The effect and unit of the validation delay was unclear from our
documentation, and the link to the acme.sh documentation didn't explain
it either
Signed-off-by: Folke Gleumes
---
since v1:
* slight rewording suggested by Alex
certificate-management.adoc | 4 +++-
1 file changed, 3 inser
The effect and unit of the validation delay was unclear from our
documentation, and the link to the acme.sh documentation didn't explain
it either
Signed-off-by: Folke Gleumes
---
certificate-management.adoc | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/certif
Forgot the reported by trailer:
Reported-by: Stoiko Ivanov
On Mon, 2024-04-22 at 11:01 +0200, Folke Gleumes wrote:
> When none of the meta fields is set by the directory, the whole
> dictionary is missing from the response, leading to an exception
> when testing for fields
When none of the meta fields is set by the directory, the whole
dictionary is missing from the response, leading to an exception
when testing for fields inside it.
Signed-off-by: Folke Gleumes
---
www/manager6/node/ACME.js | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff
Gave this a test with:
Accept-encoding: deflate
Accept-encoding: deflate, gzip
Accept-encoding: foobar
Everything worked as expected, the first case returned a zlib
compressed file, the second gzip and the third just plaintext.
Consider this
Tested-by: Folke Gleumes
On Wed, 2024-04-17 at 13
This patch series adds the option to set a custom directory for ACME and
enables the user to use external account binding, which is required by
some providers.
manager:
Folke Gleumes (2):
fix #5093: webui: acme: custom directory option
webui: acme: add eab fields
www/manager6/node/ACME.js
Adds fields for eab credentials. By default eab is optional, but if the
directory should report that eab is required, the eab credential fields
are marked as mandatory and prevent the form from being submittable
until credentials are provided.
Signed-off-by: Folke Gleumes
---
www/manager6/node
y on every input.
Signed-off-by: Folke Gleumes
---
changes since v1:
* re-add 'allowBlank: false' to disable the clear trigger
www/manager6/node/ACME.js | 139 +-
1 file changed, 107 insertions(+), 32 deletions(-)
diff --git a/www/manager6/node/ACME.js
?"),
> + actions: [
> + TextButton(
> + onPressed: () => Navigator.of(context).pop(true),
> + child: const Text("Yes")),
> + TextButton(
> + onPressed: () => N
update it whenever
we are touching it [0].
If you haven't done so already, you need to agree to the Harmony CLI
before we can accept your contribution [1].
Gave it a spin and ran some configurations, so you can consider this:
Tested-by: Folke Gleumes
[0] https://pve.proxmox.com
ping
still applies cleanly and works
On Tue, 2024-01-16 at 15:33 +0100, Folke Gleumes wrote:
> This patch series adds the option to set a custom directory for ACME
> and
> enables the user to use external account binding, which is required
> by
> some providers.
>
> Folke
-wise.
Signed-off-by: Folke Gleumes
---
Tested this on an AMD Epyc 7302P v2.
This patch is intended for the bookworm-6.5 branch.
...-Improve-the-erratum-1386-workaround.patch | 83 +++
1 file changed, 83 insertions(+)
create mode 100644
patches/kernel/0017-x86-CPU-AMD-Improve
The original fix disabled the xsaves feature for zen1/2. The issue has
since been fixed in the cpus microcode and this patch keeps the feature enabled
if the microcode version is recent enough to contain the fix.
Signed-off-by: Folke Gleumes
---
Tested this on an AMD Epyc 7302P v2
include 'PVEAPIToken=' prefix in the example for target-endpoint which
is mainly used for remote migrations.
Signed-off-by: Folke Gleumes
---
src/PVE/JSONSchema.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/PVE/JSONSchema.pm b/src/PVE/JSONSchema.pm
ind
Based on statements from the openZFS documentation where it is described
as providing "the same level of redundancy and performance as raidz" [0].
[0] https://openzfs.github.io/openzfs-docs/Basic%20Concepts/dRAID%20Howto.html
---
local-zfs.adoc | 2 ++
1 file changed, 2 insertions(+)
diff --git
The keep-env option allows the user to define if the current environment
should be kept when running 'pct enter/exec'. pct will now always set
'--keep-env' or '--clear-env' when calling lxc-attach to anticipate
the upcoming change in default behavior.
Signed-off-by:
The keep-env option allows the user to define if the current environment
should be kept when running 'pct enter/exec'. pct will now always set
'--keep-env' or '--discard-env' when calling lxc-attach to anticipate
the upcoming change in default behavior.
Signed-o
proxmox-perl-rs sets SSL_CERT_{DIR,FILE}, which can break ssl in
containers if their certificate store can't be found in the same spot.
This patch explicitly unsets those variables before starting the
container.
