From: Stoiko Ivanov
To: Arthur Bied-Charreton
Cc: Proxmox VE development discussion
Date: Fri, 23 Jan 2026 19:53:00 +0100
Subject: Re: [pve-devel] [PATCH pve-cluster] fix #6701: Add keyUsage extension to root CA
Message-ID: <20260123195300.0ae7fcc9@rosa.proxmox.com>
In-Reply-To: <20260122105516.135778-1-a.bied-charreton@proxmox.com>

Thanks for tackling this and looking into certificate generation!
Two suggestions/comments inline:

On Thu, 22 Jan 2026 11:55:16 +0100 Arthur Bied-Charreton wrote:

> Add the keyUsage[1] extension to the PVE root CA to comply with RFC
> 5280. Python started to enforce this as of 3.13 by defaulting to using the
> VERIFY_X509_STRICT flag, which breaks clients like Ansible.
>
> The authorityKeyIdentifier[2] and subjectKeyIdentifier[3] extensions are
> not strictly required for fixing this issue, however RFC 5280 mandates
> them for conforming CAs, so adding them makes sense as well.
>
> [1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
> [2] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1
> [3] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.2
>
> Signed-off-by: Arthur Bied-Charreton
> ---
> This fix is not required for PBS and PDM, since they only use self-signed
> certificates.

Mentioning this here provides helpful information - thanks!
(PMG also does not create a CA - so should not be affected either (without
checking explicitly).)

> You can run the script below to test the changes, should fail with
> "CA cert does not include key usage extension" before applying the patch,
> and succeed afterwards.
>
> ```
> #!/usr/bin/env python3
>
> import socket
> import ssl
> import sys
>
> try:
>     context = ssl.create_default_context(cafile="/etc/pve/pve-root-ca.pem")
>     context.check_hostname = True
>     context.verify_mode = ssl.CERT_REQUIRED
>
>     with socket.create_connection(("localhost", 8006), timeout=10) as sock:
>         with context.wrap_socket(sock, server_hostname="localhost") as ssock:
>             print("success")
>
> except ssl.SSLCertVerificationError as e:
>     print(e)
> ```

Thanks for the short script - helped a lot in seeing what's needed, and
verifying the results. I'd argue that this could even be part of the commit
message (more likely to be found again in the future). (Best case would be
if there's something shorter to achieve the same result.)

> src/PVE/Cluster/Setup.pm | 23 +++++++++++++++++++++++
> 1 file changed, 23 insertions(+)
>
> diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
> index 75d3507..d95a278 100644
> --- a/src/PVE/Cluster/Setup.pm
> +++ b/src/PVE/Cluster/Setup.pm
> @@ -426,6 +426,25 @@ sub gen_pveca_cert {
> my $uuid_str;
> UUID::unparse($uuid, $uuid_str);
>
> + my $sslconf = <<__EOD;
> +[req]
> +distinguished_name = req_distinguished_name
> +x509_extensions = v3_ca
> +
> +[ req_distinguished_name ]
> +
> +[ v3_ca ]
> +basicConstraints = critical,CA:TRUE
> +keyUsage = critical,keyCertSign,cRLSign
> +authorityKeyIdentifier = keyid:always,issuer
> +subjectKeyIdentifier = hash

Newer versions of openssl finally have a way of adding extensions without the
need to edit the openssl config, or providing overrides in temporary files (or
via bash `<(printf...` redirects). (Noticed this a while ago when again
searching how to add a SAN to a self-signed certificate.)
Based on /etc/ssl/openssl.cnf on a PVE9 node, replacing the config file by
`-addext 'keyUsage=critical,keyCertSign,cRLSign'` on the openssl command-line
should be enough (and yields `success` with your script from above on a
test-machine).

> +__EOD
> +
> + my $cfgfn = "/tmp/pvesslconf-$$.tmp";

I would consider generating temporary files in /run, or any other directory
that is not world-writable. I think there's a number of issues which were
caused by potential symlink-races in /tmp.
Alternatively/additionally - opening with O_CREAT | O_EXCL (see `man 2 open`)
might help with the potential for races.
pve-common/src/PVE/File.pm has `file_set_contents` which looks like it does
the right thing.

As you said off-list that this is based on other similar code in pve-cluster -
switching those sites too might be a nice additional improvement - though not
strictly tied to this patch.

A quick look through PVE::Cluster::Setup makes me think that probably most of
the temporary config-file additions could also be replaced by one or two
`-addext` command-line parameters and a fitting `-subj` (this can contain
`organizationName` (as O=) and `organizationalUnitName` (as OU=) I think).

> + my $fh = IO::File->new($cfgfn, "w");
> + print $fh $sslconf;
> + close($fh);
> +
> eval {
> # wrap openssl with faketime to prevent bug #904
> run_silent_cmd([
> @@ -439,6 +458,8 @@ sub gen_pveca_cert {
> '-new',
> '-x509',
> '-nodes',
> + '-config',
> + $cfgfn,
> '-key',
> $pveca_key_fn,
> '-out',
> @@ -448,6 +469,8 @@ sub gen_pveca_cert {
> ]);
> };
>
> + unlink $cfgfn;
> +
> die "generating pve root certificate failed:\n$@" if $@;
>
> return 1;

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
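Review bot: in the first hunk (`@@ -426,6 +426,25 @@`), `my $cfgfn = "/tmp/pvesslconf-$$.tmp"` followed by `IO::File->new($cfgfn, "w")` creates a file with a predictable name in a world-writable directory and opens it with plain create/truncate, which follows a symlink planted under that name beforehand; the return value of `IO::File->new` is also never checked, so a failed open only surfaces at the following `print $fh $sslconf`, outside the `eval`, with an unrelated error message. Suggest creating the file with `File::Temp` (which opens with O_CREAT|O_EXCL and can unlink on scope exit) or the `file_set_contents` helper mentioned above, and dying explicitly when the open fails.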
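Review bot: in the second hunk (`@@ -439,6 +458,8 @@`), `'-config', $cfgfn` replaces the system openssl.cnf for this `req` invocation rather than extending it, so nothing the default config used to contribute applies any more and every extension the CA needs must now live in `$sslconf`; the `[ req_distinguished_name ]` section in that file is empty, which only works as long as the subject keeps being supplied on the command line. If the goal is just the missing keyUsage, `-addext 'keyUsage=critical,keyCertSign,cRLSign'` keeps the base config and avoids the temporary file altogether.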
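Review bot: in the third hunk (`@@ -448,6 +469,8 @@`), `unlink $cfgfn;` sits after the `eval`, so it runs on both the success and the failure path, which is right; it is not reached, however, if the process dies between creating the file and this line (the unchecked open in the first hunk is one such path), and the unlink's own return value is ignored. A `File::Temp` object with `UNLINK => 1` would cover both cases without extra code here.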