Automatically add domains to PMG

Abdelrahman · Jun 29, 2021

Hello,

Does PMG provide API to automatically add domains to "Relay domains, Transport and DKIM Sign?

Thank you

linux · Jul 1, 2021

Hi there, you can do this with the pmgsh functionality at command-line.

You could go via the API as well if that's preferred. Have you read docs/manuals?

For example:

Code:

pmgsh help /config/domains --verbose
pmgsh help /config/transport --verbose

It looks like DKIM would be under pmgconfig, though I haven't looked into it extensively.

Abdelrahman · Jul 4, 2021

linux said:
Hi there, you can do this with the pmgsh functionality at command-line.

You could go via the API as well if that's preferred. Have you read docs/manuals?

For example:

Code:

pmgsh help /config/domains --verbose pmgsh help /config/transport --verbose

It looks like DKIM would be under pmgconfig, though I haven't looked into it extensively.

Thanks a lot!

Abdelrahman · Jul 7, 2021

What's the best way to get/put API calls using URLs with tokens or username and passwords?

https://pmg.proxmox.com/pmg-docs/api-viewer/index.html#/config/domains/{domain}

I tried GET, POST and PUT

https://pmg.xxx.com:8006/api2/json/config/transport/domains/?domain=test.com&comment=test

as "domain" and "comment" required here

but the return result from Postman is
401Unauthorized
Time:3.69 s
Size:197 B
Save Response
Pretty
Raw
Preview
Visualize
Text

I tried with username &password of course but still the same results...
https://pmg.xxx.com:8006/api2/json/...comment=test&username=test@test&password=test

Sorry, I'm not a developer ...

steven99 · Jul 9, 2021

If you just want to run the API URLs in your browser, just login to the node and then run the API url in another browser tab. The API will use your current session cookie for the API calls -- very handy for testing out calls during dev.

Otherwise, if connecting to API from a script, like PHP, you need to create an access ticket and supply that when you are doing calls. https://pmg.proxmox.com/pmg-docs/api-viewer/index.html#/access/ticket - provide username, password, and realm (pmg) in a POST. It will return an access ticket and a CSRF token and you provide that ticket in a PMGAuthCookie cookie with along with CSRFPreventionToken http header that has the CSRP token.

PMG API uses the same, as far as I am aware, API authentication as proxmox ve. So if you find a script for proxmox ve that has the login, you can adapt it for PMG.

@Abdelrahman what is your goal here for the API? I mean do you want to intergrate in to a deployment system, control panel, or ?

Abdelrahman · Jul 10, 2021

steven99 said:
If you just want to run the API URLs in your browser, just login to the node and then run the API url in another browser tab. The API will use your current session cookie for the API calls -- very handy for testing out calls during dev.

Otherwise, if connecting to API from a script, like PHP, you need to create an access ticket and supply that when you are doing calls. https://pmg.proxmox.com/pmg-docs/api-viewer/index.html#/access/ticket - provide username, password, and realm (pmg) in a POST. It will return an access ticket and a CSRF token and you provide that ticket in a PMGAuthCookie cookie with along with CSRFPreventionToken http header that has the CSRP token.

PMG API uses the same, as far as I am aware, API authentication as proxmox ve. So if you find a script for proxmox ve that has the login, you can adapt it for PMG.

@Abdelrahman what is your goal here for the API? I mean do you want to intergrate in to a deployment system, control panel, or ?

I want to create a bash script to automatically add new domains from WHM/cPanel to PMG,
I already tried access/ticket and I got the CSRFPreventionToken

so how can I use this one?
PUT /api2/json/config/domains/{domain}?
https://pmg.proxmox.com:8006/api2/json/config/domains/xxx.com + CSRFPreventionToken + PMGAuthCookie ? ..
I got 401Unauthorized

from Postman

steven99 · Jul 11, 2021

You need to first get the access ticket via curl, wget, whatever and get the PMGAuthCookie and CSFR token into bash script variables. How you get those there is up to you. It returns a json, so you'll need to parse it out. Using the jq tool seems to be a commonly recommended method for json in bash.

Once you have the PMGAuthCookie and CSRF token in bash variables, you do curl, wget, whatever that can pass a cookie and header and do a POST. So for example, curl would be:

Bash:

curl --request POST \
-d "domain=$currentDomain" \
-d "comment=hosted-`hostname`" \
--cookie "$PMGcookie" \
--header "CSRFPreventionToken: $CSRFtoken" \
https://pmg-server.example.com:8006/api2/json/config/domains

Note that we're doing POST here and not PUT and we don't give the domain in the URL. PUT is only for updating an existing domain and using PUT while trying to add will lead to an error .

