fix #3867: server/api: send emails on certificate renewal failure

the superuser's email will be used to notify them that certificate renewal has failed. Signed-off-by: Stefan Sterz <s.sterz@proxmox.com> Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2022-06-14 10:09:45 +02:00 · 2022-06-14 10:09:45 +02:00 · 9e8daa1d10
commit 9e8daa1d10
parent a83283cdf5
2 changed files with 59 additions and 5 deletions
--- a/src/api2/node/certificates.rs
+++ b/src/api2/node/certificates.rs
@ -20,6 +20,7 @@ use pbs_tools::cert;
 use crate::acme::AcmeClient;
 use crate::api2::types::AcmeDomain;
 use crate::config::node::NodeConfig;
+use crate::server::send_certificate_renewal_mail;
 use proxmox_rest_server::WorkerTask;

 pub const ROUTER: Router = Router::new()
@ -544,11 +545,20 @@ fn spawn_certificate_worker(
    let auth_id = rpcenv.get_auth_id().unwrap();

    WorkerTask::spawn(name, None, auth_id, true, move |worker| async move {
-        if let Some(cert) = order_certificate(worker, &node_config).await? {
-            crate::config::set_proxy_certificate(&cert.certificate, &cert.private_key_pem)?;
-            crate::server::reload_proxy_certificate().await?;
-        }
-        Ok(())
+        let work = || async {
+            if let Some(cert) = order_certificate(worker, &node_config).await? {
+                crate::config::set_proxy_certificate(&cert.certificate, &cert.private_key_pem)?;
+                crate::server::reload_proxy_certificate().await?;
+            }
+
+            Ok(())
+        };
+
+        let res = work().await;
+
+        send_certificate_renewal_mail(&res)?;
+
+        res
    })
 }

--- a/src/server/email_notifications.rs
+++ b/src/server/email_notifications.rs
@ -183,6 +183,18 @@ Please visit the web interface for further details:

 "###;

+const ACME_CERTIFICATE_ERR_RENEWAL: &str = r###"
+
+Proxmox Backup Server was not able to renew a TLS certificate.
+
+Error: {{error}}
+
+Please visit the web interface for further details:
+
+<https://{{fqdn}}:{{port}}/#pbsCertificateConfiguration>
+
+"###;
+
 lazy_static::lazy_static! {

    static ref HANDLEBARS: Handlebars<'static> = {
@ -209,6 +221,8 @@ lazy_static::lazy_static! {

            hb.register_template_string("package_update_template", PACKAGE_UPDATES_TEMPLATE)?;

+            hb.register_template_string("certificate_renewal_err_template", ACME_CERTIFICATE_ERR_RENEWAL)?;
+
            Ok(())
        });

@ -507,6 +521,34 @@ pub fn send_updates_available(updates: &[&APTUpdateInfo]) -> Result<(), Error> {
    Ok(())
 }

+/// send email on certificate renewal failure.
+/// `notify` currently only accepts `Notify::Error`.
+pub fn send_certificate_renewal_mail(result: &Result<(), Error>) -> Result<(), Error> {
+    let error: String = match result {
+        Err(e) => e.to_string().into(),
+        _ => return Ok(()),
+    };
+
+    if let Some(email) = lookup_user_email(Userid::root_userid()) {
+        let (fqdn, port) = get_server_url();
+
+        let text = HANDLEBARS.render(
+            "certificate_renewal_err_template",
+            &json!({
+                "fqdn": fqdn,
+                "port": port,
+                "error": error,
+            }),
+        )?;
+
+        let subject = "Could not renew certificate";
+
+        send_job_status_mail(&email, subject, &text)?;
+    }
+
+    Ok(())
+}
+
 /// Lookup users email address
 pub fn lookup_user_email(userid: &Userid) -> Option<String> {
    if let Ok(user_config) = pbs_config::user::cached_config() {
@ -618,4 +660,6 @@ fn test_template_register() {
    assert!(HANDLEBARS.has_template("tape_backup_err_template"));

    assert!(HANDLEBARS.has_template("package_update_template"));
+
+    assert!(HANDLEBARS.has_template("certificate_renewal_err_template"));
 }