[pve-devel] [PATCH pve-cluster] fix #6701: Add keyUsage extension to root CA

[pve-devel] [PATCH pve-cluster] fix #6701: Add keyUsage extension to root CA

[Arthur Bied-Charreton]

Add the keyUsage[1] extension to the PVE root CA to comply with RFC
5280. Python started to enforce this as of 3.13 by defaulting to using the 
VERIFY_X509_STRICT flag, which breaks clients like Ansible.

The authorityKeyIdentifier[2] and subjectKeyIdentifier[3] extensions are
not strictly required for fixing this issue, however RFC 5280 mandates
them for conforming CAs, so adding them makes sense as well.

[1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
[2] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1
[3] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.2

Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
---
This fix is not required for PBS and PDM, since they only use self-signed
certificates.

You can run the script below to test the changes, should fail with
"CA cert does not include key usage extension" before applying the patch,
and succeed afterwards. 

```
#!/usr/bin/env python3

import socket
import ssl
import sys

try:
    context = ssl.create_default_context(cafile="/etc/pve/pve-root-ca.pem")
    context.check_hostname = True
    context.verify_mode = ssl.CERT_REQUIRED

    with socket.create_connection(("localhost", 8006), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname="localhost") as ssock:
            print(f"success")

except ssl.SSLCertVerificationError as e:
    print(e)
```
    
 src/PVE/Cluster/Setup.pm | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
index 75d3507..d95a278 100644
--- a/src/PVE/Cluster/Setup.pm
+++ b/src/PVE/Cluster/Setup.pm
@@ -426,6 +426,25 @@ sub gen_pveca_cert {
     my $uuid_str;
     UUID::unparse($uuid, $uuid_str);
 
+    my $sslconf = <<__EOD;
+[req]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+
+[ v3_ca ]
+basicConstraints = critical,CA:TRUE
+keyUsage = critical,keyCertSign,cRLSign
+authorityKeyIdentifier = keyid:always,issuer
+subjectKeyIdentifier = hash
+__EOD
+
+    my $cfgfn = "/tmp/pvesslconf-$$.tmp";
+    my $fh = IO::File->new($cfgfn, "w");
+    print $fh $sslconf;
+    close($fh);
+
     eval {
         # wrap openssl with faketime to prevent bug #904
         run_silent_cmd([
@@ -439,6 +458,8 @@ sub gen_pveca_cert {
             '-new',
             '-x509',
             '-nodes',
+            '-config',
+            $cfgfn,
             '-key',
             $pveca_key_fn,
             '-out',
@@ -448,6 +469,8 @@ sub gen_pveca_cert {
         ]);
     };
 
+    unlink $cfgfn;
+
     die "generating pve root certificate failed:\n$@" if $@;
 
     return 1;
-- 
2.47.3


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH pve-cluster] fix #6701: Add keyUsage extension to root CA

[Stoiko Ivanov]

Thanks for tackling this and looking into certificate generation!

two suggestions/comments inline:

On Thu, 22 Jan 2026 11:55:16 +0100
Arthur Bied-Charreton <a.bied-charreton@proxmox.com> wrote:

> Add the keyUsage[1] extension to the PVE root CA to comply with RFC
> 5280. Python started to enforce this as of 3.13 by defaulting to using the 
> VERIFY_X509_STRICT flag, which breaks clients like Ansible.
> 
> The authorityKeyIdentifier[2] and subjectKeyIdentifier[3] extensions are
> not strictly required for fixing this issue, however RFC 5280 mandates
> them for conforming CAs, so adding them makes sense as well.
> 
> [1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
> [2] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1
> [3] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.2
> 
> Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
> ---
> This fix is not required for PBS and PDM, since they only use self-signed
> certificates.
mentioning this here provides helpful information - thanks!
(PMG also does not create a CA - so should not be affected either (without
checking explicitly))

