* [pve-devel] [PATCH manager 1/2] fix #6779: pveupdate: renew already expired certificates
@ 2025-09-09 10:04 Fabian Grünbichler
From: Fabian Grünbichler @ 2025-09-09 10:04 UTC (permalink / raw)
To: pve-devel
if nodes are offline for a longer period of time, they might not be renewed by
pveupdate before they expire. the `verify` call here just serves as an
extra safeguard to prevent accidental overwriting of certificates not actually
signed by the cluster CA, checking the expiry time serves no purpose.
Suggested-by: Stephane Chazelas
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
verified by manually creating an expired and a soon-to-be-expired certificate.
bin/pveupdate | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/bin/pveupdate b/bin/pveupdate
index 757cac868..9984c9369 100755
--- a/bin/pveupdate
+++ b/bin/pveupdate
@@ -111,7 +111,10 @@ eval {
# check if cert is really signed by the ca
# TODO: replace by low level ssleay interface if version 1.86 is available
- PVE::Tools::run_command(['/usr/bin/openssl', 'verify', '-CAfile', $capath, $certpath]);
+ my $cmd = [
+ '/usr/bin/openssl', 'verify', '-no_check_time', '-CAfile', $capath, '--', $certpath,
+ ];
+ PVE::Tools::run_command($cmd);
print "PVE certificate $msg\n";
# create new certificate
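Review bot: the commit message should say explicitly that `-no_check_time` only skips the validity-period check; the signature and chain verification against $capath is unchanged, so a certificate not signed by the cluster CA still makes run_command die and the safeguard described in the message is preserved. The `--` inserted before $certpath is a separate, worthwhile hardening (a path starting with `-` can no longer be consumed as an option) and deserves its own sentence in the message, since nothing else in the hunk explains why it appeared.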
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] [PATCH manager 2/2] pveupdate: improve cert renew log messages
@ 2025-09-09 10:04 ` Fabian Grünbichler
From: Fabian Grünbichler @ 2025-09-09 10:04 UTC (permalink / raw)
To: pve-devel
by explicitly checking for already expired certificates and adapting the
message in that case.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
bin/pveupdate | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/bin/pveupdate b/bin/pveupdate
index 9984c9369..c5356c885 100755
--- a/bin/pveupdate
+++ b/bin/pveupdate
@@ -125,7 +125,10 @@ eval {
PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
};
- if (PVE::Certificate::check_expiry($certpath, time() + 14 * 24 * 60 * 60)) {
+ if (PVE::Certificate::check_expiry($certpath)) {
+ # already expired
+ $renew->("expired, renewing...");
+ } elsif (PVE::Certificate::check_expiry($certpath, time() + 14 * 24 * 60 * 60)) {
# expires in next 2 weeks
$renew->("expires soon, renewing...");
} elsif (!PVE::Certificate::check_expiry($certpath, time() + 2 * 365 * 24 * 60 * 60)) {
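Review bot: the new first branch calls PVE::Certificate::check_expiry($certpath) with no deadline, so the "already expired" meaning rests on that function defaulting to the current time; either pass time() explicitly or extend the `# already expired` comment to say so, otherwise the asymmetry with the two calls that do pass a deadline looks accidental. The same certificate is now parsed up to three times in a row by the if/elsif chain; reading its expiry once and comparing against the three thresholds would be simpler and keeps the log messages identical.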
--
2.47.3