feat(vm201): wildcard *.roa auto-renew via cPanel DNS-01 hook

Fix expirare cert wildcard *.roa.romfast.ro (incident 2026-05-31): renewal-ul era [Manual] DNS-01, nu rula din Scheduled Task -> 61 erori -> expirat. Subdomeniile Dokploy (efactura.roa etc.) dadeau ERR_CERT_DATE_INVALID. - cpanel-acme-dns.ps1: hook win-ACME DNS-01 (cPanel UAPI mass_edit_zone, fallback ZoneEdit) care pune/sterge TXT _acme-challenge automat - cpanel-dns.config.example.json: template (token-ul real e gitignored) - monitor-ssl-certificates.sh: sentinel efactura.roa (wildcard) + alerta in loc de auto-renew prin guest-exec (dezactivat) - README + doc cert: flux DNS-01 cPanel + acces OpenSSH VM 201 Renewal nou roa-wildcard-cpanel, auto, due 2026-08-19; vechiul [Manual] anulat. Cert live valid pana 2026-09-23. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-25 13:23:54 +00:00
parent e8d1889364
commit a41e9d81cf
6 changed files with 305 additions and 3 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,7 @@ input/
 .vscode/
 *.swp
 *.swo
+
+# Secrets - real cPanel DNS hook config holds an API token (template is committed)
+cpanel-dns.config.json
+**/cpanel-dns.config.json
--- a/proxmox/vm201-windows/README.md
+++ b/proxmox/vm201-windows/README.md
@@ -166,7 +166,12 @@ format manifest, workflow publicare, riscuri backup).
 - **Locație:** `C:\Tools\win-acme\`
 - **Scop:** Certificate Let's Encrypt automate
 - **Task Scheduler:** Reînnoire automată zilnică (verificare)
- **Certificate Storage:** LocalMachine\My (Certificate Store)
+- **Certificate Storage:** LocalMachine\My (Certificate Store); certul wildcard în store-ul `WebHosting`
+- **Renewal-uri:**
+  - `roa.romfast.ro`, `dokploy`, `gitea`, `roa2web`, `roa-qr` → validare **HTTP-01** (sursă IIS, auto)
+  - `roa-wildcard-cpanel` (`*.roa.romfast.ro`) → validare **DNS-01** prin hook cPanel
+    (`cpanel-acme-dns.ps1`), instalat pe site `roa-apps` (ID 6). Vezi incidentul de
+    expirare 2026-05-31 și setup-ul complet în `vm201-certificat-letsencrypt-iis.md`.

 #### 4. WinNUT Client
 - **Versiune:** WinNUT-Client-2.x
@@ -185,6 +190,16 @@ format manifest, workflow publicare, riscuri backup).
 - **Network Level Authentication:** Enabled
 - **Acces:** `mstsc /v:roacentral` (din rețea locală)

+#### 6. OpenSSH Server
+- **Serviciu:** `sshd` (OpenSSH_for_Windows_9.5), port 22, DefaultShell = PowerShell
+- **Acces admin din claude-agent (LXC 171):** `ssh romfast@10.0.20.122 '<powershell>'`
+  (sesiune elevată — High Mandatory Level)
+- **Chei admin:** `C:\ProgramData\ssh\administrators_authorized_keys`
+  (ACL strict: doar `SYSTEM:F` + `BUILTIN\Administrators:F`, owner `BUILTIN\Administrators`,
+  fără moștenire — altfel sshd respinge/resetează)
+- **Notă:** `Administrator` peste SSH dă „Connection reset" (cont dezactivat) → folosește `romfast`.
+  Guest agent QEMU are `guest-exec` dezactivat, deci SSH e singura cale de execuție remote.
+
 ---

