From: Shannon Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox-backup 02/10] config: use proxmox_acme_api for generating self-signed certificates
Date: Tue,  7 Apr 2026 15:57:06 +0200	[thread overview]
Message-ID: <20260407135714.490747-3-s.sterz@proxmox.com> (raw)
In-Reply-To: <20260407135714.490747-1-s.sterz@proxmox.com>

to avoid duplicating almost identical code here, re-use the version
from `proxmox_acme_api::create_self_signed_cert`. proxmox backup
server already depends on `proxmox_acme_api` and the code is identical
apart from handling arguments. no functional change intended.

Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 src/config/mod.rs | 93 ++++-------------------------------------------
 1 file changed, 7 insertions(+), 86 deletions(-)

diff --git a/src/config/mod.rs b/src/config/mod.rs
index 2de76bb1..3d48a25e 100644
--- a/src/config/mod.rs
+++ b/src/config/mod.rs
@@ -5,9 +5,6 @@
 
 use anyhow::{bail, format_err, Error};
 use nix::sys::stat::Mode;
-use openssl::pkey::PKey;
-use openssl::rsa::Rsa;
-use openssl::x509::X509Builder;
 use std::path::Path;
 
 use proxmox_lang::try_block;
@@ -89,92 +86,16 @@ pub fn update_self_signed_cert(force: bool) -> Result<(), Error> {
     if key_path.exists() && cert_path.exists() && !force {
         return Ok(());
     }
-
-    let rsa = Rsa::generate(4096).unwrap();
-
-    let priv_pem = rsa.private_key_to_pem()?;
-
-    let mut x509 = X509Builder::new()?;
-
-    x509.set_version(2)?;
-
-    let today = openssl::asn1::Asn1Time::days_from_now(0)?;
-    x509.set_not_before(&today)?;
-    let expire = openssl::asn1::Asn1Time::days_from_now(365 * 1000)?;
-    x509.set_not_after(&expire)?;
-
-    let nodename = proxmox_sys::nodename();
-    let mut fqdn = nodename.to_owned();
-
     let resolv_conf = crate::api2::node::dns::read_etc_resolv_conf()?;
-    if let Some(search) = resolv_conf["search"].as_str() {
-        fqdn.push('.');
-        fqdn.push_str(search);
-    }
 
-    // we try to generate an unique 'subject' to avoid browser problems
-    //(reused serial numbers, ..)
-    let uuid = proxmox_uuid::Uuid::generate();
+    let (priv_key, cert) = proxmox_acme_api::create_self_signed_cert(
+        "Proxmox Backup Server",
+        proxmox_sys::nodename(),
+        resolv_conf["search"].as_str(),
+    )?;
 
-    let mut subject_name = openssl::x509::X509NameBuilder::new()?;
-    subject_name.append_entry_by_text("O", "Proxmox Backup Server")?;
-    subject_name.append_entry_by_text("OU", &format!("{uuid:X}"))?;
-    subject_name.append_entry_by_text("CN", &fqdn)?;
-    let subject_name = subject_name.build();
-
-    x509.set_subject_name(&subject_name)?;
-    x509.set_issuer_name(&subject_name)?;
-
-    let bc = openssl::x509::extension::BasicConstraints::new(); // CA = false
-    let bc = bc.build()?;
-    x509.append_extension(bc)?;
-
-    let usage = openssl::x509::extension::ExtendedKeyUsage::new()
-        .server_auth()
-        .build()?;
-    x509.append_extension(usage)?;
-
-    let context = x509.x509v3_context(None, None);
-
-    let mut alt_names = openssl::x509::extension::SubjectAlternativeName::new();
-
-    alt_names.ip("127.0.0.1");
-    alt_names.ip("::1");
-
-    alt_names.dns("localhost");
-
-    if nodename != "localhost" {
-        alt_names.dns(nodename);
-    }
-    if nodename != fqdn {
-        alt_names.dns(&fqdn);
-    }
-
-    let alt_names = alt_names.build(&context)?;
-
-    x509.append_extension(alt_names)?;
-
-    let pub_pem = rsa.public_key_to_pem()?;
-    let pubkey = PKey::public_key_from_pem(&pub_pem)?;
-
-    x509.set_pubkey(&pubkey)?;
-
-    let context = x509.x509v3_context(None, None);
-    let ext = openssl::x509::extension::SubjectKeyIdentifier::new().build(&context)?;
-    x509.append_extension(ext)?;
-
-    let context = x509.x509v3_context(None, None);
-    let ext = openssl::x509::extension::AuthorityKeyIdentifier::new()
-        .keyid(true)
-        .build(&context)?;
-    x509.append_extension(ext)?;
-
-    let privkey = PKey::from_rsa(rsa)?;
-
-    x509.sign(&privkey, openssl::hash::MessageDigest::sha256())?;
-
-    let x509 = x509.build();
-    let cert_pem = x509.to_pem()?;
+    let cert_pem = cert.to_pem()?;
+    let priv_pem = priv_key.private_key_to_pem_pkcs8()?;
 
     set_proxy_certificate(&cert_pem, &priv_pem)?;
 
-- 
2.47.3