Abdelrahman · Jul 11, 2021

steven99 said:
You need to first get the access ticket via curl, wget, whatever and get the PMGAuthCookie and CSFR token into bash script variables. How you get those there is up to you. It returns a json, so you'll need to parse it out. Using the jq tool seems to be a commonly recommended method for json in bash.

Once you have the PMGAuthCookie and CSRF token in bash variables, you do curl, wget, whatever that can pass a cookie and header and do a POST. So for example, curl would be:

Bash:

curl --request POST \ -d "domain=$currentDomain" \ -d "comment=hosted-`hostname`" \ --cookie "$PMGcookie" \ --header "CSRFPreventionToken: $CSRFtoken" \ https://pmg-server.example.com:8006/api2/json/config/domains

Note that we're doing POST here and not PUT and we don't give the domain in the URL. PUT is only for updating an existing domain and using PUT while trying to add will lead to an error .

Got it .. I just did but I got an empty response, I checked on UI and I didn't see the domain added

Code:

root@pmg:~# curl --request POST \
> -d "domain=xxx.com" \
> -d "comment=hosted-`test`" \
> --cookie "PMG:apis@pmg:60E9F16F::xxxxxxxx" \
> --header "CSRFPreventionToken: xxxxx" \
> https://pmg.domain.com:8006/api2/json/config/domains
root@pmg:~#

what's this means?

steven99 · Jul 11, 2021

You replaced "hostname" with "test" within the tildes and that is likely where the issue is as test is not a valid command. Putting something between tildes ("`") instructs bash to run that as as command and to use that output. You could remove that part if you want and just have the comment be: -d "comment=blah" .

Adding on --verbose to the curl will also help to determine errors from pmg.

Abdelrahman · Jul 12, 2021

steven99 said:
You replaced "hostname" with "test" within the tildes and that is likely where the issue is as test is not a valid command. Putting something between tildes ("`") instructs bash to run that as as command and to use that output. You could remove that part if you want and just have the comment be: -d "comment=blah" .

Adding on --verbose to the curl will also help to determine errors from pmg.

Note: Unnecessary use of -X or --request, POST is already inferred.
* Expire in 0 ms for 6 (transfer 0x56512641afb0)
* Closing connection -1
curl: (3) URL using bad/illegal format or missing URL
Note: Unnecessary use of -X or --request, POST is already inferred.
* Expire in 0 ms for 6 (transfer 0x56512641afb0)
* Expire in 1 ms for 1 (transfer 0x56512641afb0)
* Expire in 0 ms for 1 (transfer 0x56512641afb0)
* Expire in 1 ms for 1 (transfer 0x56512641afb0)
* Expire in 0 ms for 1 (transfer 0x56512641afb0)
* Expire in 0 ms for 1 (transfer 0x56512641afb0)
* Expire in 1 ms for 1 (transfer 0x56512641afb0)
* Expire in 0 ms for 1 (transfer 0x56512641afb0)
* Expire in 0 ms for 1 (transfer 0x56512641afb0)
* Expire in 1 ms for 1 (transfer 0x56512641afb0)
* Expire in 0 ms for 1 (transfer 0x56512641afb0)
* Expire in 0 ms for 1 (transfer 0x56512641afb0)
* Expire in 0 ms for 1 (transfer 0x56512641afb0)
* Trying xxxx...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x56512641afb0)
* Connected to xxxxx (xxxx) port 8006 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=xxxxx
* start date: May 16 03:33:49 2021 GMT
* expire date: Aug 14 03:33:49 2021 GMT
* subjectAltName: host "xxxx" matched cert's "xxxx"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
> POST /api2/json/config/domains HTTP/1.1
> Host: xxxxxxxx
> User-Agent: curl/7.64.0
> Accept: */*
> Cookie: “xxxxxxx==”
> Content-Length: 42
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 42 out of 42 bytes
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/1.1 401 No ticket
< Cache-Control: max-age=0
< Connection: close
< Date: Mon, 12 Jul 2021 14:42:07 GMT
< Pragma: no-cache
< Server: pve-api-daemon/3.0
< Expires: Mon, 12 Jul 2021 14:42:07 GMT
<
* Closing connection 0

steven99 · Jul 13, 2021

Looks like you're are not passing the cookie and header. $currentDomain, $PMGcookie, and $CSRFtoken need to be set before the curl happens .

If you know PHP, it might be easier to take the VE API php examples and adapt them here.

Search

Search

Automatically add domains to PMG

Abdelrahman

Member

linux

Member

Abdelrahman

Member

Abdelrahman

Member

steven99

Member

Abdelrahman

Member

steven99

Member

Abdelrahman

Member

steven99

Member

Abdelrahman

Member

steven99

Member