> 
> You can run the script below to test the changes, should fail with
> "CA cert does not include key usage extension" before applying the patch,
> and succeed afterwards. 
> 
> ```
> #!/usr/bin/env python3
> 
> import socket
> import ssl
> import sys
> 
> try:
>     context = ssl.create_default_context(cafile="/etc/pve/pve-root-ca.pem")
>     context.check_hostname = True
>     context.verify_mode = ssl.CERT_REQUIRED
> 
>     with socket.create_connection(("localhost", 8006), timeout=10) as sock:
>         with context.wrap_socket(sock, server_hostname="localhost") as ssock:
>             print(f"success")
> 
> except ssl.SSLCertVerificationError as e:
>     print(e)
> ```
thanks for the short script - helped a lot in seeing what's needed, and
verifying the results.
I'd argue that this could even be part of the commit message (more likely
to be found again in the future. (best-case would if there's something
shorter to achieve the same result).

>     
>  src/PVE/Cluster/Setup.pm | 23 +++++++++++++++++++++++
>  1 file changed, 23 insertions(+)
> 
> diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
> index 75d3507..d95a278 100644
> --- a/src/PVE/Cluster/Setup.pm
> +++ b/src/PVE/Cluster/Setup.pm
> @@ -426,6 +426,25 @@ sub gen_pveca_cert {
>      my $uuid_str;
>      UUID::unparse($uuid, $uuid_str);
>  
> +    my $sslconf = <<__EOD;
> +[req]
> +distinguished_name = req_distinguished_name
> +x509_extensions = v3_ca
> +
> +[ req_distinguished_name ]
> +
> +[ v3_ca ]
> +basicConstraints = critical,CA:TRUE
> +keyUsage = critical,keyCertSign,cRLSign
> +authorityKeyIdentifier = keyid:always,issuer
> +subjectKeyIdentifier = hash

newer versions of openssl finally have a way of adding extensions without
the need to edit the openssl config, or providing overrides in temporary
files (or via bash `<(printf...` redirects.
(noticed this a while ago when again searching how to add a SAN to a
self-signed certificate.

Based on /etc/ssl/openssl.cnf on a PVE9 node replacing the config file, by
`-addext 'keyUsage=critical,keyCertSign,cRLSign'` on the openssl
command-line should be enough (and yields `success` with your script from
above on a test-machine)


> +__EOD
> +
> +    my $cfgfn = "/tmp/pvesslconf-$$.tmp";
I would consider generating temporary files in /run, or any other
directory that is not world-writable. I think there's a number of issues
which were caused by potential symlink-races in /tmp.

alternatively/additionally - opening with O_CREAT | O_EXCL (see `man 2
open`) might help with the potential for races.
pve-common/src/PVE/File.pm has `file_set_contents` which looks like it
does the right thing.

As you said off-list that this is based on other similar code in
pve-cluster - switching those sites too might be a nice additional
improvement - though not strictly tied to this patch.

A quick look through PVE::Cluster::Setup makes me think that
probably most of the temporary config-file additions could also be
replaced by one or two `-addext` command-line parameters and a fitting
`-subj` (this can contain `organizationName` (as O=) and
`organizationalUnitName` (as OU=) I think)


> +    my $fh = IO::File->new($cfgfn, "w");
> +    print $fh $sslconf;
> +    close($fh);
> +
>      eval {
>          # wrap openssl with faketime to prevent bug #904
>          run_silent_cmd([
> @@ -439,6 +458,8 @@ sub gen_pveca_cert {
>              '-new',
>              '-x509',
>              '-nodes',
> +            '-config',
> +            $cfgfn,
>              '-key',
>              $pveca_key_fn,
>              '-out',
> @@ -448,6 +469,8 @@ sub gen_pveca_cert {
>          ]);
>      };
>  
> +    unlink $cfgfn;
> +
>      die "generating pve root certificate failed:\n$@" if $@;
>  
>      return 1;



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel