* [PATCH manager v2] cert helpers: make sure that any new certificate and key match
@ 2026-05-06 12:48 Shannon Sterz
  2026-05-06 13:59 ` applied: " Thomas Lamprecht
From: Shannon Sterz @ 2026-05-06 12:48 UTC
  To: pve-devel

previously it was possible to upload and set a key and certificate
combination that did not match each other. this led to confusing
errors as pveproxy would seemingly start, but not actually serve any
http connections. in a cluster context this leads to "broken pipe"
errors when connecting to such a misconfigured node. since this is
rather confusing, verify that a key and certificate can actually be
used before setting them as the current certificates by loading them
into a TLS context.

Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---

Notes:
    this came up in the enterprise support and caused quite a bit of
    confusion.
    
    changes since v1 (thanks @ Thomas Lamprecht):
    
    - use `Net::SSLeay::die_now` instead of `die` to potentially return
      more useful debugging information.
    - add error handling when removing invalid keys/certificates fails.

 PVE/CertHelpers.pm | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/PVE/CertHelpers.pm b/PVE/CertHelpers.pm
index ee945827f..202dec0ee 100644
--- a/PVE/CertHelpers.pm
+++ b/PVE/CertHelpers.pm
@@ -7,6 +7,8 @@ use PVE::Certificate;
 use PVE::JSONSchema;
 use PVE::Tools;
 
+use Net::SSLeay qw(die_now);
+
 my $account_prefix = '/etc/pve/priv/acme';
 
 PVE::JSONSchema::register_standard_option(
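Review bot: `die_now` is imported unqualified on the added `use Net::SSLeay qw(die_now);` line, while every other Net::SSLeay call in this patch is written fully qualified (`Net::SSLeay::CTX_new_with_method`, `Net::SSLeay::FILETYPE_PEM()`), so at the call sites it reads like a local helper. Consider dropping the import list and calling `Net::SSLeay::die_now(...)` directly, which keeps the origin of the error path obvious to the next reader.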
@@ -81,6 +83,31 @@ sub set_cert_files {
         PVE::Tools::file_set_contents($cert_path, $cert);
         PVE::Tools::file_set_contents($key_path, $key) if $key;
         $info = PVE::Certificate::get_certificate_info($cert_path);
+
+        if (my $method = Net::SSLeay::TLS_method()) {
+            my $ctx = Net::SSLeay::CTX_new_with_method($method);
+
+            eval {
+                Net::SSLeay::CTX_use_certificate_chain_file($ctx, $cert_path)
+                    or die_now("could not load certificate (chain) ($!)");
+                Net::SSLeay::CTX_use_PrivateKey_file(
+                    $ctx,
+                    $key_path,
+                    Net::SSLeay::FILETYPE_PEM(),
+                ) or die_now("key does not match the certificate (chain) ($!)");
+            };
+
+            my $err = $@;
+
+            if ($err) {
+                # clean up invalid certificate and key
+                unlink $cert_path or $!{ENOENT} or warn "failed to clean-up $cert_path - $!\n";
+                unlink $key_path or $!{ENOENT} or warn "failed to clean-up $key_path - $!\n";
+                die $err;
+            }
+        } else {
+            warn "no TLS method to verify certificate and key match, continuing anyway\n";
+        }
     };
     my $err = $@;
 
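Review bot: The cleanup at the two `unlink` lines removes `$key_path` unconditionally, although the unchanged line above only writes it `if $key`; when a caller passes only a certificate, a failed check deletes a key file this call never wrote, and in every case the previous certificate has already been overwritten by `file_set_contents` before the check runs. Consider writing the new pair to temporary paths, loading those into the context, and only then moving them into place, or at minimum guarding the key cleanup with `if $key`. Two smaller points in the same block: `$ctx` from `CTX_new_with_method` is neither checked for failure nor released (there is no `Net::SSLeay::CTX_free($ctx)` on either path), and the `($!)` in both messages reports errno, which the OpenSSL calls do not necessarily set, while "key does not match the certificate (chain)" is also what the user sees when the key file is simply unreadable or not valid PEM.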
-- 
2.47.3