From: Thomas Ellmenreich
To: pve-devel@lists.proxmox.com
Subject: [PATCH common/proxmox-acme v3 0/2] fix #5978: pem parser: relax parsing of chain entries
Date: Fri, 3 Jul 2026 12:51:31 +0200
Message-ID: <20260703105133.77817-1-t.ellmenreich@proxmox.com>

According to RFC 8555, expected certificate chains should come without whitespace or explanatory text in between chain entries. These two patches relax our parser to also accept text or whitespace in between chain entries.
To make sure that the ACME changes work as expected, I set up the pebble ACME server [1] locally and worked through the ACME flow to get a new certificate. I then manually modified the final certificate to contain descriptive text, which worked without issues.

changes since v2:
- cleaner implementation and correction of mistakes in check_pem in pve-common
- get_certificate in proxmox-acme now correctly calls check_pem with the 'multiple' option enabled
- removed ambiguity in the error messages of get_certificate
- correction of tests, to better compare returned value to expected value
- performed proper end-to-end test with pebble [1]
- proper formatting (hopefully)

changes since v1:
- Where in v1 check_pem was just a wrapper of split_pem, they now perform different functions
- split_pem now purely splits the PEM chain into separate entries and does no further validation, returning each entry with its leading text.
- check_pem retains the original functionality, except when the multiple option is active, in which case it uses split_pem to get single entries and then calls itself recursively
- On the ACME side, errors are now captured, wrapped, and then rethrown.

[1] https://github.com/letsencrypt/pebble

pve-common:

Thomas Ellmenreich (1):
  fix #5978: pem parser: relax parsing of chain entries

 src/PVE/Certificate.pm |  37 ++++-
 test/Makefile          |   2 +
 test/check_pem_test.pl | 357 +++++++++++++++++++++++++++++++++++++++++
 test/split_pem_test.pl | 279 ++++++++++++++++++++++++++++++++
 4 files changed, 667 insertions(+), 8 deletions(-)
 create mode 100755 test/check_pem_test.pl
 create mode 100755 test/split_pem_test.pl

proxmox-acme:

Thomas Ellmenreich (1):
  fix #5978: pem parser: relax parsing of chain entries:

 src/PVE/ACME.pm | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

Summary over all repositories:
  5 files changed, 673 insertions(+), 13 deletions(-)

-- 
Generated by murpp 0.12.0
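The split_pem / check_pem division of labour described in the v1 changelog (split into entries keeping leading text, validate each entry, recurse when 'multiple' is set) is shown below as an added example in Python. It is not the Perl code from the PVE::Certificate or PVE::ACME patches; the function names are borrowed from the cover letter, the sample "chain" is constructed from minimal DER SEQUENCEs rather than real certificates, the openssl-style subject/issuer lines between entries are made up, and the DER-tag sanity check is this example's own choice, not something the patch series claims to do.

```python
"""Relaxed PEM chain splitting that tolerates explanatory text around entries.

Added example (Python), not the Perl implementation in PVE::Certificate.
split_pem/check_pem mirror the cover letter's description, not its code.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# One encapsulated block (RFC 7468 shape), preceded by any text up to the
# first "-----BEGIN" that starts a line. The lazy "pre" group collects that
# explanatory text so the caller can keep or discard it.
PEM_BLOCK = re.compile(
    r"(?P<pre>.*?)"
    r"^-----BEGIN (?P<label>[A-Z0-9 ]+)-----[ \t]*\r?\n"
    r"(?P<body>(?:[A-Za-z0-9+/=]+[ \t]*\r?\n)*)"
    r"-----END (?P=label)-----[ \t]*(?:\r?\n|\Z)",
    re.DOTALL | re.MULTILINE,
)


@dataclass
class PemEntry:
    label: str
    leading_text: str   # text found before this block (may be empty)
    body_b64: str       # base64 payload, still newline-separated
    block: str          # the encapsulated block itself, BEGIN..END


def split_pem(text: str) -> List[PemEntry]:
    """Split a PEM file into entries, keeping each entry's leading text.

    No payload validation here; only boundary structure is checked, so a
    BEGIN without a matching END cannot be silently swallowed as "text".
    """
    entries: List[PemEntry] = []
    end = 0
    for m in PEM_BLOCK.finditer(text):
        pre = m.group("pre")
        if "-----BEGIN" in pre or "-----END" in pre:
            raise ValueError("malformed PEM boundary before entry %d" % (len(entries) + 1))
        entries.append(PemEntry(
            label=m.group("label"),
            leading_text=pre,
            body_b64=m.group("body"),
            block=m.group(0)[len(pre):],
        ))
        end = m.end()
    trailing = text[end:]
    if "-----BEGIN" in trailing or "-----END" in trailing:
        raise ValueError("unterminated PEM block after entry %d" % len(entries))
    return entries


def check_pem(text: str, label: str = "CERTIFICATE", multiple: bool = False) -> List[bytes]:
    """Validate a PEM file and return the DER payload of every entry.

    multiple=False requires exactly one entry; multiple=True splits first and
    then checks each entry on its own (the recursion the cover letter describes).
    """
    entries = split_pem(text)
    if not entries:
        raise ValueError("no PEM entry found")
    if multiple:
        return [der for e in entries for der in check_pem(e.block, label, multiple=False)]
    if len(entries) != 1:
        raise ValueError("expected exactly one PEM entry, found %d" % len(entries))
    entry = entries[0]
    if entry.label != label:
        raise ValueError("expected %s, found %s" % (label, entry.label))
    compact = re.sub(r"\s+", "", entry.body_b64)
    if not compact:
        raise ValueError("empty PEM body")
    try:
        der = base64.b64decode(compact, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError("invalid base64 in PEM body") from exc
    # An X.509 Certificate is a DER SEQUENCE (tag 0x30). This is a structural
    # sanity check chosen for this example, not full X.509 parsing.
    if not der or der[0] != 0x30:
        raise ValueError("PEM body is not a DER SEQUENCE")
    return [der]


def check_pem_error(text: str, **kwargs) -> Optional[str]:
    """Return the ValueError message check_pem would raise, or None if valid."""
    try:
        check_pem(text, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def _fake_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap raw bytes in PEM armour (helper for the constructed sample)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed input, not real certificates: minimal DER SEQUENCE { INTEGER n }
# payloads, with made-up openssl-style subject/issuer lines between entries.
LEAF_DER = b"\x30\x03\x02\x01\x01"
ISSUER_DER = b"\x30\x03\x02\x01\x02"
CHAIN_WITH_TEXT = (
    "subject=CN=example.test\nissuer=CN=Example Intermediate\n"
    + _fake_pem(LEAF_DER)
    + "\nsubject=CN=Example Intermediate\nissuer=CN=Example Root\n"
    + _fake_pem(ISSUER_DER)
)

if __name__ == "__main__":
    for e in split_pem(CHAIN_WITH_TEXT):
        print(repr(e.leading_text.strip()), "->", e.label)
    print(len(check_pem(CHAIN_WITH_TEXT, multiple=True)), "entries validated")
    print("single-entry mode:", check_pem_error(CHAIN_WITH_TEXT))
    print("truncated chain:", check_pem_error(CHAIN_WITH_TEXT[:-30], multiple=True))
```

The point of the trailing-text check in split_pem is the failure mode a relaxed parser introduces: once arbitrary text between entries is accepted, a truncated final entry must still be reported as an error rather than quietly classified as explanatory text.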