else the api-viewer's dumper may get a false-positive change every
time we update the schema there
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
we use `get_acme_conf` as higher level sanity checker (e.g. to ensure
that wildcard certificates have a configured DNS plugin)
(adapted from pve-manager, where this is done in the corresponding API
call)
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Let's Encrypt currently only issues wildcard certificates if the
domain ownership is validated via a dns-01 type plugin.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Wildcard DNS names (*.domain.example) are validated through their
base-domain (domain.example) according to the ACME RFC [0].
We store the indirection while parsing the acme config, and check for
an extra validation target during ordering.
This makes it possible to order wildcard certificates which are not
valid for the base-domain.
[0] https://tools.ietf.org/html/rfc8555#section-7.1.3
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
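Added illustration (not pmg-api code, not from any of the commits above) of the checks these ACME messages describe: rejecting duplicate acmedomainX domains, requiring a dns-01 plugin for wildcards, and mapping a wildcard to its base domain as the validation target per RFC 8555 section 7.1.3. The `domain=...,plugin=...` value layout and the plugin id `standalone` for HTTP validation are assumptions made for this example.

```python
"""Constructed model of get_acme_conf-style semantic validation (example only)."""
import re

ACME_DOMAIN_KEY = re.compile(r'^acmedomain\d+$')
HTTP_PLUGIN = 'standalone'  # assumed id for non-dns validation


def parse_acme_conf(node_conf):
    """Validate acmedomainX entries and record, per domain, which
    identifier the ACME order must actually validate."""
    domains = {}
    for key, value in sorted(node_conf.items()):
        if not ACME_DOMAIN_KEY.match(key):
            continue
        opts = dict(part.split('=', 1) for part in value.split(','))
        domain = opts['domain'].strip().lower()
        plugin = opts.get('plugin', HTTP_PLUGIN)
        # same domain under two acmedomainX keys would break later ordering
        if domain in domains:
            raise ValueError(f"duplicate domain '{domain}' in {key}")
        entry = {'plugin': plugin, 'validate_via': domain}
        if domain.startswith('*.'):
            # wildcards are only issued after dns-01 validation
            if plugin == HTTP_PLUGIN:
                raise ValueError(f"wildcard '{domain}' needs a DNS plugin")
            # the challenge is answered for the base domain, not the wildcard
            entry['validate_via'] = domain[2:]
        domains[domain] = entry
    return domains


def acme_conf_error(node_conf):
    """Return the validation error message, or None if the config is sane."""
    try:
        parse_acme_conf(node_conf)
    except ValueError as err:
        return str(err)
    return None


def validation_targets(domains):
    """Identifiers to validate during ordering; a wildcard's base domain
    appears here even when the certificate itself does not cover it."""
    return {entry['validate_via'] for entry in domains.values()}
```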
clamav recently started yielding 429 (too many requests) response
codes on even comparatively low attempts to download the complete
signature files (cvd) (see [0]), instead of the incremental changes
(cdiff) (see [1] for some background).
Changing the default to scriptedupdates (a.k.a. cdiff download) seems
sensible for most situations.
[0] https://docs.clamav.net/faq/faq-freshclam.html
[1] https://blog.clamav.net/2021/03/clamav-cvds-cdiffs-and-magic-behind.html
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
2 errors were introduced in 4f06ff8ac2:
* a typo in the postgresql service name
* it missed the other uses of the service_name hash, apart from the
lookup_real_service_name sub.
Both fixed here.
Reported-by: Martin Maurer <martin@proxmox.com>
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
The missing use PMG::Ticket import is problematic during ACME cert
renewal from pmg-daily->PMG::API2::Certificates->renew_acme_cert,
since pmg-daily does not import it.
Reported-by: Martin Maurer <martin@proxmox.com>
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Ported over from commit 8797cc74cd94583130ab4c2f541d1a75b518cfa6
of pve-manager, but with the list of machine-id extracted from PMG
ISOs.
The full map:
PMG 5.0-5 -> "e378bde63ac54872a85af23a8e4dac73"
PMG 5.1-1 -> "932b668d1fad4709b4976d54152d223c"
PMG 5.1-2 -> "931a8410cd034202a26b0e19d56e157a"
PMG 5.2-1 -> "9a1f3c5284e1423c9b0e0ee5819db6c9"
PMG 6.0-1 -> "5472a49c6436426fbebd7881f7b7f13b"
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
To ensure we have the new `upid_normalize_status_type` and the
new http-server listening behavior available
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
like in PVE/PBS
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
[ Thomas: adapt to renamed PVE::Tools helper method ]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Currently the 'authmode' setting for the spamquarantine is not used
anywhere. According to documentation setting it to 'ldap' should allow
access to the quarantine only with ldap credentials.
This patch addresses the issue by not generating a quarantineticket,
and adapting all links accordingly if the authmode is 'ldap'.
tested by changing the authmode and running
`pmgqm send -receiver <email-address> -debug 1`
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Reviewed-By: Dominik Csapak <d.csapak@proxmox.com>
Tested-By: Dominik Csapak <d.csapak@proxmox.com>
Currently it is possible to add the same domains as different
acmedomainX keys to the node config, which prevents the user from
ordering certificates later.
This patch adds a call to get_acme_conf, which does the semantic
validation (and is also used in all other sites, which read the
config).
Reported in our community forum:
https://forum.proxmox.com/threads/lets-encrypt-cert-on-gui-not-working.91014/
quickly tested in my setup, by successfully adding the same domain
twice without the patch, and failing to do so with it applied.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
It was actually integrated into apt quite a bit before version 2.0,
but it does not really hurt, and version 2 has been available since Q1 2020
on sid; bullseye will have 2.2.x, so using (>= 2~) is just fine.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Sometimes pmgpolicy is not done starting up when we try connecting.
Sadly strace on test_greylist.pl makes the problem disappear.
Looping 3 times should work robustly.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Reviewed-By: Dominik Csapak <d.csapak@proxmox.com>
Tested-By: Dominik Csapak <d.csapak@proxmox.com>
With the changes added in f61d54891d
greylisting does the matches based on a configurable netmask, and
does not use the 'Host' column in the cgreylist table anymore.
Drop it now with PMG 7.0
Quickly tested the following scenarios (all successfully):
* Upgrading from a previous version
* Restoring a pmg-backup taken with PMG 5.2 (the greylist table is
excluded from the backup)
* Adding a node with the changes to an existing cluster without the
change
* Adding a node without the changes to a master-node having them
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Reviewed-By: Dominik Csapak <d.csapak@proxmox.com>
Tested-By: Dominik Csapak <d.csapak@proxmox.com>
also add the missing import for 'raise_perm_exc' to avoid having the error about
the undefined subroutine instead of the actual error.
Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
This patch changes the deprecated method used from libarchive-perl.
It needs a versioned dependency bump on libarchive-perl (>= 3.4.0).
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
PMG::Utils::lookup_real_service_name is only called
for translating the service names provided as arguments
to PMG::API2::Nodes::syslog (for fetching the journal
for specific units). Instead of hardcoding the
version, getting it with a call to `psql` seems justified.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
In e89b61c519 we introduced a method
taking the address as explicit parameter instead of path component
(local-parts can contain '/'). Now we can drop the old paths.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
In e8d909c11f we introduced methods
which take the address to be deleted as parameter instead of path
component (local-parts can contain '/'). Now we can drop the old
paths, as indicated in 53e5e5da24.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
the domain parameter was a misnomer and was replaced by destination in
cce8e372aa
With a major version change upcoming we can now drop the old
parameter name.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
The termproxy api was adapted to the changes from PVE and PBS
in d9e79ff4b7
We can now drop the 'upgrade' option kept for backwards compatibility
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
LISTEN_IP is defined in /etc/default/pmgproxy.
this depends on the changes in pve-common and pve-http-server (#2997)
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
added changes ported from pve-manager commit
8da3ad7ce8ca9d609f0e5be3860f63f3d1a58889
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
If a user chooses to blacklist a specific sender of a mail, the mail
is very probably undesired too, so delete it in that case.
The reverse should hold for whitelisting a mail's sender: deliver it
in that case.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-By: Stoiko Ivanov <s.ivanov@proxmox.com>
Reviewed-By: Stoiko Ivanov <s.ivanov@proxmox.com>
Should really not happen, but if it does (e.g., the enum gets adapted) it is good
to know the actual value triggering it.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>