From: Shannon Sterz <s.sterz@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH manager v2] cert helpers: make sure that any new certificate and key match
Date: Wed, 6 May 2026 14:48:32 +0200 [thread overview]
Message-ID: <20260506124832.246682-1-s.sterz@proxmox.com> (raw)
previously it was possible to upload and set a key and certificate
combination, that did not match each other. this lead to confusing
errors as pveproxy would seemingly start, but not actually serve any
http connections. in a cluster context this leads to "broken pipe"
errors when connecting to such a misconfigured node. since this is
rather confusing, verify that a key and certificate can actually be
used before setting them as the current certificates by loading them
into a TLS context.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
Notes:
this came up in the enterprise support and caused quite a bit of
confusion.
changes since v1 (thanks @ Thomas Lamprecht):
- use `NET::SSLeay::die_now` instead of `die` to potentially return
more useful debugging information.
- add error handling when removing invalid keys/certificates fails.
PVE/CertHelpers.pm | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/PVE/CertHelpers.pm b/PVE/CertHelpers.pm
index ee945827f..202dec0ee 100644
--- a/PVE/CertHelpers.pm
+++ b/PVE/CertHelpers.pm
@@ -7,6 +7,8 @@ use PVE::Certificate;
use PVE::JSONSchema;
use PVE::Tools;
+use Net::SSLeay qw(die_now);
+
my $account_prefix = '/etc/pve/priv/acme';
PVE::JSONSchema::register_standard_option(
@@ -81,6 +83,31 @@ sub set_cert_files {
PVE::Tools::file_set_contents($cert_path, $cert);
PVE::Tools::file_set_contents($key_path, $key) if $key;
$info = PVE::Certificate::get_certificate_info($cert_path);
+
+ if (my $method = Net::SSLeay::TLS_method()) {
+ my $ctx = Net::SSLeay::CTX_new_with_method($method);
+
+ eval {
+ Net::SSLeay::CTX_use_certificate_chain_file($ctx, $cert_path)
+ or die_now("could not load certificate (chain) ($!)");
+ Net::SSLeay::CTX_use_PrivateKey_file(
+ $ctx,
+ $key_path,
+ Net::SSLeay::FILETYPE_PEM(),
+ ) or die_now("key does not match the certificate (chain) ($!)");
+ };
+
+ my $err = $@;
+
+ if ($err) {
+ # clean up invalid certificate and key
+ unlink $cert_path or $!{ENOENT} or warn "failed to clean-up $cert_path - $!\n";
+ unlink $key_path or $!{ENOENT} or warn "failed to clean-up $key_path - $!\n";
+ die $err;
+ }
+ } else {
+ warn "no TLS method to verify certificate and key match, continuing anyway\n";
+ }
};
my $err = $@;
--
2.47.3
next reply other threads:[~2026-05-06 12:49 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-06 12:48 Shannon Sterz [this message]
2026-05-06 13:59 ` applied: [PATCH manager v2] cert helpers: make sure that any new certificate and key match Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260506124832.246682-1-s.sterz@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.