 ## 🌐 Configurare Rețea
@@ -339,6 +354,12 @@ cd C:\Tools\win-acme
 iisreset
 ```

+> **Wildcard `*.roa.romfast.ro`:** NU se validează prin HTTP-01 (ca celelalte), ci prin
+> **DNS-01** cu hook-ul cPanel `cpanel-acme-dns.ps1`. Dacă expiră, verifică renewal-ul
+> `roa-wildcard-cpanel` (`.\wacs.exe --list`) și config-ul `cpanel-dns.config.json`.
+> Sentinel în monitorizare: `efactura.roa.romfast.ro`. Detalii: secțiunea „Wildcard …
+> Reînnoire Automată DNS-01 (cPanel)" din `vm201-certificat-letsencrypt-iis.md`.
+
 **Documentație completă:** `vm201-certificat-letsencrypt-iis.md`

 ---
@@ -408,6 +429,7 @@ ssh root@10.0.20.201 "qm delsnapshot 201 pre-update-snapshot"
 - **Verificare certificate (Windows):** `scripts/check-ssl-certificates.ps1`
 - **Monitorizare certificate (Proxmox):** `scripts/monitor-ssl-certificates.sh`
 - **Setup site-uri IIS noi (Dokploy):** `scripts/setup-new-iis-sites.ps1`
+- **Hook DNS-01 wildcard cPanel (win-ACME):** `scripts/cpanel-acme-dns.ps1` (+ template `cpanel-dns.config.example.json`; config-ul real cu token NU e în git)

 ### Configurații IIS
 - **web.config roa-qr.romfast.ro:** `iis-configs/roa-qr.web.config`
@@ -514,6 +536,6 @@ qm migrate 201 pvemini --online

 ---

-**Ultima actualizare:** 2026-03-02
+**Ultima actualizare:** 2026-06-25
 **Autor:** Marius Mutu
 **Proiect:** ROMFASTSQL - VM 201 Documentation
--- a/proxmox/vm201-windows/docs/vm201-certificat-letsencrypt-iis.md
+++ b/proxmox/vm201-windows/docs/vm201-certificat-letsencrypt-iis.md
@@ -249,6 +249,66 @@ Get-ScheduledTask | Where-Object {$_.TaskName -like "*SSL*" -or $_.TaskName -lik
 grep ssl /etc/crontab
 ```

