From: Shannon Sterz <s.sterz@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH manager] certificate: make sure that any new certificate and key match
Date: Wed, 6 May 2026 13:04:52 +0200 [thread overview]
Message-ID: <20260506110452.166057-1-s.sterz@proxmox.com> (raw)
previously it was possible to upload and set a key and certificate
combination, that did not match each other. this lead to confusing
errors as pveproxy would seemingly start, but not actually serve any
http connections. in a cluster context this leads to "broken pipe"
errors when connecting to such a misconfigured node. since this is
rather confusing, verify that a key and certificate can actually be
used before setting them as the current certificates by loading them
into a TLS context.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
Notes:
this came up in the enterprise support and caused quite a bit of
confusion.
PVE/CertHelpers.pm | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/PVE/CertHelpers.pm b/PVE/CertHelpers.pm
index ee945827f..2fc241c24 100644
--- a/PVE/CertHelpers.pm
+++ b/PVE/CertHelpers.pm
@@ -7,6 +7,8 @@ use PVE::Certificate;
use PVE::JSONSchema;
use PVE::Tools;
+use Net::SSLeay;
+
my $account_prefix = '/etc/pve/priv/acme';
PVE::JSONSchema::register_standard_option(
@@ -81,6 +83,31 @@ sub set_cert_files {
PVE::Tools::file_set_contents($cert_path, $cert);
PVE::Tools::file_set_contents($key_path, $key) if $key;
$info = PVE::Certificate::get_certificate_info($cert_path);
+
+ if (my $method = Net::SSLeay::TLS_method()) {
+ my $ctx = Net::SSLeay::CTX_new_with_method($method);
+
+ eval {
+ Net::SSLeay::CTX_use_certificate_chain_file($ctx, $cert_path)
+ or die "could not load certificate (chain)\n";
+ Net::SSLeay::CTX_use_PrivateKey_file(
+ $ctx,
+ $key_path,
+ Net::SSLeay::FILETYPE_PEM(),
+ ) or die "key does not match the certificate (chain)\n";
+ };
+
+ my $err = $@;
+
+ if ($err) {
+ # clean up invalid certificate and key
+ unlink $cert_path;
+ unlink $key_path;
+ die $err;
+ }
+ } else {
+ warn "no TLS method to verify certificate and key match, continuing anyway\n";
+ }
};
my $err = $@;
--
2.47.3
next reply other threads:[~2026-05-06 11:05 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-06 11:04 Shannon Sterz [this message]
2026-05-06 11:28 ` [PATCH manager] certificate: make sure that any new certificate and key match Daniel Herzig
2026-05-06 11:54 ` Thomas Lamprecht
2026-05-06 12:39 ` Shannon Sterz
2026-05-06 12:50 ` Superseded: " Shannon Sterz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260506110452.166057-1-s.sterz@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.