mirror of
https://git.proxmox.com/git/pve-manager
synced 2025-11-04 10:23:04 +00:00
1e67b44463
Else, a user would need to renew it first before being able to revoke it, which does not make much sense.. Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
383 lines
11 KiB
Perl
383 lines
11 KiB
Perl
package PVE::API2::ACME;
|
|
|
|
use strict;
|
|
use warnings;
|
|
|
|
use PVE::ACME;
|
|
use PVE::CertHelpers;
|
|
use PVE::Certificate;
|
|
use PVE::Exception qw(raise raise_param_exc);
|
|
use PVE::JSONSchema qw(get_standard_option);
|
|
use PVE::NodeConfig;
|
|
use PVE::Tools qw(extract_param);
|
|
|
|
use IO::Handle;
|
|
|
|
use base qw(PVE::RESTHandler);
|
|
|
|
my $acme_account_dir = PVE::CertHelpers::acme_account_dir();
|
|
|
|
__PACKAGE__->register_method ({
|
|
name => 'index',
|
|
path => '',
|
|
method => 'GET',
|
|
permissions => { user => 'all' },
|
|
description => "ACME index.",
|
|
parameters => {
|
|
additionalProperties => 0,
|
|
properties => {
|
|
node => get_standard_option('pve-node'),
|
|
},
|
|
},
|
|
returns => {
|
|
type => 'array',
|
|
items => {
|
|
type => "object",
|
|
properties => {},
|
|
},
|
|
links => [ { rel => 'child', href => "{name}" } ],
|
|
},
|
|
code => sub {
|
|
my ($param) = @_;
|
|
|
|
return [
|
|
{ name => 'certificate' },
|
|
];
|
|
}});
|
|
|
|
my $order_certificate = sub {
|
|
my ($acme, $acme_node_config) = @_;
|
|
|
|
my $plugins = PVE::API2::ACMEPlugin::load_config();
|
|
|
|
print "Placing ACME order\n";
|
|
my ($order_url, $order) = $acme->new_order([ keys %{$acme_node_config->{domains}} ]);
|
|
print "Order URL: $order_url\n";
|
|
for my $auth_url (@{$order->{authorizations}}) {
|
|
print "\nGetting authorization details from '$auth_url'\n";
|
|
my $auth = $acme->get_authorization($auth_url);
|
|
|
|
# force lower case, like get_acme_conf does
|
|
my $domain = lc($auth->{identifier}->{value});
|
|
if ($auth->{status} eq 'valid') {
|
|
print "$domain is already validated!\n";
|
|
} else {
|
|
print "The validation for $domain is pending!\n";
|
|
|
|
my $domain_config = $acme_node_config->{domains}->{$domain};
|
|
die "no config for domain '$domain'\n" if !$domain_config;
|
|
|
|
my $plugin_id = $domain_config->{plugin};
|
|
|
|
my $plugin_cfg = $plugins->{ids}->{$plugin_id};
|
|
die "plugin '$plugin_id' for domain '$domain' not found!\n"
|
|
if !$plugin_cfg;
|
|
|
|
my $data = {
|
|
plugin => $plugin_cfg,
|
|
alias => $domain_config->{alias},
|
|
};
|
|
|
|
my $plugin = PVE::ACME::Challenge->lookup($plugin_cfg->{type});
|
|
$plugin->setup($acme, $auth, $data);
|
|
|
|
print "Triggering validation\n";
|
|
eval {
|
|
die "no validation URL returned by plugin '$plugin_id' for domain '$domain'\n"
|
|
if !defined($data->{url});
|
|
|
|
$acme->request_challenge_validation($data->{url});
|
|
print "Sleeping for 5 seconds\n";
|
|
sleep 5;
|
|
while (1) {
|
|
$auth = $acme->get_authorization($auth_url);
|
|
if ($auth->{status} eq 'pending') {
|
|
print "Status is still 'pending', trying again in 10 seconds\n";
|
|
sleep 10;
|
|
next;
|
|
} elsif ($auth->{status} eq 'valid') {
|
|
print "Status is 'valid', domain '$domain' OK!\n";
|
|
last;
|
|
}
|
|
die "validating challenge '$auth_url' failed - status: $auth->{status}\n";
|
|
}
|
|
};
|
|
my $err = $@;
|
|
eval { $plugin->teardown($acme, $auth, $data) };
|
|
warn "$@\n" if $@;
|
|
die $err if $err;
|
|
}
|
|
}
|
|
print "\nAll domains validated!\n";
|
|
print "\nCreating CSR\n";
|
|
my ($csr, $key) = PVE::Certificate::generate_csr(identifiers => $order->{identifiers});
|
|
|
|
my $finalize_error_cnt = 0;
|
|
print "Checking order status\n";
|
|
while (1) {
|
|
$order = $acme->get_order($order_url);
|
|
if ($order->{status} eq 'pending') {
|
|
print "still pending, trying to finalize order\n";
|
|
# FIXME
|
|
# to be compatible with and without the order ready state we try to
|
|
# finalize even at the 'pending' state and give up after 5
|
|
