Let's Encrypt validation workflow for apps #7669

@DavidePrincipi

Description

Starting from version 4.1.0, the Traefik module extends the set-route action with Let's Encrypt certificate request validation and introduces a new set-certificate action implementation with a lets_encrypt:true/false parameter.

The behavior of existing actions remains unchanged. However, applications must comply with the new UX requirements: they must inform the cluster-admin user of failures and display a Traefik restart warning, as illustrated in the UI mockup.

Proposed solution

Implement the UI mockup for the following applications (from the Default repository).

For set-certificate:

  • NethVoice Proxy
  • Mail
  • Ejabberd

For set-route:

  • NethVoice
  • Kickstart
  • NethSecurity-Controller
  • Webtop
  • Nextcloud
  • Mattermost
  • Minio
  • Piler
  • Roundcubemail

Summary of Backend changes:

  1. Call set-route with lets_encrypt_check:true to enable the validation error newcert_acme_error.
  2. Call set-route with lets_encrypt_cleanup:true to trigger a Traefik restart. The UI must display the restart warning.
  3. Call set-certificate set-default-certificate. No flag is required to enable the newcert_acme_error validation.

Note for automatic actions

The import-module, clone-module, and restore-module actions must generally act like the Let's Encrypt toggle is off, because the UI generally does not implement the certificate validation during the related workflows (migration, clone/move, restoration).
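The flag selection summarized above and the rule for automatic actions, as an added example that is not part of the original issue or of the NS8 code base. The `instance` and `host` fields, the shape of the validation error list, and sending `lets_encrypt_cleanup` when the toggle goes from on to off are assumptions; sample values are constructed.

```python
# Added example, not NS8 code. Only lets_encrypt, lets_encrypt_check,
# lets_encrypt_cleanup and newcert_acme_error come from the issue text.
AUTOMATIC_ACTIONS = {"import-module", "clone-module", "restore-module"}


def build_set_route_request(instance, host, want_le, had_le, caller_action):
    """Build the set-route payload an app backend would send to Traefik."""
    request = {"instance": instance, "host": host, "lets_encrypt": False}
    if caller_action in AUTOMATIC_ACTIONS:
        # Migration, clone/move and restore have no UI that could show a
        # validation failure, so they act as if the toggle were off.
        return request
    request["lets_encrypt"] = bool(want_le)
    if want_le:
        # Enables the newcert_acme_error validation error.
        request["lets_encrypt_check"] = True
    elif had_le:
        # Assumption: cleanup is requested when the toggle goes on -> off.
        # It triggers a Traefik restart, so the UI must warn about it.
        request["lets_encrypt_cleanup"] = True
    return request


def ui_feedback(request, validation_errors):
    """Decide what the cluster-admin must be shown for this request."""
    acme_failed = any(
        err.get("error") == "newcert_acme_error" for err in validation_errors
    )
    return {
        "show_acme_error": acme_failed,
        "show_restart_warning": bool(request.get("lets_encrypt_cleanup")),
    }


if __name__ == "__main__":
    # Constructed sample: admin enables Let's Encrypt, validation fails.
    req = build_set_route_request(
        "myapp1", "app.example.org", True, False, "configure-module"
    )
    errors = [{"field": "lets_encrypt", "error": "newcert_acme_error"}]
    print(req, ui_feedback(req, errors))
```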

    Labels

    verified: All test cases were verified successfully

    Projects

    Status

    Done
