tyler/proxmox-backup
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

hot-reload proxy certificate when updating via the API

Browse Source 
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
Wolfgang Bumiller 2021-05-11 15:54:00 +02:00 committed by Thomas Lamprecht
parent 45b8a0327f
commit fca1cef29f
3 changed files with 24 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/api2/node/certificates.rs
View File

@ -175,12 +175,13 @@ pub fn get_info() -> Result<Vec<CertificateInfo>, Error> {
node: { schema: NODE_SCHEMA }, node: { schema: NODE_SCHEMA },
certificates: { description: "PEM encoded certificate (chain)." }, certificates: { description: "PEM encoded certificate (chain)." },
key: { description: "PEM encoded private key." }, key: { description: "PEM encoded private key." },
// FIXME: widget-toolkit should have an option to disable using these 2 parameters...
restart: { restart: {
description: "Restart proxmox-backup-proxy", description: "UI compatibility parameter, ignored",
type: Boolean,
optional: true, optional: true,
default: false, default: false,
}, },
// FIXME: widget-toolkit should have an option to disable using this parameter...
force: { force: {
description: "Force replacement of existing files.", description: "Force replacement of existing files.",
type: Boolean, type: Boolean,
@ -200,10 +201,9 @@ pub fn get_info() -> Result<Vec<CertificateInfo>, Error> {
protected: true, protected: true,
)] )]
/// Upload a custom certificate. /// Upload a custom certificate.
pub fn upload_custom_certificate( pub async fn upload_custom_certificate(
certificates: String, certificates: String,
key: String, key: String,
restart: bool,
) -> Result<Vec<CertificateInfo>, Error> { ) -> Result<Vec<CertificateInfo>, Error> {
let certificates = X509::stack_from_pem(certificates.as_bytes()) let certificates = X509::stack_from_pem(certificates.as_bytes())
.map_err(|err| format_err!("failed to decode certificate chain: {}", err))?; .map_err(|err| format_err!("failed to decode certificate chain: {}", err))?;
@ -223,7 +223,8 @@ pub fn upload_custom_certificate(
let key = key.private_key_to_pem_pkcs8()?; let key = key.private_key_to_pem_pkcs8()?;
crate::config::set_proxy_certificate(&certificates, &key, restart)?; crate::config::set_proxy_certificate(&certificates, &key)?;
crate::server::reload_proxy_certificate().await?;
get_info() get_info()
} }
@ -233,7 +234,8 @@ pub fn upload_custom_certificate(
properties: { properties: {
node: { schema: NODE_SCHEMA }, node: { schema: NODE_SCHEMA },
restart: { restart: {
description: "Restart proxmox-backup-proxy", description: "UI compatibility parameter, ignored",
type: Boolean,
optional: true, optional: true,
default: false, default: false,
}, },
@ -245,7 +247,7 @@ pub fn upload_custom_certificate(
protected: true, protected: true,
)] )]
/// Delete the current certificate and regenerate a self signed one. /// Delete the current certificate and regenerate a self signed one.
pub fn delete_custom_certificate(restart: bool) -> Result<(), Error> { pub async fn delete_custom_certificate() -> Result<(), Error> {
let cert_path = configdir!("/proxy.pem"); let cert_path = configdir!("/proxy.pem");
// Here we fail since if this fails nothing else breaks anyway // Here we fail since if this fails nothing else breaks anyway
std::fs::remove_file(&cert_path) std::fs::remove_file(&cert_path)
@ -263,10 +265,7 @@ pub fn delete_custom_certificate(restart: bool) -> Result<(), Error> {
} }
crate::config::update_self_signed_cert(true)?; crate::config::update_self_signed_cert(true)?;
crate::server::reload_proxy_certificate().await?;
if restart {
crate::config::reload_proxy()?;
}
Ok(()) Ok(())
} }
@ -535,7 +534,8 @@ fn spawn_certificate_worker(
WorkerTask::spawn(name, None, auth_id, true, move |worker| async move { WorkerTask::spawn(name, None, auth_id, true, move |worker| async move {
if let Some(cert) = order_certificate(worker, &node_config).await? { if let Some(cert) = order_certificate(worker, &node_config).await? {
crate::config::set_proxy_certificate(&cert.certificate, &cert.private_key_pem, true)?; crate::config::set_proxy_certificate(&cert.certificate, &cert.private_key_pem)?;
crate::server::reload_proxy_certificate().await?;
} }
Ok(()) Ok(())
}) })
@ -572,7 +572,7 @@ pub fn revoke_acme_cert(rpcenv: &mut dyn RpcEnvironment) -> Result<String, Error
worker.log("Revoking old certificate"); worker.log("Revoking old certificate");
acme.revoke_certificate(cert_pem.as_bytes(), None).await?; acme.revoke_certificate(cert_pem.as_bytes(), None).await?;
worker.log("Deleting certificate and regenerating a self-signed one"); worker.log("Deleting certificate and regenerating a self-signed one");
delete_custom_certificate(true)?; delete_custom_certificate().await?;
Ok(()) Ok(())
}, },
) )

17
src/config.rs
View File

@ -187,16 +187,12 @@ pub fn update_self_signed_cert(force: bool) -> Result<(), Error> {
let x509 = x509.build(); let x509 = x509.build();
let cert_pem = x509.to_pem()?; let cert_pem = x509.to_pem()?;
set_proxy_certificate(&cert_pem, &priv_pem, false)?; set_proxy_certificate(&cert_pem, &priv_pem)?;
Ok(()) Ok(())
} }
pub(crate) fn set_proxy_certificate( pub(crate) fn set_proxy_certificate(cert_pem: &[u8], key_pem: &[u8]) -> Result<(), Error> {
cert_pem: &[u8],
key_pem: &[u8],
reload: bool,
) -> Result<(), Error> {
let backup_user = crate::backup::backup_user()?; let backup_user = crate::backup::backup_user()?;
let options = CreateOptions::new() let options = CreateOptions::new()
.perm(Mode::from_bits_truncate(0o0640)) .perm(Mode::from_bits_truncate(0o0640))
@ -211,14 +207,5 @@ pub(crate) fn set_proxy_certificate(
replace_file(&cert_path, &cert_pem, options) replace_file(&cert_path, &cert_pem, options)
.map_err(|err| format_err!("error writing certificate file - {}", err))?; .map_err(|err| format_err!("error writing certificate file - {}", err))?;
if reload {
reload_proxy()?;
}
Ok(()) Ok(())
} }
pub(crate) fn reload_proxy() -> Result<(), Error> {
crate::tools::systemd::reload_unit("proxmox-backup-proxy")
.map_err(|err| format_err!("error signaling reload to pbs proxy: {}", err))
}

9
src/server.rs
View File

@ -7,6 +7,7 @@
use anyhow::{format_err, Error}; use anyhow::{format_err, Error};
use lazy_static::lazy_static; use lazy_static::lazy_static;
use nix::unistd::Pid; use nix::unistd::Pid;
use serde_json::Value;
use proxmox::sys::linux::procfs::PidStat; use proxmox::sys::linux::procfs::PidStat;
@ -91,3 +92,11 @@ pub use report::*;
pub mod ticket; pub mod ticket;
pub mod auth; pub mod auth;
pub(crate) async fn reload_proxy_certificate() -> Result<(), Error> {
let proxy_pid = crate::server::read_pid(buildcfg::PROXMOX_BACKUP_PROXY_PID_FN)?;
let sock = crate::server::ctrl_sock_from_pid(proxy_pid);
let _: Value = crate::server::send_raw_command(sock, "{\"command\":\"reload-certificate\"}\n")
.await?;
Ok(())
}