+## Wildcard `*.roa.romfast.ro` — Reînnoire Automată DNS-01 (cPanel)
+
+> **Incident 2026-05-31:** wildcardul a expirat. Renewal-ul win-acme era de tip
+> `[Manual]` (DNS-01 cu TXT pus de mână) → nu rula din Scheduled Task → ~60 de
+> erori consecutive → expirare. Subdomeniile Dokploy (`efactura.roa…`, `space.roa…`)
+> dădeau `ERR_CERT_DATE_INVALID`. Monitorizarea nu prindea pentru că `*.roa` nu era
+> în lista de domenii verificate (era doar `roa.romfast.ro`, un cert separat).
+
+Wildcardul **nu** poate folosi HTTP-01 (ca site-urile 1–6); necesită **DNS-01**.
+DNS-ul `romfast.ro` e pe **hosting.com (cPanel)**, fără plugin nativ în win-acme,
+deci folosim hook-ul de script `cpanel-acme-dns.ps1` care pune/șterge TXT-ul prin
+cPanel API.
+
+### Setup (o singură dată, pe VM 201 ca Administrator)
+
+1. cPanel → **Manage API Tokens** → creează token cu drept de editare DNS.
+2. Copiază pe VM 201:
+   - `scripts/cpanel-acme-dns.ps1` → `C:\Tools\win-acme\cpanel-acme-dns.ps1`
+   - `scripts/cpanel-dns.config.example.json` → `C:\Tools\win-acme\cpanel-dns.config.json`
+     și completează `Hostname`, `User`, `ApiToken`. **Nu commite** fișierul real
+     (e în `.gitignore`).
+3. Test manual:
+   ```powershell
+   cd C:\Tools\win-acme
+   .\cpanel-acme-dns.ps1 create _acme-challenge.roa.romfast.ro testvalue123
+   # verifică TXT-ul în cPanel Zone Editor, apoi:
+   .\cpanel-acme-dns.ps1 delete _acme-challenge.roa.romfast.ro testvalue123
+   ```
+4. Recreează renewal-ul wildcard:
+   ```
+   .\wacs.exe   (ca Administrator)
+   M  → Create renewal (full options)
+        Source:       Manual  → *.roa.romfast.ro
+        Validation:   dns-01 → "Create verification records with your own script"
+            Run create: Powershell.exe -File C:\Tools\win-acme\cpanel-acme-dns.ps1
+            Create args : create {RecordName} {Token}
+            Run delete: Powershell.exe -File C:\Tools\win-acme\cpanel-acme-dns.ps1
+            Delete args : delete {RecordName} {Token}
+        Store:        Windows Certificate Store (My)
+        Installation: IIS → site "roa-apps"   (re-leagă certul automat pe binding)
+   ```
+5. Confirmă Scheduled task (rulând `wacs.exe` ca admin) → reînnoire 100% automată.
+
+### Verificare
+```bash
+echo | openssl s_client -connect efactura.roa.romfast.ro:443 \
+  -servername efactura.roa.romfast.ro 2>/dev/null | openssl x509 -noout -dates
+```
+
+### Monitorizare
+`monitor-ssl-certificates.sh` include acum `efactura.roa.romfast.ro` ca **sentinel**
+pentru wildcard (Site ID `WILDCARD`). Dacă expiră, scriptul **alertează** (nu mai
+încearcă auto-renew prin guest-exec, care e dezactivat) → intervenție pe VM 201.
+
+> **Securitate:** tokenul cPanel ajunge pe VM 201. Dă-i drepturi cât mai granulare
+> (doar DNS). Dacă panoul e vechi și expune doar API2 ZoneEdit, setează
+> `"LegacyZoneEdit": true` în config.
+
+---
+
 ## Note Importante

