From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
Cc: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-cluster v2 0/3] fix #6701: Update PVE cert generation
Date: Fri, 6 Feb 2026 12:35:41 +0100 [thread overview]
Message-ID: <20260206123541.2f8d6d2a@rosa.proxmox.com> (raw)
In-Reply-To: <20260126100534.86882-3-a.bied-charreton@proxmox.com>
Thanks for the quick iteration on this!
Changes look good to me - and I consider them an improvement to before.
Tested this quickly by:
1) removing pve-root-ca (key and cert), the node's pve-ssl (key and cert)
2) running `pvecm updatecerts --force`
3) installing pve-cluster packages with your patches applied
4) recreating the certificate (point 1+2) again
5) vimdiffing old and new files - changes look sensible (apart from the
uuid, only the added keyUsage extension)
6) running the test-script from your commit-message after restarting
pveproxy
did not read/recheck everything in RFC 5280 though.
consider this series
Reviewed-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Tested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
On Mon, 26 Jan 2026 10:55:42 +0100
Arthur Bied-Charreton <a.bied-charreton@proxmox.com> wrote:
> The main fix (1/3) adds the keyUsage extension to PVE's root CA, which
> is required by RFC 5280.
>
> {2,3}/3 address review feedback [1] by eliminating temporary config
> files and moving temp file creation from /tmp to /run to prevent symlink
> races.
>
> More details in the commit messages.
>
> [1]
> https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t
>
> Arthur Bied-Charreton (3):
> fix #6701: Add keyUsage extension to root CA
> Convert SSL cert generation config to CLI arguments
> Create temporary CSR file in /run instead of /tmp
>
> src/PVE/Cluster/Setup.pm | 45 +++++++++++-----------------------------
> 1 file changed, 12 insertions(+), 33 deletions(-)
>
prev parent reply other threads:[~2026-02-06 11:35 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-26 9:55 Arthur Bied-Charreton
2026-01-26 9:55 ` [pve-devel] [PATCH pve-cluster v2 1/3] fix #6701: Add keyUsage extension to root CA Arthur Bied-Charreton
2026-01-26 9:55 ` [pve-devel] [PATCH pve-cluster v2 2/3] Convert SSL cert generation config to CLI arguments Arthur Bied-Charreton
2026-01-26 9:55 ` [pve-devel] [PATCH pve-cluster v2 3/3] Create temporary CSR file in /run instead of /tmp Arthur Bied-Charreton
2026-02-06 11:35 ` Stoiko Ivanov [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260206123541.2f8d6d2a@rosa.proxmox.com \
--to=s.ivanov@proxmox.com \
--cc=a.bied-charreton@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.