From: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH pve-cluster v2 2/3] Convert SSL cert generation config to CLI arguments
Date: Mon, 26 Jan 2026 10:55:46 +0100 [thread overview]
Message-ID: <20260126100534.86882-7-a.bied-charreton@proxmox.com> (raw)
In-Reply-To: <20260126100534.86882-3-a.bied-charreton@proxmox.com>
Replace temporary OpenSSL config file with direct CLI arguments in PVE
node SSL cert generation.
Changes:
- Use '-subj' flag for distinguished name
- Use '-addext' flag for cert extensions
- Use '-copy_extensions copyall' to copy extensions from CSR to cert
- Remove temp config file and cleanup code
As suggested here:
https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t
Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
---
src/PVE/Cluster/Setup.pm | 41 +++++++++-------------------------------
1 file changed, 9 insertions(+), 32 deletions(-)
diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
index 4f528ba..b9cacfd 100644
--- a/src/PVE/Cluster/Setup.pm
+++ b/src/PVE/Cluster/Setup.pm
@@ -504,33 +504,6 @@ sub gen_pve_ssl_cert {
$names .= ",DNS:$fqdn";
}
- my $sslconf = <<__EOD;
-RANDFILE = /root/.rnd
-extensions = v3_req
-
-[ req ]
-default_bits = 2048
-distinguished_name = req_distinguished_name
-req_extensions = v3_req
-prompt = no
-string_mask = nombstr
-
-[ req_distinguished_name ]
-organizationalUnitName = PVE Cluster Node
-organizationName = Proxmox Virtual Environment
-commonName = $fqdn
-
-[ v3_req ]
-basicConstraints = CA:FALSE
-extendedKeyUsage = serverAuth
-subjectAltName = $names
-__EOD
-
- my $cfgfn = "/tmp/pvesslconf-$$.tmp";
- my $fh = IO::File->new($cfgfn, "w");
- print $fh $sslconf;
- close($fh);
-
my $reqfn = "/tmp/pvecertreq-$$.tmp";
unlink $reqfn;
@@ -541,18 +514,23 @@ __EOD
'req',
'-batch',
'-new',
- '-config',
- $cfgfn,
'-key',
$pvessl_key_fn,
'-out',
$reqfn,
+ '-subj',
+ "/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=$fqdn",
+ '-addext',
+ 'basicConstraints=CA:FALSE',
+ '-addext',
+ 'extendedKeyUsage=serverAuth',
+ '-addext',
+ "subjectAltName=$names",
]);
};
if (my $err = $@) {
unlink $reqfn;
- unlink $cfgfn;
die "unable to generate pve certificate request:\n$err";
}
@@ -581,13 +559,12 @@ __EOD
'openssl', 'x509', '-req', '-in', $reqfn, '-days', $daysleft, '-out',
$pvessl_cert_fn,
'-CAkey', $pveca_key_fn, '-CA', $pveca_cert_fn, '-CAserial', $pveca_srl_fn,
- '-extfile', $cfgfn,
+ '-copy_extensions', 'copyall',
]);
};
my $err = $@;
unlink $reqfn or $!{ENOENT} or warn "failed to clean up '$reqfn' - $!";
- unlink $cfgfn or $!{ENOENT} or warn "failed to clean up '$cfgfn' - $!";
die "unable to generate pve ssl certificate:\n$err" if $err;
}
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2026-01-26 10:11 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-26 9:55 [pve-devel] [PATCH pve-cluster v2 0/3] fix #6701: Update PVE cert generation Arthur Bied-Charreton
2026-01-26 9:55 ` [pve-devel] [PATCH pve-cluster v2 1/3] fix #6701: Add keyUsage extension to root CA Arthur Bied-Charreton
2026-01-26 9:55 ` Arthur Bied-Charreton [this message]
2026-01-26 9:55 ` [pve-devel] [PATCH pve-cluster v2 3/3] Create temporary CSR file in /run instead of /tmp Arthur Bied-Charreton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260126100534.86882-7-a.bied-charreton@proxmox.com \
--to=a.bied-charreton@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.