 - **SNI este OBLIGATORIU** pentru multiple certificate pe același IP:port
--- a/proxmox/vm201-windows/scripts/cpanel-acme-dns.ps1
+++ b/proxmox/vm201-windows/scripts/cpanel-acme-dns.ps1
@@ -0,0 +1,192 @@
+<#
+.SYNOPSIS
+    win-acme DNS-01 validation hook for cPanel-hosted zones (hosting.com).
+
+.DESCRIPTION
+    Creates / deletes the _acme-challenge TXT record via the cPanel API so the
+    wildcard certificate *.roa.romfast.ro renews FULLY UNATTENDED (no manual TXT).
+
+    Replaces the old "[Manual]" validation of the wildcard renewal in win-acme,
+    which could not run from the scheduled task and accumulated 60+ errors until
+    the certificate expired (incident 2026-05-31, see README).
+
+    Authentication uses a cPanel API token (cPanel -> Manage API Tokens), passed
+    as the header:  Authorization: cpanel <USER>:<TOKEN>
+
+    Modern panels (cPanel & WHM v90+) -> UAPI DNS::mass_edit_zone (default).
+    Legacy panels (only API2 ZoneEdit) -> set "LegacyZoneEdit": true in config.
+
+.PARAMETER Action
+    create | delete   (win-acme calls the script once for each)
+
+.PARAMETER RecordName
+    Full record name, e.g. _acme-challenge.roa.romfast.ro   (win-acme {RecordName})
+
+.PARAMETER Token
+    TXT value to publish, supplied by the ACME server        (win-acme {Token})
+
+.NOTES
+    Place on VM 201 at:  C:\Tools\win-acme\cpanel-acme-dns.ps1
+    Credentials live in: C:\Tools\win-acme\cpanel-dns.config.json  (NEVER commit)
+    Template:            cpanel-dns.config.example.json
+
+    Configure the renewal with "wacs.exe" (as Administrator):
+        M  -> Create renewal (full options)
+        Source:       Manual            -> *.roa.romfast.ro
+        Validation:   dns-01 -> "Create verification records with your own script"
+            Run create: Powershell.exe -File C:\Tools\win-acme\cpanel-acme-dns.ps1
+            Create args : create {RecordName} {Token}
+            Run delete: Powershell.exe -File C:\Tools\win-acme\cpanel-acme-dns.ps1
+            Delete args : delete {RecordName} {Token}
+        Store:        Windows Certificate Store (My)
+        Installation: IIS -> site "roa-apps"   (re-binds the cert automatically)
+
+    Manual test before wiring into win-acme:
+        .\cpanel-acme-dns.ps1 create _acme-challenge.roa.romfast.ro testvalue123
+        (check the TXT appears in cPanel Zone Editor, then:)
+        .\cpanel-acme-dns.ps1 delete _acme-challenge.roa.romfast.ro testvalue123
+#>
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory)][ValidateSet('create', 'delete')][string]$Action,
+    [Parameter(Mandatory)][string]$RecordName,
+    [Parameter(Mandatory)][string]$Token
+)
+
+$ErrorActionPreference = 'Stop'
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+
+# --- load config -----------------------------------------------------------
+$cfgPath = Join-Path $PSScriptRoot 'cpanel-dns.config.json'
+if (-not (Test-Path $cfgPath)) {
+    throw "Missing config: $cfgPath  (copy cpanel-dns.config.example.json and fill it in)"
+}
+$cfg = Get-Content $cfgPath -Raw | ConvertFrom-Json
+
+# Tolerate Hostname pasted as a URL ("https://host/cpanel", "host:2083", ...):
+# keep only the bare hostname.
+$cpHost = ($cfg.Hostname -replace '^\s*https?://', '') -replace '/.*$', '' -replace ':\d+\s*$', ''
+$cpPort = if ($cfg.Port) { $cfg.Port } else { 2083 }
+$cpUser = $cfg.User
+$cpTok  = $cfg.ApiToken
+$ttl    = if ($cfg.Ttl) { [int]$cfg.Ttl } else { 300 }
+$legacy = [bool]$cfg.LegacyZoneEdit
+
+if (-not $cpHost -or -not $cpUser -or -not $cpTok) {
+    throw "Config incomplete: Hostname, User and ApiToken are required in $cfgPath"
+}
+
+$headers = @{ Authorization = "cpanel ${cpUser}:${cpTok}" }
+$base    = "https://${cpHost}:${cpPort}"
+$dname   = $RecordName.TrimEnd('.') + '.'          # cPanel wants FQDN with trailing dot
+
+function Invoke-Uapi {
+    param([string]$Module, [string]$Func, [hashtable]$Params)
+    $qs = ($Params.GetEnumerator() | ForEach-Object {
+            "$($_.Key)=$([uri]::EscapeDataString([string]$_.Value))"
+        }) -join '&'
+    $uri = "$base/execute/$Module/$Func"
+    if ($qs) { $uri += "?$qs" }
+    $r = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
+    if ($r.errors) { throw "cPanel UAPI ${Module}::${Func} -> $($r.errors -join '; ')" }
+    return $r
+}
+
+# Find the apex zone managed by cPanel that the record belongs to.
+# _acme-challenge.roa.romfast.ro -> tries roa.romfast.ro, then romfast.ro
+function Resolve-Zone {
+    param([string]$fqdn)
+    $labels = $fqdn.TrimEnd('.').Split('.')
+    for ($i = 1; $i -le $labels.Count - 2; $i++) {
+        $cand = ($labels[$i..($labels.Count - 1)]) -join '.'
+        try {
+            $r = Invoke-Uapi 'DNS' 'parse_zone' @{ zone = $cand }
+            if ($r.data) { return [pscustomobject]@{ Zone = $cand; Data = $r.data } }
+        }
+        catch { }
+    }
+    throw "No cPanel-managed zone found for $fqdn"
+}
+
+function Get-ZoneSerial {
+    param($zoneData)
+    foreach ($l in $zoneData) {