Signed-off-by: Folke Gleumes
---
Changes since v1:
* Add reevaluation
e {
> + $eab_hmac_key = decode_base64url($info{eab}->{hmac_key});
> + }
> $payload{externalAccountBinding} =
> external_account_binding_jws(
> $info{eab}->{kid},
> $eab_hmac_key,
Thanks!
Works as intended, tested with base64, base64url
On Tue, 2024-01-23 at 10:51 +0100, Fabian Grünbichler wrote:
> On January 22, 2024 11:12 am, Folke Gleumes wrote:
> > proxmox-perl-rs sets SSL_CERT_{DIR,FILE}, which can break ssl in
> > containers if their certificate store can't be found in the same
> > spot.
proxmox-perl-rs sets SSL_CERT_{DIR,FILE}, which can break ssl in
containers if their certificate store can't be found in the same spot.
This patch explicitly unsets those variables before starting the
container.
Signed-off-by: Folke Gleumes
---
src/PVE/CLI/pct.pm | 11 +
mplement a simple check on
the '/' and '+' characters, to check if base64 or base64url has been
used to encode the key.
Tested-By: Folke Gleumes
On Thu, 2024-01-18 at 18:40 +0800, YU Jincheng wrote:
> According to RFC 8555:
> > The MAC key SHOULD be provided in base64url-
the pebble to the /etc/hosts of your pve instance
5. Use https://pebble:14000/dir as the acme directory for testing, eab
credentials can be found in the config used in step 2
[0] https://github.com/letsencrypt/pebble
On Tue, 2024-01-16 at 15:33 +0100, Folke Gleumes wrote:
> This patch series a
Adds fields for eab credentials. By default eab is optional, but if the
directory should report that eab is required, the eab credential fields
are marked as mandatory and prevent the form from being submittable
until credentials are provided.
Signed-off-by: Folke Gleumes
---
www/manager6/node
y on every input.
Signed-off-by: Folke Gleumes
---
www/manager6/node/ACME.js | 140 +-
1 file changed, 107 insertions(+), 33 deletions(-)
diff --git a/www/manager6/node/ACME.js b/www/manager6/node/ACME.js
index 21137b1a..5b71778a 100644
--- a/www/manager6/node/ACM
This patch series adds the option to set a custom directory for ACME and
enables the user to use external account binding, which is required by
some providers.
Folke Gleumes (2):
fix #5093: webui: acme: custom directory option
webui: acme: add eab fields
www/manager6/node/ACME.js | 168
https://bugzilla.proxmox.com/show_bug.cgi?id=1454
cluster: Folke Gleumes (1):
rrd: add free, buffer/cache and arc size to memory statistics
src/pmxcfs/status.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
common: Folke Gleumes (1):
add more detailed statistics to memory rep
Signed-off-by: Folke Gleumes
---
src/panel/RRDChart.js | 59 +--
1 file changed, 46 insertions(+), 13 deletions(-)
diff --git a/src/panel/RRDChart.js b/src/panel/RRDChart.js
index dc5940c..983437e 100644
--- a/src/panel/RRDChart.js
+++ b/src/panel
Signed-off-by: Folke Gleumes
---
PVE/API2/Nodes.pm| 6 +++---
PVE/API2Tools.pm | 2 +-
PVE/Service/pvestatd.pm | 15 +++
www/manager6/node/Summary.js | 6 --
4 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/PVE/API2/Nodes.pm b/PVE
Signed-off-by: Folke Gleumes
---
src/PVE/ProcFSTools.pm | 11 ++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/PVE/ProcFSTools.pm b/src/PVE/ProcFSTools.pm
index 3826fcc..5f5d768 100644
--- a/src/PVE/ProcFSTools.pm
+++ b/src/PVE/ProcFSTools.pm
@@ -279,7 +279,10 @@ sub
adding values to the rrd format breaks compatibility with the old file.
Therefore the filename/path had to be changed as well.
Signed-off-by: Folke Gleumes
---
src/pmxcfs/status.c | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/pmxcfs/status.c b/src/pmxcfs
until now it was only checked at install time, failing the whole
installation
Signed-off-by: Folke Gleumes
---
proxinstall | 6 ++
1 file changed, 6 insertions(+)
diff --git a/proxinstall b/proxinstall
index 01d4cfe..cf8f510 100755
--- a/proxinstall
+++ b/proxinstall
@@ -1526,6 +1526,12
this prevents a lower hdsize to be set, when intermittently adding a
smaller storage device.
Signed-off-by: Folke Gleumes
---
proxinstall | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/proxinstall b/proxinstall
index 4fc31f8..695826d 100755
--- a/proxinstall
+++ b
previously, when opening the dialog multiple times, the maximum was
determined by the previous set value, not the maximum possible for the
storage
Signed-off-by: Folke Gleumes
---
proxinstall | 25 +
1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a
Please ignore this, wrong mailing list
On Tue, 2023-11-14 at 15:07 +0100, Folke Gleumes wrote:
> Following the implementation for pve [0], this implements external
> account
> binding for pmg and pbs.
>
> For pmg, the tos endpoint was replaced with a meta endpoint, for pbs
If the ca demands external account binding credentials, the user will be
asked for them. If a custom directory is used, the user will be asked if
eab should be used.
Signed-off-by: Folke Gleumes
---
src/acme/client.rs | 2 +-
src/bin/proxmox_backup_manager/acme.rs | 51
Optionally allow for setting external account binding credentials at the
account registration endpoint.
Signed-off-by: Folke Gleumes
---
src/acme/client.rs | 7 +-
src/api2/config/acme.rs| 35 +++---
src/bin/proxmox_backup_manager
d-off-by: Folke Gleumes
---
src/directory.rs | 25 +++--
1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/src/directory.rs b/src/directory.rs
index 755ea8c..a9d31f2 100644
--- a/src/directory.rs
+++ b/src/directory.rs
@@ -47,6 +47,18 @@ pub struct Meta {
//
/pve-devel/2023-October/059726.html
acme-rs:
Folke Gleumes (2):
add external account binding
add meta fields returned by the directory
src/account.rs | 28 +++-
src/client.rs| 6 -
src/directory.rs | 25 --
src/eab.rs | 66
interactively ask for external account binding credentials if either:
* the ca requests it
* a custom ca is used
Signed-off-by: Folke Gleumes
---
src/PMG/CLI/pmgconfig.pm | 29 ++---
1 file changed, 26 insertions(+), 3 deletions(-)
diff --git a/src/PMG/CLI/pmgconfig.pm
Signed-off-by: Folke Gleumes
---
src/PMG/API2/ACME.pm | 16 +++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/PMG/API2/ACME.pm b/src/PMG/API2/ACME.pm
index 42c9f4e..9e3eb8d 100644
--- a/src/PMG/API2/ACME.pm
+++ b/src/PMG/API2/ACME.pm
@@ -132,6 +132,18
The ToS endpoint ignored data that is needed to detect if EAB needs to
be used. Instead of adding a new endpoint that does the same request,
the tos endpoint is deprecated and replaced by the meta endpoint,
that returns all information returned by the directory.
Signed-off-by: Folke Gleumes
: Folke Gleumes
---
src/account.rs | 28 -
src/eab.rs | 66 ++
src/error.rs | 10
src/lib.rs | 1 +
4 files changed, 99 insertions(+), 6 deletions(-)
create mode 100644 src/eab.rs
diff --git a/src/account.rs
Signed-off-by: Folke Gleumes
---
pmg-rs/src/acme.rs | 18 +-
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/pmg-rs/src/acme.rs b/pmg-rs/src/acme.rs
index b38e1ea..fe1e465 100644
--- a/pmg-rs/src/acme.rs
+++ b/pmg-rs/src/acme.rs
@@ -79,6 +79,7 @@ impl Inner
Signed-off-by: Folke Gleumes
---
src/client.rs | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/client.rs b/src/client.rs
index 78c83a2..53f2688 100644
--- a/src/client.rs
+++ b/src/client.rs
@@ -367,10 +367,14 @@ impl Client {
contact: Vec
caaIdentities was mistakenly labeled as a string in a previous patch and
not as an array of strings, as it is defined in the rfc [0].
[0] https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.1
Signed-off-by: Folke Gleumes
---
This is a followup to Thomas's correction, regarding the metadata
---
de.po | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/de.po b/de.po
index 3e2ff91..43f5d0c 100644
--- a/de.po
+++ b/de.po
@@ -1138,17 +1138,17 @@ msgstr "Massenstart"
#: pve-manager/www/manager6/Utils.js:1970
#, fuzzy
msgid "Bulk migrate VMs and Containers"
-msgstr
oot=1) the new wording still applies better than the previous.
Signed-off-by: Folke Gleumes
---
After applying, please run make update on proxmox-i18n so updated translations
can be submitted.
www/manager6/Utils.js | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ww
have been tested to work with and without EAB
by using pebble [0] as the CA.
[0] https://github.com/letsencrypt/pebble
acme: Folke Gleumes (1):
fix #4497: add support for external account bindings
src/PVE/ACME.pm | 48 ++--
1 file changed, 42 insert
Since external account binding is advertised the same way as the ToS,
it can be detected when creating an account and asked for if needed.
