From 4a57db55921c37587cb1ccb79e4394ab93805623 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?=
Date: Fri, 27 Apr 2018 14:02:14 +0200
Subject: [PATCH] pveupdate: add ACME certificate renewal
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

renew certificate if an acme config entry and a custom certificate exists on the local node and the certificate expires soon.

Signed-off-by: Fabian Grünbichler
---
 bin/pveupdate | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/bin/pveupdate b/bin/pveupdate
index 952a54a4..5a42ce73 100755
--- a/bin/pveupdate
+++ b/bin/pveupdate
@@ -7,6 +7,9 @@ use IO::File;
 use File::Find;
 use File::stat;
+use PVE::CertHelpers;
+use PVE::Certificate;
+use PVE::NodeConfig;
 use PVE::INotify;
 use PVE::Cluster;
 use PVE::APLInfo;
@@ -14,6 +17,7 @@ use PVE::SafeSyslog;
 use PVE::RPCEnvironment;
 use PVE::API2::Subscription;
 use PVE::API2::APT;
+use PVE::API2::ACME;
 
 initlog ('pveupdate', 'daemon');
 
@@ -51,6 +55,23 @@ if (my $err = $@) {
     syslog ('err', "update apt database failed: $err");
 }
 
+eval {
+    my $node_config = PVE::NodeConfig::load_config($nodename);
+    if ($node_config && $node_config->{acme}) {
+        my $cert = PVE::CertHelpers::cert_path_prefix($nodename).".pem";
+        if (-e $cert) {
+            if (PVE::Certificate::check_expiry($cert, time() + 30*24*60*60)) {
+                PVE::API2::ACME->renew_certificate({ node => $nodename });
+            } else {
+                syslog ('info', 'Custom certificate does not expire soon, skipping ACME renewal.');
+            }
+        } else {
+            syslog ('info', 'ACME config found for node, but no custom certificate exists. Skipping ACME renewal until initial certificate has been deployed.');
+        }
+    }
+};
+syslog ('err', "Renewing ACME certificate failed: $@") if $@;
+
 sub cleanup_tasks {
     my $taskdir = "/var/log/pve/tasks";