Roll out "custom certificate" updates via shell / api?

[ChrisTG74]

Hi,
is it possible to replace "custom certificates" from shell or via api? I'm speaking of this ones here:

My goal is, to do cert-renewal automatically.
What service(s) need to be restarted after exchanging the certs?
Many thanks in advance!

 

[cheiss]

Hi,

you are looking for this API endpoint: https://pve.proxmox.com/pve-docs/api-viewer/index.html#/nodes/{node}/certificates/custom
Or on the shell with pvenode cert set: https://pve.proxmox.com/pve-docs/pvenode.1.html#cli_pvenode_cert_set

 

[ChrisTG74]

Oh, the pvenode commands are also valid for PMG? I didn't expect that. I thought they're only for PVE Nodes.

 

[cheiss]

Oh, my bad - completely overlooked that you are talking about Mail Gateway!

Anyhow, the correct endpoint would be: https://pmg.proxmox.com/pmg-docs/api-viewer/index.html#/nodes/{node}/certificates/custom/{type}
As for the CLI, there is the equivalent pmgconfig cert set: https://pmg.proxmox.com/pmg-docs/pmgconfig.1.html#cli_pmgconfig_cert_set

 

[ChrisTG74]

Thank for your reply.
I have a last question about the parameters the pmgconfig expects here:

pmgconfig cert set <type> <certificates> <key> [OPTIONS] [FORMAT_OPTIONS]
Upload or update custom certificate chain and key.
<type>: <api | smtp>
The TLS certificate type (API or SMTP certificate).

<certificates>: <string>
PEM encoded certificate (chain).

<key>: <string>
PEM encoded private key.

--force <boolean> (default =0)
Overwrite existing custom or ACME certificate files.

--restart <boolean> (default =0)
Restart services.

Does this really mean to pass the whole cert and key as strings here? Or is a filepath expected instead?
Pasting multi-line strings via commands is always a hassle from scripts IMHO.

Thank you.

 

[cheiss]

Yes, the raw certificate/key as strings are expected since pmgconfig mostly just wraps the API a bit more neatly for command-line usage.

But if you already got the files somewhere, you can invoke it e.g. as

pmgconfig cert set api "$(cat /var/lib/certs/cert.pem)" "$(cat /var/lib/certs/key.pem)"

Being able to pass filepaths instead seems like a pretty reasonable thing to have for CLIs, though - feel free to create a feature request over at https://bugzilla.proxmox.com/

 

[ChrisTG74]

I did so: https://bugzilla.proxmox.com/show_bug.cgi?id=7665
Thanks again, I will go with the "cat"-solution for now.

 

[ChrisTG74]

Hm, the syntax with "$(cat ..." does not work:

Unknown option: ---begin private key-----
(...)
<content of file is shown here>
(....)
400 unable to parse option
pmgconfig cert set <type> <certificates> <key> [OPTIONS] [FORMAT_OPTIONS]

 

[ChrisTG74]

Oh, I found out that it already expects file-pathes for the cert and the key! So the docu and the inbuilt help texts are just wrong.
I will update the bugreport