From: Shannon Sterz
To: pdm-devel@lists.proxmox.com
Subject: [PATCH proxmox 01/11] acme-api: make self-signed certificate expiry configurable
Date: Thu, 18 Jun 2026 13:54:33 +0200
Message-ID: <20260618115443.48618-2-s.sterz@proxmox.com>
In-Reply-To: <20260618115443.48618-1-s.sterz@proxmox.com>
References: <20260618115443.48618-1-s.sterz@proxmox.com>
List-Id: Proxmox Datacenter Manager development discussion

and change the default from 365000 days (almost 1000 years) to 3650 days (almost 10 years). almost 1000 years is excessive, as no practical cryptographic key can reasonably be considered safe for that amount of time. almost 10 years should still give plenty of time to prepare for certificate changes.
Signed-off-by: Shannon Sterz --- Notes: imo, we could go down even more. as far as i am aware there is no real limit that is being enforced here for self-signed certificates from a browser perspective. they are already trusted on an exemption-basis anyway. however, certificates signed by public CAs will only be valid for a maximum of 47 days by 2029 [1]. hence, i would personally either adopt the same limit or go down to a year, as a sensible middle-ground. certificate rotation should really be automated even in self-signed scenarios. we also had cases in the past, where customers already ran into issue because they wanted to limit the lifetime of their certificates below 30 days [2]. meaning that there is a need out there for shorter lived certificates (though, in that case a custom CA & ACME setup was used). [1]: https://github.com/cabforum/servercert/pull/553 [2]: https://bugzilla.proxmox.com/show_bug.cgi?id=6372 proxmox-acme-api/src/certificate_helpers.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/proxmox-acme-api/src/certificate_helpers.rs b/proxmox-acme-api/src/certificate_helpers.rs index 3921b18e..9c55d30e 100644 --- a/proxmox-acme-api/src/certificate_helpers.rs +++ b/proxmox-acme-api/src/certificate_helpers.rs @@ -214,6 +214,7 @@ pub fn create_self_signed_cert( product_name: &str, nodename: &str, domain: Option<&str>, + expire: Option, ) -> Result<(PKey, X509), Error> { let rsa = Rsa::generate(4096).unwrap(); @@ -223,7 +224,7 @@ pub fn create_self_signed_cert( let today = openssl::asn1::Asn1Time::days_from_now(0)?; x509.set_not_before(&today)?; - let expire = openssl::asn1::Asn1Time::days_from_now(365 * 1000)?; + let expire = openssl::asn1::Asn1Time::days_from_now(expire.unwrap_or(365 * 10))?; x509.set_not_after(&expire)?; let mut fqdn = nodename.to_owned(); -- 2.47.3
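Review bot: The new `expire` parameter in the first hunk (`create_self_signed_cert` signature) carries no unit in its name and no doc comment, so a caller cannot tell from the signature that the value is a number of days or what `None` means. Since this is a `pub fn`, consider naming it `expire_days` (or similar) and documenting on the function that `None` falls back to the 3650-day default. Every existing caller also has to be updated for the extra argument, so it is worth confirming that the rest of the series does this in the same step.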
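Review bot: In the second hunk, `expire.unwrap_or(365 * 10)` passes a caller-supplied value straight to `Asn1Time::days_from_now` with no bounds check. A value of 0 produces a certificate whose `not_after` matches the `not_before` set from `days_from_now(0)` two lines earlier, and a very large value brings back the multi-century lifetime the commit message calls excessive. Consider rejecting 0 and enforcing an upper limit before building the `Asn1Time`, and moving `365 * 10` into a named constant so the default is stated in one place. The new binding also shadows the `expire` argument with a different type; a distinct name such as `not_after` would read more clearly.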