package PVE::CertHelpers; use strict; use warnings; use PVE::Certificate; use PVE::JSONSchema; use PVE::Tools; my $account_prefix = '/etc/pve/priv/acme'; PVE::JSONSchema::register_standard_option('pve-acme-account-name', { description => 'ACME account config file name.', type => 'string', format => 'pve-configid', format_description => 'name', optional => 1, default => 'default', }); PVE::JSONSchema::register_standard_option('pve-acme-account-contact', { type => 'string', format => 'email-list', description => 'Contact email addresses.', }); PVE::JSONSchema::register_standard_option('pve-acme-directory-url', { type => 'string', description => 'URL of ACME CA directory endpoint.', pattern => '^https?://.*', }); my $local_cert_lock = '/var/lock/pve-certs.lock'; sub cert_path_prefix { my ($node) = @_; return "/etc/pve/nodes/${node}/pveproxy-ssl"; } sub default_cert_path_prefix { my ($node) = @_; return "/etc/pve/nodes/${node}/pve-ssl"; } sub cert_lock { my ($timeout, $code, @param) = @_; return PVE::Tools::lock_file($local_cert_lock, $timeout, $code, @param); } sub set_cert_files { my ($cert, $key, $path_prefix, $force) = @_; my ($old_cert, $old_key, $info); my $cert_path = "${path_prefix}.pem"; my $cert_path_tmp = "${path_prefix}.pem.old"; my $key_path = "${path_prefix}.key"; my $key_path_tmp = "${path_prefix}.key.old"; die "Custom certificate file exists but force flag is not set.\n" if !$force && -e $cert_path; die "Custom certificate key file exists but force flag is not set.\n" if !$force && -e $key_path; PVE::Tools::file_copy($cert_path, $cert_path_tmp) if -e $cert_path; PVE::Tools::file_copy($key_path, $key_path_tmp) if -e $key_path; eval { PVE::Tools::file_set_contents($cert_path, $cert); PVE::Tools::file_set_contents($key_path, $key) if $key; $info = PVE::Certificate::get_certificate_info($cert_path); }; my $err = $@; if ($err) { if (-e $cert_path_tmp && -e $key_path_tmp) { eval { warn "Attempting to restore old certificate files..\n"; PVE::Tools::file_copy($cert_path_tmp, $cert_path); PVE::Tools::file_copy($key_path_tmp, $key_path); }; warn "$@\n" if $@; } die "Setting certificate files failed - $err\n" } unlink $cert_path_tmp; unlink $key_path_tmp; return $info; } sub acme_account_dir { return $account_prefix; } sub list_acme_accounts { my $accounts = []; return $accounts if ! -d $account_prefix; PVE::Tools::dir_glob_foreach($account_prefix, qr/[^.]+.*/, sub { my ($name) = @_; push @$accounts, $name if PVE::JSONSchema::pve_verify_configid($name, 1); }); return $accounts; }