From: Arthur Bied-Charreton
To: pve-devel@lists.proxmox.com
Date: Mon, 26 Jan 2026 10:55:46 +0100
Message-ID: <20260126100534.86882-7-a.bied-charreton@proxmox.com>
X-Mailer: git-send-email 2.47.3
In-Reply-To: <20260126100534.86882-3-a.bied-charreton@proxmox.com>
References: <20260126100534.86882-3-a.bied-charreton@proxmox.com>
Subject: [pve-devel] [PATCH pve-cluster v2 2/3] Convert SSL cert generation config to CLI arguments

Replace temporary OpenSSL config file with direct CLI arguments in PVE node SSL cert generation.

Changes:
- Use '-subj' flag for distinguished name
- Use '-addext' flag for cert extensions
- Use '-copy_extensions copyall' to copy extensions from CSR to cert
- Remove temp config file and cleanup code

As suggested here: https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t

Suggested-by: Stoiko Ivanov
Signed-off-by: Arthur Bied-Charreton
---
 src/PVE/Cluster/Setup.pm | 41 +++++++++------------------------------
 1 file changed, 9 insertions(+), 32 deletions(-)

diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
index 4f528ba..b9cacfd 100644
--- a/src/PVE/Cluster/Setup.pm
+++ b/src/PVE/Cluster/Setup.pm
@@ -504,33 +504,6 @@ sub gen_pve_ssl_cert { $names .= ",DNS:$fqdn"; } - my $sslconf = <<__EOD; -RANDFILE = /root/.rnd -extensions = v3_req - -[ req ] -default_bits = 2048 -distinguished_name = req_distinguished_name -req_extensions = v3_req -prompt = no -string_mask = nombstr - -[ req_distinguished_name ] -organizationalUnitName = PVE Cluster Node -organizationName = Proxmox Virtual Environment -commonName = $fqdn - -[ v3_req ] -basicConstraints = CA:FALSE -extendedKeyUsage = serverAuth -subjectAltName = $names -__EOD - - my $cfgfn = "/tmp/pvesslconf-$$.tmp"; - my $fh = IO::File->new($cfgfn, "w"); - print $fh $sslconf; - close($fh); - my $reqfn = "/tmp/pvecertreq-$$.tmp"; unlink $reqfn; @@ -541,18 +514,23 @@ __EOD 'req', '-batch', '-new', - '-config', - $cfgfn, '-key', $pvessl_key_fn, '-out', $reqfn, + '-subj', + "/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=$fqdn", + '-addext', + 'basicConstraints=CA:FALSE', + '-addext', + 'extendedKeyUsage=serverAuth', + '-addext', + "subjectAltName=$names", ]); }; if (my $err = $@) { unlink $reqfn; - unlink $cfgfn; die "unable to generate pve certificate request:\n$err"; } @@ -581,13 +559,12 @@ __EOD 'openssl', 'x509', '-req', '-in', $reqfn, '-days', $daysleft, '-out', $pvessl_cert_fn, '-CAkey', $pveca_key_fn, '-CA', $pveca_cert_fn, '-CAserial', $pveca_srl_fn, - '-extfile', $cfgfn, + '-copy_extensions', 'copyall', ]); }; my $err = $@; unlink $reqfn or $!{ENOENT} or warn "failed to clean up '$reqfn' - $!"; - unlink $cfgfn or $!{ENOENT} or warn "failed to clean up '$cfgfn' - $!"; die "unable to generate pve ssl certificate:\n$err" if $err; } -- 2.47.3 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
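Review bot: in the first hunk (@@ -504,33 +504,6 @@), dropping `string_mask = nombstr` together with the config file is a behavioural change the commit message should mention. The old config restricted DN attributes to PrintableString/T61String; with `-subj` the OpenSSL default mask applies, which is utf8only since 1.1.0, so CN/O/OU in newly generated certificates are encoded as UTF8String. That is harmless for ASCII hostnames, but anything comparing raw DER subjects against certificates issued before this change sees different bytes. `RANDFILE` and `default_bits` are safe to lose, since the key is supplied via `-key` and no key is generated here.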
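Review bot: in the second hunk (@@ -541,18 +514,23 @@), the `-subj` value uses `/` as the RDN separator and `=` inside each RDN, so a `$fqdn` containing either character would need backslash escaping, and the same holds for the entries interpolated into `"subjectAltName=$names"`. Hostnames cannot contain those characters, so this is fine as long as `$fqdn` keeps coming from the node's hostname, but a one-line comment above `'-subj',` stating that assumption would save the next reader from re-deriving it. `-addext` also requires OpenSSL 1.1.1 or newer; that is met by every supported release, but it belongs in the commit message alongside the other requirement this series introduces.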
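Review bot: in the third hunk (@@ -581,13 +559,12 @@), `openssl x509 -copy_extensions` only exists in OpenSSL 3.0 and later, so this line raises the minimum OpenSSL version the code depends on; the diff only touches Setup.pm and the commit message does not mention it, so please state it in the message and, if pve-cluster does not already depend on an OpenSSL >= 3.0, bump the packaging dependency in the same series. Note also that this inverts where the extensions are trusted from: with `-extfile $cfgfn` the signer dictated the extensions and anything in the CSR was ignored, whereas `'-copy_extensions', 'copyall'` takes whatever the CSR asks for. That is acceptable here because the CSR is produced by this same function a few lines earlier from controlled inputs, but gen_pve_ssl_cert() must not later be reused to sign an externally supplied request without revisiting this line, and a short comment saying so would be worthwhile.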