme($node_config->{acme});
+ my $acme_node_config = PVE::NodeConfig::get_acme_conf($node_config);
raise("ACME domain list in node configuration is missing!", 400)
- if !$acme_node_config;
+ if !$acme_node_config || !%{$acme_node_config->{domains}};
my $rpcenv = PVE::RPCEnvironment::get();
my $realcmd = sub {
STDOUT->autoflush(1);
- my $account = $acme_node_config->{account} // 'default';
+ my $account = $acme_node_config->{account};
my $account_file = "${acme_account_dir}/${account}";
die "ACME account config file '$account' does not exist.\n"
if ! -e $account_file;