Signed-off-by: Folke Gleumes
---
No changes in v3
PVE/CLI/pvenode.pm | 26 --
1 file changed, 24 insertions(+), 2 deletions
The ToS endpoint ignored data that is needed to detect if EAB needs to
be used. Instead of adding a new endpoint that does the same request,
the tos endpoint is deprecated and replaced by the meta endpoint,
that returns all information returned by the directory.
Signed-off-by: Folke Gleumes
Besides the switch from tos to meta endpoint, this fixes a visual bug,
where the 'Accept TOS' button would show up, even if no ToS was needed.
Signed-off-by: Folke Gleumes
---
Changes since v2:
fixed tabs/spaces
www/manager6/node/ACME.js | 12
1 file changed, 8 insert
implementation according to rfc8555 section 7.3.4
Signed-off-by: Folke Gleumes
---
Changes since v2:
Transport eab credentials in the info hash, but don't reuse it as
payload. Instead, needed values are extracted and, if needed, transformed
into a new hash.
While this limits how the info
Signed-off-by: Folke Gleumes
---
No changes in v3
PVE/API2/ACMEAccount.pm | 27 ++-
1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/PVE/API2/ACMEAccount.pm b/PVE/API2/ACMEAccount.pm
index b790843a..ec4eba24 100644
--- a/PVE/API2/ACMEAccount.pm
+++ b/PVE
The ToS endpoint ignored data that is needed to detect if EAB needs to
be used. Instead of adding a new endpoint that does the same request,
the tos endpoint is deprecated and replaced by the meta endpoint,
that returns all information returned by the directory.
Signed-off-by: Folke Gleumes
implementation according to rfc855 section 7.3.4
Signed-off-by: Folke Gleumes
---
Changes v1 -> v2:
Switched from including the eab credentials in the info hash,
to passing them in their own variable. This unfortunately still
breaks the api, but doesn't potentially expose secret
Signed-off-by: Folke Gleumes
---
Changes v1 -> v2:
* renamed api methods so they use '-' instead of '_'
* use 'requires' in api to declare dependency instead of manual check
PVE/API2/ACMEAccount.pm | 23 ++-
1 file changed, 22 insertion
Besides the switch from tos to meta endpoint, this fixes a visual bug,
where the 'Accept TOS' button would show up, even if no ToS was needed.
Signed-off-by: Folke Gleumes
---
No changes in v2
www/manager6/node/ACME.js | 12
1 file changed, 8 insertions(+), 4 deletion
Since external account binding is advertised the same way as the ToS,
it can be detected when creating an account and asked for if needed.
Signed-off-by: Folke Gleumes
---
Changes v1 -> v2:
* If a custom directory is used, ask if EAB should be used, even when not
required by the CA.
PVE/
he CA.
[0] https://github.com/letsencrypt/pebble
acme: Folke Gleumes (1):
fix #4497: add support for external account bindings
src/PVE/ACME.pm | 42 +-
1 file changed, 37 insertions(+), 5 deletions(-)
manager: Folke Gleumes (4):
fix #4497: acme: add s
Besides the switch from tos to meta endpoint, this fixes a visual bug,
where the 'Accept TOS' button would show up, even if no ToS was needed.
Signed-off-by: Folke Gleumes
---
www/manager6/node/ACME.js | 12
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/ww
The ToS endpoint ignored data that is needed to detect if EAB needs to
be used. Instead of adding a new endpoint that does the same request,
the tos endpoint is deprecated and replaced by the meta endpoint,
that returns all information returned by the directory.
Signed-off-by: Folke Gleumes
implementation according to rfc855 section 7.3.4
Signed-off-by: Folke Gleumes
---
src/PVE/ACME.pm | 43 +++
1 file changed, 35 insertions(+), 8 deletions(-)
diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
index 3f66182..f65729a 100644
--- a/src/PVE/ACME.pm
r the ToS.
The patches have been tested to work with and without EAB
by using pebble [0] as the CA.
[0] https://github.com/letsencrypt/pebble
acme: Folke Gleumes (1):
fix #4497: add support for external account bindings
src/PVE/ACME.pm | 43 +++
1
Since external account binding is advertised the same way as the ToS,
it can be detected when creating an account and asked for if needed.
Signed-off-by: Folke Gleumes
---
PVE/CLI/pvenode.pm | 16 ++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/PVE/CLI/pvenode.pm
Signed-off-by: Folke Gleumes
---
PVE/API2/ACMEAccount.pm | 27 ++-
1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/PVE/API2/ACMEAccount.pm b/PVE/API2/ACMEAccount.pm
index b790843a..daae18d8 100644
--- a/PVE/API2/ACMEAccount.pm
+++ b/PVE/API2/ACMEAccount.pm