From: Thomas Ellmenreich <t.ellmenreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Cc: Thomas Ellmenreich <t.ellmenreich@proxmox.com>
Subject: [PATCH common/proxmox-acme v3 0/2] fix #5978: pem parser: relax parsing of chain entries
Date: Fri, 3 Jul 2026 12:51:31 +0200
Message-ID: <20260703105133.77817-1-t.ellmenreich@proxmox.com>

According to RFC 8555, expected cert chains should come
without whitespace or explanatory text in between chain
entries. These two patches relax our parser to also
accept text or whitespace in between chain entries.

To make sure that the acme changes work as expected I
set up the pebble acme server [1] locally, and worked
through the acme flow to get a new certificate. I then
manually modified the final certificate to contain
descriptive text, which worked without issues.

changes since v2:
- cleaner implementation and correction of mistakes in
check_pem in pve-common
- get_certificate in proxmox-acme now correctly calls
check_pem with the 'multiple' option enabled
- removed ambiguity in the error messages of
get_certificate
- correction of tests, to better compare returned value
to expected value
- performed proper end-to-end test with pebble [1]
- proper formatting (hopefully)

changes since v1:
- Where in v1 check_pem was just a wrapper of split_pem,
they now perform different functions
- split_pem now purely splits the PEM chain into separate
entries and does no further validation. Returning each
entry with its leading text.
- check_pem retains the original functionality, except
when the multiple option is active, in which case it
uses split_pem to get single entries and then calls
itself recursively
- On the ACME side, errors are now captured, wrapped,
and then rethrown.

[1] https://github.com/letsencrypt/pebble

pve-common:

Thomas Ellmenreich (1):
  fix #5978: pem parser: relax parsing of chain entries

 src/PVE/Certificate.pm |  37 ++++-
 test/Makefile          |   2 +
 test/check_pem_test.pl | 357 +++++++++++++++++++++++++++++++++++++++++
 test/split_pem_test.pl | 279 ++++++++++++++++++++++++++++++++
 4 files changed, 667 insertions(+), 8 deletions(-)
 create mode 100755 test/check_pem_test.pl
 create mode 100755 test/split_pem_test.pl

proxmox-acme:

Thomas Ellmenreich (1):
  fix #5978: pem parser: relax parsing of chain entries:

 src/PVE/ACME.pm | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

Summary over all repositories:
  5 files changed, 673 insertions(+), 13 deletions(-)
--
Generated by murpp 0.12.0
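The split-then-check structure the cover letter describes (split_pem handing back each chain entry with its leading text, check_pem validating entries one at a time when the 'multiple' option is set), as an added standalone illustration in Python. This is not the pve-common Perl code from the series; the function signatures, the single-entry behaviour, the sample chain and its toy base64 bodies are all constructed for the example.

```python
import base64
import re

# One PEM block: BEGIN line, base64 body (possibly wrapped), END line with the
# same label. The body class excludes '-', so a match never spans two blocks.
_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n([A-Za-z0-9+/=\r\n ]*?)-----END \1-----"
)

def split_pem(text):
    """Return (leading_text, block) pairs, one per PEM block found in text.

    Only splitting happens here: whitespace or explanatory text before a
    block is handed back with that block, and nothing is validated."""
    entries, pos = [], 0
    for m in _PEM_RE.finditer(text):
        entries.append((text[pos:m.start()], m.group(0)))
        pos = m.end()
    return entries

def check_pem(text, label="CERTIFICATE", multiple=False):
    """True if text is a well-formed PEM block with the given label.

    multiple=True splits the text with split_pem() and checks each entry on
    its own, so text between chain entries no longer causes a rejection.
    Without it the whole text must be a single block (assumed behaviour)."""
    if multiple:
        entries = split_pem(text)
        return bool(entries) and all(check_pem(b, label) for _, b in entries)
    m = _PEM_RE.fullmatch(text.strip())
    if m is None or m.group(1) != label:
        return False
    try:  # reject bodies that are not valid, correctly padded base64
        body = "".join(m.group(2).split())
        return len(base64.b64decode(body, validate=True)) > 0
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

# Constructed sample chain: explanatory text between the entries and toy
# base64 bodies standing in for DER; these are not real certificates.
SAMPLE_CHAIN = (
    "Leaf certificate for example.test\n"
    "-----BEGIN CERTIFICATE-----\n"
    "AAECAwQFBgcICQ==\n"
    "-----END CERTIFICATE-----\n\n"
    "Intermediate CA\n"
    "-----BEGIN CERTIFICATE-----\n"
    "CgsMDQ4P\n"
    "-----END CERTIFICATE-----\n"
)
```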