From: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Subject: Re: [PATCH proxmox-acme 2/2] fix #5978: pem parser: relax parsing of chain entries
To: pve-devel@lists.proxmox.com, Thomas Ellmenreich
Date: Mon, 15 Jun 2026 13:34:36 +0200
Message-Id: <1781517444.kty0u965x5.astroid@yuna.none>
In-Reply-To: <20260609131549.104216-3-t.ellmenreich@proxmox.com>
References: <20260609131549.104216-1-t.ellmenreich@proxmox.com> <20260609131549.104216-3-t.ellmenreich@proxmox.com>

On June 9, 2026 3:15 pm, Thomas Ellmenreich wrote:
> Instead of using a custom regex to parse pem chains, now uses
> the pve-common Certificate::check_pem function to do so. This
> now allows for additional text and whitespace in between the
> chain entries.
> 
> Signed-off-by: Thomas Ellmenreich
> ---
>  src/PVE/ACME.pm | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
> index e6fb9c2..ff10c22 100644
> --- a/src/PVE/ACME.pm
> +++ b/src/PVE/ACME.pm
> @@ -530,9 +530,11 @@ sub get_certificate {
>              if !defined($res);
>          }
>  
> -        if ($res =~ /^(-----BEGIN CERTIFICATE-----)(.+)(-----END CERTIFICATE-----)$/s) { # untaint
> -            return $1 . $2 . $3;
> -        }
> +        my $checked = PVE::Certificate::check_pem->($res, no_err => 1);

no_err is actually noerr in PVE::Certificate, so setting it this way has no effect.

but I don't think we need to set it here at all, we can simply do

    return PVE::Certificate::check_pem($res);

it will either die (with a hopefully meaningful error), or return the cleaned up PEM data. if you want to customize the error message, something like

    my $res = eval { ... };
    die "Server reply does not look like a PEM encoded certificate: $@\n" if $@;
    return $res;

would be a common pattern we use in our code. eval {} is similar to try/catch in other languages: if the code in the body dies with a fatal error, it is stored in $@ which can be checked after.

setting noerr is usually reserved for parsing where an error is not fatal. e.g. if we wanted to parse the data here with multiple possible labels, we might set noerr for each attempt and only die with an error if we find no label.

> +        if (defined $checked) {
> +            return $checked;
> +        } 

nit: the last line here has trailing whitespace (you can configure your editor or git to make this more obvious, e.g. mark it as red)

> +
>          die "Server reply does not look like a PEM encoded certificate\n";
>      };
>      $self->fatal("POST of '$order->{certificate}' failed - $@", $r) if $@;
> -- 
> 2.47.3
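Review bot: `PVE::Certificate::check_pem->($res, no_err => 1)` in the added line uses the arrow (code-reference) call syntax on a bareword function name, so it is not a direct call of check_pem with `$res` as its argument; the plain form `PVE::Certificate::check_pem($res)` that the reply suggests is what is intended. The `# untaint` comment on the removed regex also records that the old match was the untainting step for the server reply, so the replacement now depends on check_pem returning cleaned data rather than the raw `$res`; that is worth stating in the commit message. And because `no_err` is not the option key the function recognises, check_pem dies on bad input inside the enclosing eval and the `if (defined $checked)` fallback with its own "Server reply does not look like a PEM encoded certificate" die is never reached; the eval/die pattern in the reply keeps the custom message reachable.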
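The three ideas in the reply, a tolerant chain parser, a noerr-style multi-label attempt that only dies when nothing matches, and the eval/die wrapper with a custom message, as one added Perl example. This is not proxmox-acme or pve-common code: check_pem_block is a hypothetical stand-in for PVE::Certificate::check_pem, the labels and the PEM bodies are constructed, and the option-key check that rejects a typo such as no_err is an addition of this example.

```perl
use strict;
use warnings;

# Hypothetical stand-in for PVE::Certificate::check_pem (not the real API).
# Returns every "-----BEGIN <label>-----" block in $data joined together,
# ignoring text or whitespace between chain entries. Dies on no match,
# unless noerr => 1 is given, in which case it returns undef.
sub check_pem_block {
    my ($data, $label, %opts) = @_;
    # Reject unknown option keys so a typo like no_err => 1 is caught
    # instead of silently falling back to fatal behaviour.
    my %known = (noerr => 1);
    die "unknown option '$_'\n" for grep { !$known{$_} } sort keys %opts;

    my @blocks = $data =~ m{(-----BEGIN \Q$label\E-----\n[A-Za-z0-9+/=\n]+?-----END \Q$label\E-----)}g;
    if (!@blocks) {
        return undef if $opts{noerr};
        die "no '$label' PEM block found\n";
    }
    return join("\n", @blocks) . "\n";
}

# noerr per attempt, one fatal error only if no label matched at all.
sub parse_any_label {
    my ($data, @labels) = @_;
    for my $label (@labels) {
        my $pem = check_pem_block($data, $label, noerr => 1);
        return $pem if defined $pem;
    }
    die "found none of: " . join(', ', @labels) . "\n";
}

# eval {} as try/catch: keep the underlying error in $@, prefix our own text.
sub certificate_from_reply {
    my ($reply) = @_;
    my $pem = eval { parse_any_label($reply, 'CERTIFICATE', 'TRUSTED CERTIFICATE') };
    die "Server reply does not look like a PEM encoded certificate: $@" if $@;
    return $pem;
}

# Constructed sample reply: two chain entries with commentary in between
# (the bodies are placeholders, not real certificates).
my $reply = "subject=CN=leaf (constructed sample)\n"
    . "-----BEGIN CERTIFICATE-----\nMIIBAAAA\n-----END CERTIFICATE-----\n"
    . "issuer chain follows\n"
    . "-----BEGIN CERTIFICATE-----\nMIIBBBBB\n-----END CERTIFICATE-----\n";
print certificate_from_reply($reply);

# The typo from the patch is now a loud failure instead of a silent no-op.
eval { check_pem_block($reply, 'CERTIFICATE', no_err => 1) };
print "rejected typo: $@";
```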