# unsuccessful tries this can be removed when the letsencrypt api
|
|
# definitely has implemented the 'ready' state
|
|
eval {
|
|
$acme->finalize_order($order, PVE::Certificate::pem_to_der($csr));
|
|
};
|
|
if (my $err = $@) {
|
|
die $err if $finalize_error_cnt >= 5;
|
|
|
|
$finalize_error_cnt++;
|
|
warn $err;
|
|
}
|
|
sleep 5;
|
|
next;
|
|
} elsif ($order->{status} eq 'ready') {
|
|
print "Order is ready, finalizing order\n";
|
|
$acme->finalize_order($order, PVE::Certificate::pem_to_der($csr));
|
|
sleep 5;
|
|
next;
|
|
} elsif ($order->{status} eq 'processing') {
|
|
print "still processing, trying again in 30 seconds\n";
|
|
sleep 30;
|
|
next;
|
|
} elsif ($order->{status} eq 'valid') {
|
|
print "valid!\n";
|
|
last;
|
|
}
|
|
die "order status: $order->{status}\n";
|
|
}
|
|
|
|
print "\nDownloading certificate\n";
|
|
my $cert = $acme->get_certificate($order);
|
|
|
|
return ($cert, $key);
|
|
};
|
|
|
|
__PACKAGE__->register_method ({
|
|
name => 'new_certificate',
|
|
path => 'certificate',
|
|
method => 'POST',
|
|
permissions => {
|
|
check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
|
|
},
|
|
description => "Order a new certificate from ACME-compatible CA.",
|
|
protected => 1,
|
|
proxyto => 'node',
|
|
parameters => {
|
|
additionalProperties => 0,
|
|
properties => {
|
|
node => get_standard_option('pve-node'),
|
|
force => {
|
|
type => 'boolean',
|
|
description => 'Overwrite existing custom certificate.',
|
|
optional => 1,
|
|
default => 0,
|
|
},
|
|
},
|
|
},
|
|
returns => {
|
|
type => 'string',
|
|
},
|
|
code => sub {
|
|
my ($param) = @_;
|
|
|
|
my $node = extract_param($param, 'node');
|
|
my $cert_prefix = PVE::CertHelpers::cert_path_prefix($node);
|
|
|
|
raise_param_exc({'force' => "Custom certificate exists but 'force' is not set."})
|
|
if !$param->{force} && -e "${cert_prefix}.pem";
|
|
|
|
my $node_config = PVE::NodeConfig::load_config($node);
|
|
my $acme_node_config = PVE::NodeConfig::get_acme_conf($node_config);
|
|
raise("ACME domain list in node configuration is missing!", 400)
|
|
if !$acme_node_config || !%{$acme_node_config->{domains}};
|
|
|
|
my $rpcenv = PVE::RPCEnvironment::get();
|
|
|
|
my $authuser = $rpcenv->get_user();
|
|
|
|
my $realcmd = sub {
|
|
STDOUT->autoflush(1);
|
|
my $account = $acme_node_config->{account};
|
|
my $account_file = "${acme_account_dir}/${account}";
|
|
die "ACME account config file '$account' does not exist.\n"
|
|
if ! -e $account_file;
|
|
|
|
my $acme = PVE::ACME->new($account_file);
|
|
|
|
print "Loading ACME account details\n";
|
|
$acme->load();
|
|
|
|
my ($cert, $key) = $order_certificate->($acme, $acme_node_config);
|
|
|
|
my $code = sub {
|
|
print "Setting pveproxy certificate and key\n";
|
|
PVE::CertHelpers::set_cert_files($cert, $key, $cert_prefix, $param->{force});
|
|
|
|
print "Restarting pveproxy\n";
|
|
PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
|
|
};
|
|
PVE::CertHelpers::cert_lock(10, $code);
|
|
die "$@\n" if $@;
|
|
};
|
|
|
|
return $rpcenv->fork_worker("acmenewcert", undef, $authuser, $realcmd);
|
|
}});
|
|
|
|
__PACKAGE__->register_method ({
|
|
name => 'renew_certificate',
|
|
path => 'certificate',
|
|
method => 'PUT',
|
|
permissions => {
|
|
check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
|
|
},
|
|
description => "Renew existing certificate from CA.",
|
|
protected => 1,
|
|
proxyto => 'node',
|
|
parameters => {
|
|
additionalProperties => 0,
|
|
properties => {
|
|
node => get_standard_option('pve-node'),
|
|
force => {
|
|
type => 'boolean',
|
|
description => 'Force renewal even if expiry is more than 30 days away.',
|
|
optional => 1,
|
|
default => 0,
|
|
},
|
|
},
|
|
},
|
|
returns => {
|
|
type => 'string',
|
|
},
|
|
code => sub {
|
|
my ($param) = @_;
|
|
|
|
my $node = extract_param($param, 'node');
|
|
my $cert_prefix = PVE::CertHelpers::cert_path_prefix($node);
|
|
|
|