+        if ($l.type -eq 'record' -and $l.record_type -eq 'SOA') {
+            $vals = $l.data_b64 | ForEach-Object {
+                [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($_))
+            }
+            return [int64]$vals[2]   # SOA: primary, hostmaster, SERIAL, refresh, ...
+        }
+    }
+    throw 'SOA serial not found in parsed zone'
+}
+
+# ---------------------------------------------------------------------------
+# Legacy path: cPanel API2 ZoneEdit (only if panel lacks UAPI DNS module)
+# ---------------------------------------------------------------------------
+if ($legacy) {
+    $z = Resolve-Zone $RecordName
+    $name = $RecordName.TrimEnd('.')
+    if ($Action -eq 'create') {
+        $uri = "$base/json-api/cpanel?cpanel_jsonapi_user=$cpUser&cpanel_jsonapi_apiversion=2" +
+               "&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=add_zone_record" +
+               "&domain=$($z.Zone)&name=$([uri]::EscapeDataString($name))&type=TXT" +
+               "&txtdata=$([uri]::EscapeDataString($Token))&ttl=$ttl"
+        $r = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
+        if ($r.cpanelresult.error) { throw $r.cpanelresult.error }
+        Write-Host "[create] TXT $name added to $($z.Zone) (legacy ZoneEdit)"
+    }
+    else {
+        $look = "$base/json-api/cpanel?cpanel_jsonapi_user=$cpUser&cpanel_jsonapi_apiversion=2" +
+                "&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=fetchzone_records&domain=$($z.Zone)&type=TXT"
+        $r = Invoke-RestMethod -Uri $look -Headers $headers -Method Get
+        $hits = @($r.cpanelresult.data | Where-Object {
+                ($_.name.TrimEnd('.') -eq $name) -and ($_.txtdata -eq $Token)
+            } | Sort-Object { [int]$_.line } -Descending)
+        foreach ($rec in $hits) {
+            $del = "$base/json-api/cpanel?cpanel_jsonapi_user=$cpUser&cpanel_jsonapi_apiversion=2" +
+                   "&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=remove_zone_record&domain=$($z.Zone)&line=$($rec.line)"
+            Invoke-RestMethod -Uri $del -Headers $headers -Method Get | Out-Null
+            Write-Host "[delete] TXT line $($rec.line) removed from $($z.Zone) (legacy ZoneEdit)"
+        }
+    }
+    return
+}
+
+# ---------------------------------------------------------------------------
+# Modern path: UAPI DNS::mass_edit_zone (serial-checked, atomic)
+# ---------------------------------------------------------------------------
+if ($Action -eq 'create') {
+    $z = Resolve-Zone $RecordName
+    $serial = Get-ZoneSerial $z.Data
+    # mass_edit_zone wants 'add' as a raw JSON record object (NOT base64).
+    $rec = @{ dname = $dname; ttl = $ttl; record_type = 'TXT'; data = @($Token) } | ConvertTo-Json -Compress
+    Invoke-Uapi 'DNS' 'mass_edit_zone' @{ zone = $z.Zone; serial = $serial; add = $rec } | Out-Null
+    Write-Host "[create] TXT $dname = $Token added to zone $($z.Zone)"
+}
+else {
+    # Re-parse before each removal: line_index and serial shift after every edit.
+    for ($pass = 0; $pass -lt 10; $pass++) {
+        $z = Resolve-Zone $RecordName
+        $serial = Get-ZoneSerial $z.Data
+        # parse_zone returns names RELATIVE to the zone (e.g. "_acme-challenge.roa"),
+        # so match against both the absolute and the zone-relative form.
+        $want = $RecordName.TrimEnd('.')
+        $wantRel = $want -replace ('\.' + [regex]::Escape($z.Zone) + '$'), ''
+        $idx = $null
+        foreach ($l in $z.Data) {
+            if ($l.type -eq 'record' -and $l.record_type -eq 'TXT') {
+                $n = ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($l.dname_b64))).TrimEnd('.')
+                $d = $l.data_b64 | ForEach-Object {
+                    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($_))
+                }
+                if ((($n -eq $want) -or ($n -eq $wantRel)) -and ($d -contains $Token)) {
+                    $idx = $l.line_index; break
+                }
+            }
+        }
+        if ($null -eq $idx) { break }
+        Invoke-Uapi 'DNS' 'mass_edit_zone' @{ zone = $z.Zone; serial = $serial; remove = $idx } | Out-Null
+        Write-Host "[delete] TXT line $idx removed from zone $($z.Zone)"
+    }
+}
--- a/proxmox/vm201-windows/scripts/cpanel-dns.config.example.json
+++ b/proxmox/vm201-windows/scripts/cpanel-dns.config.example.json
@@ -0,0 +1,9 @@
+{
+  "_comment": "Copy to cpanel-dns.config.json on VM 201 (C:\\Tools\\win-acme\\). NEVER commit the real file - it holds the cPanel API token.",
+  "Hostname": "your-server.hosting.com",
+  "Port": 2083,
+  "User": "cpanel_account_username",
+  "ApiToken": "PASTE_CPANEL_API_TOKEN_HERE",
+  "Ttl": 300,
+  "LegacyZoneEdit": false
+}
--- a/proxmox/vm201-windows/scripts/monitor-ssl-certificates.sh
+++ b/proxmox/vm201-windows/scripts/monitor-ssl-certificates.sh
@@ -13,15 +13,22 @@ LOG_FILE="/var/log/ssl-monitor.log"
 EMAIL_TO="root"  # Proxmox trimite la adresa configurata

