From: Shannon Sterz
To: pdm-devel@lists.proxmox.com
Subject: [PATCH datacenter-manager/proxmox{,-backup} 00/11] TLS Certificate Rotation
Date: Thu, 18 Jun 2026 13:54:32 +0200
Message-ID: <20260618115443.48618-1-s.sterz@proxmox.com>
List-Id: Proxmox Datacenter Manager development discussion

this series adds certificate rotation to Proxmox Backup Server and Proxmox
Datacenter Manager. currently, both products issue a certificate that is valid
for almost 1000 years (365000 days). no cryptographic key can reasonably be
considered secure for this amount of time. this series:

- allows specifying the lifetime of the certificate when creating one via
  proxmox-acme-api and reduces the default to 3650 days (almost ten years).
- sends and logs reminders 30 days before a certificate expires (pdm currently
  does not support the notification framework yet, so adding notifications is
  left as future work here).
- refreshes a certificate at the earliest 15 days before it expires, logs and
  notifies when that happens.
- warns on certificates with excessive lifetimes (>3650 days) and documents how
  to manually update them.
- for pdm: exposes cert handling cli methods in
  proxmox-datacenter-manager-admin.
- fixes up some inconsistencies in the ui and docs in regards to pdm's
  certificate location.

## Testing

the easiest way to test this is to manipulate the date of the host with
`date --set` and then manually trigger the daily update binary for each
product:

* PBS: `/usr/lib/x86_64-linux-gnu/proxmox-backup/proxmox-daily-update`
* PDM: `/usr/libexec/proxmox/proxmox-datacenter-manager-daily-update`

you can then check the logs and the certificate itself to see what happened.
specifying the `PBS_LOG` environment variable with the parameter `trace` or
`debug` will also enable debug logging here.

## Open Questions

+ 10 years is still a long time and i'd rather reduce that further down if
  possible. see the first patch for proxmox-acme-api for more info.
+ should we remove pre-existing long lasting certificates by ourselves? imo
  that is too risky at the moment given that an unplanned certificate rotation
  could cause backups to fail.
+ notifying every day for 15 days before the renewal might be excessive, see
  the second commit for pbs.

## Future Work

- pve and pdm should be extended to allow automatically updating allowed
  fingerprints before a new self-signed certificate goes into action. a series
  demonstrating this for pve<->pdm has already been sent [1]. if this series
  gets approved, i'll happily adapt the mechanism for pbs<->pve.
- pdm should send notifications similar to pbs once support for notifications
  is added.

## Changelog

* v1: https://lore.proxmox.com/pbs-devel/20260422124022.17952-1-s.sterz@proxmox.com/
  changes since v1:
  + dropped a patch for proxmox-yew-comp that got applied already
  + rebased on current master for all three repos
* rfc: https://lore.proxmox.com/pbs-devel/20260407135714.490747-1-s.sterz@proxmox.com/
  changes since rfc:
  + add patches that avoid hard-coding the certificate file name in yew-comp
    and use the proper filename in pdm
  + update pdm renewal docs patch to avoid confusion
  + re-base on current master

[1]: https://lore.proxmox.com/pdm-devel/20260611120327.257523-1-s.sterz@proxmox.com/

proxmox:

Shannon Sterz (1):
  acme-api: make self-signed certificate expiry configurable

 proxmox-acme-api/src/certificate_helpers.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

backup:

Shannon Sterz (5):
  config: use proxmox_acme_api for generating self-signed certificates
  config: adapt to api change in proxmox_acme_api, add expiry paramter
  config/server/api: add certificate renewal logic including notifications
  daily-update/docs: warn on excessive self-signed certificate lifetime
  backup-manager cli: `cert update` can create auth and csrf key

 debian/proxmox-backup-server.install          |  4 +
 docs/certificate-management.rst               | 31 ++++++
 src/api2/node/certificates.rs                 | 44 +++++++++
 src/bin/proxmox-daily-update.rs               | 32 +++++++
 src/bin/proxmox_backup_manager/cert.rs        |  2 +
 src/config/mod.rs                             | 96 ++-----------------
 src/server/notifications/mod.rs               | 50 ++++++++++
 templates/Makefile                            | 66 +++++++------
 templates/default/cert-refresh-body.txt.hbs   |  8 ++
 .../default/cert-refresh-subject.txt.hbs      |  1 +
 .../cert-upcoming-refresh-body.txt.hbs        |  9 ++
 .../cert-upcoming-refresh-subject.txt.hbs     |  1 +
 12 files changed, 227 insertions(+), 117 deletions(-)
 create mode 100644 templates/default/cert-refresh-body.txt.hbs
 create mode 100644 templates/default/cert-refresh-subject.txt.hbs
 create mode 100644 templates/default/cert-upcoming-refresh-body.txt.hbs
 create mode 100644 templates/default/cert-upcoming-refresh-subject.txt.hbs

datacenter-manager:

Shannon Sterz (5):
  certs: adapt to api change in proxmox_acme_api, add expiry paramter
  api/auth/bin: add certificate renewal logic
  cli: expose certificate management endpoints via the cli
  daily-update/docs: warn on excessive tls certificate validity periods
  docs/certificates: use correct certificate file name

 cli/admin/Cargo.toml                          |  2 +
 cli/admin/src/cert.rs                         | 86 +++++++++++++++++++
 cli/admin/src/main.rs                         |  2 +
 docs/certificate-management.rst               | 32 +++++++
 server/Cargo.toml                             |  1 +
 server/src/api/nodes/certificates.rs          | 50 ++++++++++-
 server/src/auth/certs.rs                      |  4 +-
 ...proxmox-datacenter-manager-daily-update.rs | 30 +++++++
 8 files changed, 205 insertions(+), 2 deletions(-)
 create mode 100644 cli/admin/src/cert.rs

Summary over all repositories:
  21 files changed, 434 insertions(+), 120 deletions(-)

--
Generated by murpp 0.12.0
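
Added example, not code from this patch series or from the Proxmox repositories: a std-only Rust sketch of the daily decision the cover letter describes, useful for predicting what a run of the daily-update binary should log after the host clock is moved with `date --set`. The names `daily_check`, `Action` and `Verdict`, the timestamp-based interface and the inclusive boundaries are assumptions; only the 3650, 30 and 15 day values come from the message.

```rust
// Added illustration, not code from the patch series. Thresholds come from the
// cover letter; boundary handling (inclusive/exclusive) is an assumption.
const DAY: i64 = 24 * 60 * 60;
const MAX_LIFETIME_DAYS: i64 = 3650; // new default lifetime, also the warning limit
const REMIND_DAYS: i64 = 30; // reminders start this long before expiry
const RENEW_DAYS: i64 = 15; // earliest point at which the cert is refreshed

#[derive(Debug, PartialEq)]
enum Action {
    Nothing,
    Remind { days_left: i64 },
    Renew,
}

#[derive(Debug, PartialEq)]
struct Verdict {
    action: Action,
    excessive_lifetime: bool,
}

/// All arguments are Unix timestamps in seconds (hypothetical interface).
fn daily_check(not_before: i64, not_after: i64, now: i64) -> Verdict {
    // Lifetime is judged on the validity period itself, not on time remaining,
    // so a 365000-day certificate is flagged from its first day.
    let excessive_lifetime = not_after - not_before > MAX_LIFETIME_DAYS * DAY;
    // Floor division: an already expired cert yields a negative value and
    // still lands in the renewal branch.
    let days_left = (not_after - now).div_euclid(DAY);
    let action = if days_left <= RENEW_DAYS {
        Action::Renew
    } else if days_left <= REMIND_DAYS {
        Action::Remind { days_left }
    } else {
        Action::Nothing
    };
    Verdict { action, excessive_lifetime }
}

fn main() {
    // Constructed sample: a legacy certificate issued "now" for 365000 days.
    let legacy = daily_check(0, 365_000 * DAY, 0);
    println!("legacy cert: {:?}", legacy);
    // Constructed sample: a 3650-day certificate with 20 days remaining.
    let soon = daily_check(0, 3650 * DAY, 3630 * DAY);
    println!("expiring cert: {:?}", soon);
}
```

The legacy case shows why the lifetime warning has to be separate from the renewal window: such a certificate never gets close enough to expiry to be rotated on its own.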