* [pve-devel] [PATCH pve-cluster v2 0/3] fix #6701: Update PVE cert generation
From: Arthur Bied-Charreton @ 2026-01-26 9:55 UTC
To: pve-devel
The main fix (1/3) adds the keyUsage extension to PVE's root CA, which
is required by RFC 5280.
{2,3}/3 address review feedback [1] by eliminating temporary config
files and moving temp file creation from /tmp to /run to prevent symlink
races.
More details in the commit messages.
[1] https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t
Arthur Bied-Charreton (3):
fix #6701: Add keyUsage extension to root CA
Convert SSL cert generation config to CLI arguments
Create temporary CSR file in /run instead of /tmp
src/PVE/Cluster/Setup.pm | 45 +++++++++++-----------------------------
1 file changed, 12 insertions(+), 33 deletions(-)
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] [PATCH pve-cluster v2 1/3] fix #6701: Add keyUsage extension to root CA
From: Arthur Bied-Charreton @ 2026-01-26 9:55 UTC
To: pve-devel

Add the keyUsage[1] extension to the PVE root CA to comply with RFC 5280,
which Python decided to enforce as of 3.13 by adding the VERIFY_X509_STRICT
flag, which breaks some clients like Ansible.

The authorityKeyIdentifier[2] and subjectKeyIdentifier[3] extensions are
required by RFC 5280 as well; however, OpenSSL adds them in by default based
on /etc/ssl/openssl.cnf, so there is no need for explicitly passing them.

Test script:

```python
import socket, ssl
ctx = ssl.create_default_context(cafile="/etc/pve/pve-root-ca.pem")
ctx.wrap_socket(socket.create_connection(("localhost", 8006)), server_hostname="localhost")
print("success")
```

[1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
[2] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1
[3] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.2

Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
---
 src/PVE/Cluster/Setup.pm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
index 75d3507..4f528ba 100644
--- a/src/PVE/Cluster/Setup.pm
+++ b/src/PVE/Cluster/Setup.pm
@@ -439,6 +439,8 @@ sub gen_pveca_cert { '-new', '-x509', '-nodes', + '-addext', + 'keyUsage=critical,keyCertSign,cRLSign', '-key', $pveca_key_fn, '-out',
--
2.47.3
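Review bot: the `-addext 'keyUsage=critical,keyCertSign,cRLSign'` added here pins keyUsage in the command itself, but subjectKeyIdentifier and authorityKeyIdentifier, which the commit message also names as RFC 5280 requirements, are left to defaults that live outside this file (the commit message points at /etc/ssl/openssl.cnf). Consider passing them the same way, e.g. `-addext 'subjectKeyIdentifier=hash'` plus its authorityKeyIdentifier counterpart, so the root CA profile does not depend on the distro config, or at least state in the commit message that conformance relies on that file. One more sentence for the commit message: this only affects CAs generated after the change, so an existing pve-root-ca.pem without keyUsage has to be regenerated before the Python 3.13 VERIFY_X509_STRICT failure goes away.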
* [pve-devel] [PATCH pve-cluster v2 2/3] Convert SSL cert generation config to CLI arguments
From: Arthur Bied-Charreton @ 2026-01-26 9:55 UTC
To: pve-devel

Replace temporary OpenSSL config file with direct CLI arguments in PVE node
SSL cert generation.

Changes:
- Use '-subj' flag for distinguished name
- Use '-addext' flag for cert extensions
- Use '-copy_extensions copyall' to copy extensions from CSR to cert
- Remove temp config file and cleanup code

As suggested here:
https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t

Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
---
 src/PVE/Cluster/Setup.pm | 41 +++++++++------------------------------
 1 file changed, 9 insertions(+), 32 deletions(-)

diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
index 4f528ba..b9cacfd 100644
--- a/src/PVE/Cluster/Setup.pm
+++ b/src/PVE/Cluster/Setup.pm
@@ -504,33 +504,6 @@ sub gen_pve_ssl_cert { $names .= ",DNS:$fqdn"; } - my $sslconf = <<__EOD; -RANDFILE = /root/.rnd -extensions = v3_req - -[ req ] -default_bits = 2048 -distinguished_name = req_distinguished_name -req_extensions = v3_req -prompt = no -string_mask = nombstr - -[ req_distinguished_name ] -organizationalUnitName = PVE Cluster Node -organizationName = Proxmox Virtual Environment -commonName = $fqdn - -[ v3_req ] -basicConstraints = CA:FALSE -extendedKeyUsage = serverAuth -subjectAltName = $names -__EOD - - my $cfgfn = "/tmp/pvesslconf-$$.tmp"; - my $fh = IO::File->new($cfgfn, "w"); - print $fh $sslconf; - close($fh); - my $reqfn = "/tmp/pvecertreq-$$.tmp"; unlink $reqfn; @@ -541,18 +514,23 @@ __EOD 'req', '-batch', '-new', - '-config', - $cfgfn, '-key', $pvessl_key_fn, '-out', $reqfn, + '-subj', + "/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=$fqdn", + '-addext', + 'basicConstraints=CA:FALSE', + '-addext', + 'extendedKeyUsage=serverAuth', + '-addext', + "subjectAltName=$names", ]); }; if (my $err = $@) { unlink $reqfn; - unlink $cfgfn; die "unable to generate pve certificate request:\n$err"; } @@ -581,13 +559,12 @@ __EOD 'openssl', 'x509', '-req', '-in', $reqfn, '-days', $daysleft, '-out', $pvessl_cert_fn, '-CAkey', $pveca_key_fn, '-CA', $pveca_cert_fn, '-CAserial', $pveca_srl_fn, - '-extfile', $cfgfn, + '-copy_extensions', 'copyall', ]); }; my $err = $@; unlink $reqfn or $!{ENOENT} or warn "failed to clean up '$reqfn' - $!"; - unlink $cfgfn or $!{ENOENT} or warn "failed to clean up '$cfgfn' - $!"; die "unable to generate pve ssl certificate:\n$err" if $err; }
--
2.47.3
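Review bot: the heredoc removed in the first hunk (`@@ -504,33`) carried two settings that have no counterpart on the new command line, `default_bits = 2048` and `string_mask = nombstr`. Dropping `default_bits` changes nothing, because the key is supplied with `-key $pvessl_key_fn` rather than generated here, and dropping `string_mask` only moves DN string encoding to OpenSSL's default, which is a no-op for the ASCII values used; both are worth one sentence in the commit message, since "Remove temp config file and cleanup code" reads as if nothing else changed.

Review bot: in the second hunk (`@@ -541,18`), `"/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=$fqdn"` builds the `-subj` value by interpolation, so a `/` inside `$fqdn` would be read as a field separator rather than as part of the CN (and `+` as a multi-valued RDN separator). A hostname cannot legally contain either, but nothing in this function checks it; a short comment, or a `die` on an unexpected character, keeps that assumption visible. `-addext` also requires OpenSSL 1.1.1 or newer, which the commit message could state as the minimum version.

Review bot: `-copy_extensions copyall` in the third hunk (`@@ -581,13`) makes `openssl x509 -req` take every extension from the CSR, so the CSR is now the sole source of basicConstraints, extendedKeyUsage and subjectAltName. That is safe only because the CSR is produced a few lines earlier by this same function with a fixed extension set; if the request source were ever changed to anything outside this process, copyall would let the requester choose its own extensions. A one-line comment next to `'-copy_extensions', 'copyall',` documenting that coupling would stop a later refactor from breaking it silently. Note too that `-copy_extensions` on the `x509` subcommand only exists from OpenSSL 3.0, a stricter floor than the `-addext` in the previous hunk.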
* [pve-devel] [PATCH pve-cluster v2 3/3] Create temporary CSR file in /run instead of /tmp
From: Arthur Bied-Charreton @ 2026-01-26 9:55 UTC
To: pve-devel

Creating temp files in a world-writable directory such as /tmp could expose
the config generation to symlink races. Use /run directory instead.

As suggested here:
https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t

Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
---
 src/PVE/Cluster/Setup.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
index b9cacfd..5ed85ad 100644
--- a/src/PVE/Cluster/Setup.pm
+++ b/src/PVE/Cluster/Setup.pm
@@ -504,7 +504,7 @@ sub gen_pve_ssl_cert { $names .= ",DNS:$fqdn"; } - my $reqfn = "/tmp/pvecertreq-$$.tmp"; + my $reqfn = "/run/pvecertreq-$$.tmp"; unlink $reqfn; my $pvessl_key_fn = "$pmxcfs_base_dir/nodes/$nodename/pve-ssl.key";
--
2.47.3
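Review bot: moving `$reqfn` to `/run/pvecertreq-$$.tmp` removes the symlink race the commit message describes, because /run is a root-owned tmpfs that unprivileged users cannot write to, whereas /tmp is world-writable. The name is still predictable (pid-based) and the file lands directly in the top level of /run, so any later change that runs this code with lower privileges or in a shared namespace would reopen the question. Using File::Temp's `tempfile()` with `DIR => '/run'` and `UNLINK => 1` would give an unpredictable, exclusively created name and cleanup in one step, and would also make the `unlink $reqfn;` before creation unnecessary.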
* Re: [pve-devel] [PATCH pve-cluster v2 0/3] fix #6701: Update PVE cert generation
From: Stoiko Ivanov @ 2026-02-06 11:35 UTC
To: Arthur Bied-Charreton; +Cc: Proxmox VE development discussion

Thanks for the quick iteration on this!
Changes look good to me - and I consider them an improvement to before.

Tested this quickly by:
1) removing pve-root-ca (key and cert), the node's pve-ssl (key and cert)
2) running `pvecm updatecerts --force`
3) installing pve-cluster packages with your patches applied
4) recreating the certificate (point 1+2) again
5) vimdiffing old and new files - changes look sensible (apart from the
   uuid, only the added keyUsage extension)
6) running the test-script from your commit-message after restarting pveproxy

Did not read/recheck everything in RFC 5280 though.

Consider this series
Reviewed-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Tested-by: Stoiko Ivanov <s.ivanov@proxmox.com>

On Mon, 26 Jan 2026 10:55:42 +0100
Arthur Bied-Charreton <a.bied-charreton@proxmox.com> wrote:

> The main fix (1/3) adds the keyUsage extension to PVE's root CA, which
> is required by RFC 5280.
>
> {2,3}/3 address review feedback [1] by eliminating temporary config
> files and moving temp file creation from /tmp to /run to prevent symlink
> races.
>
> More details in the commit messages.
>
> [1]
> https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t
>
> Arthur Bied-Charreton (3):
> fix #6701: Add keyUsage extension to root CA
> Convert SSL cert generation config to CLI arguments
> Create temporary CSR file in /run instead of /tmp
>
> src/PVE/Cluster/Setup.pm | 45 +++++++++++-----------------------------
> 1 file changed, 12 insertions(+), 33 deletions(-)
>