 # Domenii de verificat
+# NOTA: efactura.roa.romfast.ro este un SENTINEL pentru certificatul wildcard
+#       *.roa.romfast.ro. Wildcardul nu poate fi testat direct, asa ca verificam
+#       un subdomeniu real acoperit de el. Site ID "WILDCARD" => doar ALERTA,
+#       fara auto-renew (wildcardul e DNS-01, reinnoit de cpanel-acme-dns.ps1 pe
+#       VM 201; auto-renew prin guest-exec nu mai functioneaza - exec dezactivat).
+#       Context: incident expirare wildcard 2026-05-31 (vezi README VM 201).
 DOMAINS=(
    "roa.romfast.ro"
    "dokploy.romfast.ro"
    "gitea.romfast.ro"
    "roa2web.romfast.ro"
+    "efactura.roa.romfast.ro"
 )

 # Site IDs pentru fiecare domeniu (in aceeasi ordine)
-SITE_IDS=(1 2 3 4)
+SITE_IDS=(1 2 3 4 "WILDCARD")

 log() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
@@ -52,6 +59,14 @@ force_renew_certificate() {
    local site_id=$1
    local domain=$2

+    # Wildcard (*.roa) = DNS-01, reinnoit automat de cpanel-acme-dns.ps1 pe VM 201.
+    # Nu incercam auto-renew aici (nu e HTTP-01/siteid si guest-exec e dezactivat) -
+    # doar semnalam ca a expirat ca sa intervina cineva pe VM 201.
+    if ! [[ "$site_id" =~ ^[0-9]+$ ]]; then
+        log "ALERTA: $domain (wildcard *.roa) necesita interventie manuala pe VM 201 - verifica renewal-ul win-acme cu validare cPanel (cpanel-acme-dns.ps1)"
+        return 1
+    fi
+
    log "Fortez reinstalare certificat pentru $domain (Site ID: $site_id)..."

    # Executa pe VM 201 prin Proxmox guest agent