raise("No current (custom) certificate found, please order a new certificate!\n")
|
|
if ! -e "${cert_prefix}.pem";
|
|
|
|
my $expires_soon = PVE::Certificate::check_expiry("${cert_prefix}.pem", time() + 30*24*60*60);
|
|
raise_param_exc({'force' => "Certificate does not expire within the next 30 days, and 'force' is not set."})
|
|
if !$expires_soon && !$param->{force};
|
|
|
|
my $node_config = PVE::NodeConfig::load_config($node);
|
|
my $acme_node_config = PVE::NodeConfig::get_acme_conf($node_config);
|
|
raise("ACME domain list in node configuration is missing!", 400)
|
|
if !$acme_node_config || !%{$acme_node_config->{domains}};
|
|
|
|
my $rpcenv = PVE::RPCEnvironment::get();
|
|
|
|
my $authuser = $rpcenv->get_user();
|
|
|
|
my $old_cert = PVE::Tools::file_get_contents("${cert_prefix}.pem");
|
|
|
|
my $realcmd = sub {
|
|
STDOUT->autoflush(1);
|
|
my $account = $acme_node_config->{account};
|
|
my $account_file = "${acme_account_dir}/${account}";
|
|
die "ACME account config file '$account' does not exist.\n"
|
|
if ! -e $account_file;
|
|
|
|
my $acme = PVE::ACME->new($account_file);
|
|
|
|
print "Loading ACME account details\n";
|
|
$acme->load();
|
|
|
|
my ($cert, $key) = $order_certificate->($acme, $acme_node_config);
|
|
|
|
my $code = sub {
|
|
print "Setting pveproxy certificate and key\n";
|
|
PVE::CertHelpers::set_cert_files($cert, $key, $cert_prefix, 1);
|
|
|
|
print "Restarting pveproxy\n";
|
|
PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
|
|
};
|
|
PVE::CertHelpers::cert_lock(10, $code);
|
|
die "$@\n" if $@;
|
|
|
|
print "Revoking old certificate\n";
|
|
eval { $acme->revoke_certificate($old_cert) };
|
|
warn "Revoke request to CA failed: $@" if $@;
|
|
};
|
|
|
|
return $rpcenv->fork_worker("acmerenew", undef, $authuser, $realcmd);
|
|
}});
|
|
|
|
__PACKAGE__->register_method ({
|
|
name => 'revoke_certificate',
|
|
path => 'certificate',
|
|
method => 'DELETE',
|
|
permissions => {
|
|
check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
|
|
},
|
|
description => "Revoke existing certificate from CA.",
|
|
protected => 1,
|
|
proxyto => 'node',
|
|
parameters => {
|
|
additionalProperties => 0,
|
|
properties => {
|
|
node => get_standard_option('pve-node'),
|
|
},
|
|
},
|
|
returns => {
|
|
type => 'string',
|
|
},
|
|
code => sub {
|
|
my ($param) = @_;
|
|
|
|
my $node = extract_param($param, 'node');
|
|
my $cert_prefix = PVE::CertHelpers::cert_path_prefix($node);
|
|
|
|
my $node_config = PVE::NodeConfig::load_config($node);
|
|
my $acme_node_config = PVE::NodeConfig::get_acme_conf($node_config);
|
|
raise("ACME domain list in node configuration is missing!", 400)
|
|
if !$acme_node_config || !%{$acme_node_config->{domains}};
|
|
|
|
my $rpcenv = PVE::RPCEnvironment::get();
|
|
|
|
my $authuser = $rpcenv->get_user();
|
|
|
|
my $cert = PVE::Tools::file_get_contents("${cert_prefix}.pem");
|
|
|
|
my $realcmd = sub {
|
|
STDOUT->autoflush(1);
|
|
my $account = $acme_node_config->{account};
|
|
my $account_file = "${acme_account_dir}/${account}";
|
|
die "ACME account config file '$account' does not exist.\n"
|
|
if ! -e $account_file;
|
|
|
|
my $acme = PVE::ACME->new($account_file);
|
|
|
|
print "Loading ACME account details\n";
|
|
$acme->load();
|
|
|
|
print "Revoking old certificate\n";
|
|
eval { $acme->revoke_certificate($cert) };
|
|
if (my $err = $@) {
|
|
# is there a better check?
|
|
die "Revoke request to CA failed: $err" if $err !~ /"Certificate is expired"/;
|
|
}
|
|
|
|
my $code = sub {
|
|
print "Deleting certificate files\n";
|
|
unlink "${cert_prefix}.pem";
|
|
unlink "${cert_prefix}.key";
|
|
|
|
print "Restarting pveproxy to revert to self-signed certificates\n";
|
|
PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
|
|
};
|
|
|
|
PVE::CertHelpers::cert_lock(10, $code);
|
|
die "$@\n" if $@;
|
|
};
|
|
|
|
return $rpcenv->fork_worker("acmerevoke", undef, $authuser, $realcmd);
|
|
}});
|
|
|
|
1;
|