* [PATCH cluster v3 0/3] fix #6701: Add keyUsage extension to root CA
From: Arthur Bied-Charreton @ 2026-03-17 14:20 UTC (permalink / raw)
To: pve-devel
The main fix (1/3) adds the keyUsage extension to PVE's root CA, which
is required by RFC 5280.
{2,3}/3 address review feedback [0] by eliminating temporary config
files and moving temp file creation from /tmp to /run/pve-cluster to prevent symlink
races.
More details in the commit messages.
Changes since v2:
Create temp file in /run/pve-cluster instead of /run, as suggested by
Maximiliano here [1]
[0] https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t
[1] https://lore.proxmox.com/pve-devel/s8o7brad0e6.fsf@toolbox/
Arthur Bied-Charreton (3):
fix #6701: Add keyUsage extension to root CA
Convert SSL cert generation config to CLI arguments
Create temporary CSR file in /run instead of /tmp
src/PVE/Cluster/Setup.pm | 45 +++++++++++-----------------------------
1 file changed, 12 insertions(+), 33 deletions(-)
--
2.47.3
* [PATCH pve-cluster v3 1/3] fix #6701: Add keyUsage extension to root CA
From: Arthur Bied-Charreton @ 2026-03-17 14:20 UTC (permalink / raw)
To: pve-devel
Add the keyUsage[1] extension to the PVE root CA to comply with RFC
5280, which Python decided to enforce as of 3.13 by adding the
VERIFY_X509_STRICT flag, which breaks some clients like Ansible.
The authorityKeyIdentifier[2] and subjectKeyIdentifier[3] extensions are
required by RFC 5280 as well, however OpenSSL adds them in by default
based on /etc/ssl/openssl.cnf, so there is no need for explicitly
passing them.
Test script:
```python
import socket, ssl

# Trust only the PVE root CA; on Python 3.13 this context carries
# VERIFY_X509_STRICT, which rejects a CA certificate without keyUsage.
ctx = ssl.create_default_context(cafile="/etc/pve/pve-root-ca.pem")
# Handshake against the local pveproxy; raises ssl.SSLCertVerificationError
# if the CA certificate fails the strict RFC 5280 checks.
ctx.wrap_socket(socket.create_connection(("localhost", 8006)),
                server_hostname="localhost")
print("success")
```
[1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
[2] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1
[3] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.2
Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
---
src/PVE/Cluster/Setup.pm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
index 75d3507..4f528ba 100644
--- a/src/PVE/Cluster/Setup.pm
+++ b/src/PVE/Cluster/Setup.pm
@@ -439,6 +439,8 @@ sub gen_pveca_cert {
'-new',
'-x509',
'-nodes',
+ '-addext',
+ 'keyUsage=critical,keyCertSign,cRLSign',
'-key',
$pveca_key_fn,
'-out',
--
2.47.3
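A defender-side check for the CA properties this patch is about, added here as an example and not part of the series or of pve-cluster. Go is used instead of the Python test script above because its standard library can both build a constructed self-signed root CA in memory and inspect its extensions offline; `must`, `makeRootCA` and `strictCAProblems` are hypothetical names, and the check covers the requirements the commit message lists (keyUsage with keyCertSign, subjectKeyIdentifier; authorityKeyIdentifier is left out because a self-signed root may omit it) plus CA basicConstraints, without claiming to reproduce OpenSSL's strict mode bit for bit.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // hypothetical helper: setup errors become panics
	if err != nil {
		panic(err)
	}
	return v
}

// makeRootCA (hypothetical) builds a constructed self-signed root CA in memory with the
// given keyUsage bits; 0 leaves the extension out, as the CA was before the patch.
func makeRootCA(ku x509.KeyUsage) *x509.Certificate {
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // 2048 bits, the openssl.cnf default
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-root-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, // basicConstraints=critical,CA:TRUE
		KeyUsage: ku, // Go adds a subjectKeyIdentifier for CAs itself, as openssl.cnf does
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// strictCAProblems lists the RFC 5280 CA requirements that c fails; empty means it passes.
func strictCAProblems(c *x509.Certificate) (p []string) {
	if !c.BasicConstraintsValid || !c.IsCA {
		p = append(p, "basicConstraints missing or CA:FALSE")
	}
	if c.KeyUsage&x509.KeyUsageCertSign == 0 { // KeyUsage is 0 when the extension is absent
		p = append(p, "keyUsage missing or without keyCertSign")
	}
	if len(c.SubjectKeyId) == 0 {
		p = append(p, "subjectKeyIdentifier missing")
	}
	return p
}

func main() {
	for _, ku := range []x509.KeyUsage{0, x509.KeyUsageCertSign | x509.KeyUsageCRLSign} {
		fmt.Printf("keyUsage=%#x problems=%v\n", ku, strictCAProblems(makeRootCA(ku)))
	}
}
```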
* [PATCH pve-cluster v3 2/3] Convert SSL cert generation config to CLI arguments
From: Arthur Bied-Charreton @ 2026-03-17 14:20 UTC (permalink / raw)
To: pve-devel
Replace temporary OpenSSL config file with direct CLI arguments in PVE
node SSL cert generation.
Changes:
- Use '-subj' flag for distinguished name
- Use '-addext' flag for cert extensions
- Use '-copy_extensions copyall' to copy extensions from CSR to cert
- Remove temp config file and cleanup code
As suggested here:
https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t
Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
---
src/PVE/Cluster/Setup.pm | 41 +++++++++-------------------------------
1 file changed, 9 insertions(+), 32 deletions(-)
diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
index 4f528ba..b9cacfd 100644
--- a/src/PVE/Cluster/Setup.pm
+++ b/src/PVE/Cluster/Setup.pm
@@ -504,33 +504,6 @@ sub gen_pve_ssl_cert {
$names .= ",DNS:$fqdn";
}
- my $sslconf = <<__EOD;
-RANDFILE = /root/.rnd
-extensions = v3_req
-
-[ req ]
-default_bits = 2048
-distinguished_name = req_distinguished_name
-req_extensions = v3_req
-prompt = no
-string_mask = nombstr
-
-[ req_distinguished_name ]
-organizationalUnitName = PVE Cluster Node
-organizationName = Proxmox Virtual Environment
-commonName = $fqdn
-
-[ v3_req ]
-basicConstraints = CA:FALSE
-extendedKeyUsage = serverAuth
-subjectAltName = $names
-__EOD
-
- my $cfgfn = "/tmp/pvesslconf-$$.tmp";
- my $fh = IO::File->new($cfgfn, "w");
- print $fh $sslconf;
- close($fh);
-
my $reqfn = "/tmp/pvecertreq-$$.tmp";
unlink $reqfn;
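Review bot: the removed config carried three settings besides the DN and the v3_req extensions (RANDFILE, default_bits = 2048, string_mask = nombstr), and only the DN and extensions reappear as command-line arguments further down; the commit message should say for each of the three why dropping it is safe (default_bits does not apply to a request made with an existing key, but string_mask changes how non-ASCII DN strings are encoded). Note also that the context line `my $reqfn = "/tmp/pvecertreq-$$.tmp";` keeps a PID-predictable file name in a world-writable directory, so removing `$cfgfn` only halves the exposure this series is concerned with.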
@@ -541,18 +514,23 @@ __EOD
'req',
'-batch',
'-new',
- '-config',
- $cfgfn,
'-key',
$pvessl_key_fn,
'-out',
$reqfn,
+ '-subj',
+ "/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=$fqdn",
+ '-addext',
+ 'basicConstraints=CA:FALSE',
+ '-addext',
+ 'extendedKeyUsage=serverAuth',
+ '-addext',
+ "subjectAltName=$names",
]);
};
if (my $err = $@) {
unlink $reqfn;
- unlink $cfgfn;
die "unable to generate pve certificate request:\n$err";
}
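Review bot: `-subj` treats `/` as the RDN separator and `\` as the escape character, and `$fqdn` is interpolated unescaped into `"/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=$fqdn"`, so either character in the value would silently change the DN; the old config file had the same property for newlines, but while touching this line it is cheap to validate `$fqdn` against a hostname pattern (or die) before building the string. Likewise `"subjectAltName=$names"` relies on every entry in `$names` being comma-free. For the commit message: the request no longer passes `-config`, and `default_bits` is intentionally not replaced because the key comes from `-key $pvessl_key_fn`; stating that answers the question a reader will have.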
@@ -581,13 +559,12 @@ __EOD
'openssl', 'x509', '-req', '-in', $reqfn, '-days', $daysleft, '-out',
$pvessl_cert_fn,
'-CAkey', $pveca_key_fn, '-CA', $pveca_cert_fn, '-CAserial', $pveca_srl_fn,
- '-extfile', $cfgfn,
+ '-copy_extensions', 'copyall',
]);
};
my $err = $@;
unlink $reqfn or $!{ENOENT} or warn "failed to clean up '$reqfn' - $!";
- unlink $cfgfn or $!{ENOENT} or warn "failed to clean up '$cfgfn' - $!";
die "unable to generate pve ssl certificate:\n$err" if $err;
}
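Review bot: `-copy_extensions copyall` makes the CA step accept every extension present in the CSR, which is fine here only because the CSR is generated a few lines above in the same function; it turns the signing call into one that trusts its input, and if this invocation is ever reused for a CSR that did not originate here, `copyall` would copy a `basicConstraints=CA:TRUE` or extra SAN entries along with everything else. Worth a one-line comment at the call site stating that assumption, and a note in the commit message that `-copy_extensions` on `openssl x509` requires OpenSSL 3.0 or later, which the old `-extfile` path did not.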
--
2.47.3
* [PATCH pve-cluster v3 3/3] Create temporary CSR file in /run instead of /tmp
From: Arthur Bied-Charreton @ 2026-03-17 14:20 UTC (permalink / raw)
To: pve-devel
As suggested here [0], creating temp files in a world-writable directory
such as /tmp could expose the config generation to symlink races. Use
the /run/pve-cluster directory instead, which is the rundir created by
the cluster filesystem for this purpose [1].
[0] https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t
[1] https://lore.proxmox.com/pve-devel/s8o7brad0e6.fsf@toolbox/
Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Suggested-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
---
src/PVE/Cluster/Setup.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
index b9cacfd..e718611 100644
--- a/src/PVE/Cluster/Setup.pm
+++ b/src/PVE/Cluster/Setup.pm
@@ -504,7 +504,7 @@ sub gen_pve_ssl_cert {
$names .= ",DNS:$fqdn";
}
- my $reqfn = "/tmp/pvecertreq-$$.tmp";
+ my $reqfn = "/run/pve-cluster/pvecertreq-$$.tmp";
unlink $reqfn;
my $pvessl_key_fn = "$pmxcfs_base_dir/nodes/$nodename/pve-ssl.key";
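Review bot: the subject says `/run` while the new path is `/run/pve-cluster`; align the subject with the body. On the change itself: leaving /tmp removes the world-writable-directory exposure, but the code still does `unlink $reqfn` on a fixed, PID-derived name and then lets openssl create that name, and it now depends on /run/pve-cluster existing, which the commit message ties to the cluster filesystem; if `gen_pve_ssl_cert` can run before pmxcfs has created its rundir (installer, recovery), the request step now fails where /tmp always worked. `File::Temp::tempfile(DIR => '/run/pve-cluster')` would give an O_EXCL-created random name and a clear error when the directory is missing.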
--
2.47.3
* Re: [PATCH pve-cluster v3 2/3] Convert SSL cert generation config to CLI arguments
From: Thomas Lamprecht @ 2026-03-17 16:00 UTC (permalink / raw)
To: Arthur Bied-Charreton, pve-devel
On 17.03.26 at 15:22, Arthur Bied-Charreton wrote:
> Replace temporary OpenSSL config file with direct CLI arguments in PVE
> node SSL cert generation.
>
> Changes:
> - Use '-subj' flag for distinguished name
> - Use '-addext' flag for cert extensions
> - Use '-copy_extensions copyall' to copy extensions from CSR to cert
> - Remove temp config file and cleanup code
IMO an odd way to write a commit message, especially as I can see most of
that from checking the, well, actual changes below... And only some parts
got picked out.
Also, the 2048 bit is just silently dropped, is that implied somewhere?
Such things should be actually mentioned. Please recheck all settings
yourself to ensure this is a complete change.
> As suggested here:
> https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t
would be good to include some actual rationale, not just the link, as
unlike the changes described above I cannot just get that from the diff
or rest of the commit's info.
>
> Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
> ---
> src/PVE/Cluster/Setup.pm | 41 +++++++++-------------------------------
> 1 file changed, 9 insertions(+), 32 deletions(-)
>
> diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
> index 4f528ba..b9cacfd 100644
> --- a/src/PVE/Cluster/Setup.pm
> +++ b/src/PVE/Cluster/Setup.pm
> @@ -504,33 +504,6 @@ sub gen_pve_ssl_cert {
> $names .= ",DNS:$fqdn";
> }
>
> - my $sslconf = <<__EOD;
> -RANDFILE = /root/.rnd
> -extensions = v3_req
> -
> -[ req ]
> -default_bits = 2048
> -distinguished_name = req_distinguished_name
> -req_extensions = v3_req
> -prompt = no
> -string_mask = nombstr
> -
> -[ req_distinguished_name ]
> -organizationalUnitName = PVE Cluster Node
> -organizationName = Proxmox Virtual Environment
> -commonName = $fqdn
> -
> -[ v3_req ]
> -basicConstraints = CA:FALSE
> -extendedKeyUsage = serverAuth
> -subjectAltName = $names
> -__EOD
> -
> - my $cfgfn = "/tmp/pvesslconf-$$.tmp";
> - my $fh = IO::File->new($cfgfn, "w");
> - print $fh $sslconf;
> - close($fh);
> -
> my $reqfn = "/tmp/pvecertreq-$$.tmp";
> unlink $reqfn;
>
> @@ -541,18 +514,23 @@ __EOD
> 'req',
> '-batch',
> '-new',
> - '-config',
> - $cfgfn,
> '-key',
> $pvessl_key_fn,
> '-out',
> $reqfn,
> + '-subj',
> + "/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=$fqdn",
> + '-addext',
> + 'basicConstraints=CA:FALSE',
> + '-addext',
> + 'extendedKeyUsage=serverAuth',
> + '-addext',
> + "subjectAltName=$names",
> ]);
> };
>
> if (my $err = $@) {
> unlink $reqfn;
> - unlink $cfgfn;
> die "unable to generate pve certificate request:\n$err";
> }
>
> @@ -581,13 +559,12 @@ __EOD
> 'openssl', 'x509', '-req', '-in', $reqfn, '-days', $daysleft, '-out',
> $pvessl_cert_fn,
> '-CAkey', $pveca_key_fn, '-CA', $pveca_cert_fn, '-CAserial', $pveca_srl_fn,
> - '-extfile', $cfgfn,
> + '-copy_extensions', 'copyall',
> ]);
> };
> my $err = $@;
>
> unlink $reqfn or $!{ENOENT} or warn "failed to clean up '$reqfn' - $!";
> - unlink $cfgfn or $!{ENOENT} or warn "failed to clean up '$cfgfn' - $!";
>
> die "unable to generate pve ssl certificate:\n$err" if $err;
> }
* Re: [PATCH pve-cluster v3 2/3] Convert SSL cert generation config to CLI arguments
From: Arthur Bied-Charreton @ 2026-03-17 16:07 UTC (permalink / raw)
To: Thomas Lamprecht; +Cc: pve-devel
On Tue, Mar 17, 2026 at 05:00:20PM +0100, Thomas Lamprecht wrote:
> On 17.03.26 at 15:22, Arthur Bied-Charreton wrote:
> > Replace temporary OpenSSL config file with direct CLI arguments in PVE
> > node SSL cert generation.
> >
> > Changes:
> > - Use '-subj' flag for distinguished name
> > - Use '-addext' flag for cert extensions
> > - Use '-copy_extensions copyall' to copy extensions from CSR to cert
> > - Remove temp config file and cleanup code
>
> IMO an odd way to write a commit message, especially as I can see most of
> that from checking the, well, actual changes below... And only some parts
> got picked out.
>
Good point, will rewrite this.
> Also, the 2048 bit is just silently dropped, is that implied somewhere?
> Such things should be actually mentioned. Please recheck all settings
> yourself to ensure this is a complete change.
>
Yes, 2048 is the default (/etc/ssl/openssl.cnf). I should have made that
clear in the commit message. Will add it in v4.
> > As suggested here:
> > https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t
>
> would be good to include some actual rationale, not just the link, as
> unlike the changes described above I cannot just get that from the diff
> or rest of the commit's info.
>
Thanks for the feedback!
>
>
> >
> > Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
> > ---
> > src/PVE/Cluster/Setup.pm | 41 +++++++++-------------------------------
> > 1 file changed, 9 insertions(+), 32 deletions(-)
> >
> > diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
> > index 4f528ba..b9cacfd 100644
> > --- a/src/PVE/Cluster/Setup.pm
> > +++ b/src/PVE/Cluster/Setup.pm
> > @@ -504,33 +504,6 @@ sub gen_pve_ssl_cert {
> > $names .= ",DNS:$fqdn";
> > }
> >
> > - my $sslconf = <<__EOD;
> > -RANDFILE = /root/.rnd
> > -extensions = v3_req
> > -
> > -[ req ]
> > -default_bits = 2048
> > -distinguished_name = req_distinguished_name
> > -req_extensions = v3_req
> > -prompt = no
> > -string_mask = nombstr
> > -
> > -[ req_distinguished_name ]
> > -organizationalUnitName = PVE Cluster Node
> > -organizationName = Proxmox Virtual Environment
> > -commonName = $fqdn
> > -
> > -[ v3_req ]
> > -basicConstraints = CA:FALSE
> > -extendedKeyUsage = serverAuth
> > -subjectAltName = $names
> > -__EOD
> > -
> > - my $cfgfn = "/tmp/pvesslconf-$$.tmp";
> > - my $fh = IO::File->new($cfgfn, "w");
> > - print $fh $sslconf;
> > - close($fh);
> > -
> > my $reqfn = "/tmp/pvecertreq-$$.tmp";
> > unlink $reqfn;
> >
> > @@ -541,18 +514,23 @@ __EOD
> > 'req',
> > '-batch',
> > '-new',
> > - '-config',
> > - $cfgfn,
> > '-key',
> > $pvessl_key_fn,
> > '-out',
> > $reqfn,
> > + '-subj',
> > + "/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=$fqdn",
> > + '-addext',
> > + 'basicConstraints=CA:FALSE',
> > + '-addext',
> > + 'extendedKeyUsage=serverAuth',
> > + '-addext',
> > + "subjectAltName=$names",
> > ]);
> > };
> >
> > if (my $err = $@) {
> > unlink $reqfn;
> > - unlink $cfgfn;
> > die "unable to generate pve certificate request:\n$err";
> > }
> >
> > @@ -581,13 +559,12 @@ __EOD
> > 'openssl', 'x509', '-req', '-in', $reqfn, '-days', $daysleft, '-out',
> > $pvessl_cert_fn,
> > '-CAkey', $pveca_key_fn, '-CA', $pveca_cert_fn, '-CAserial', $pveca_srl_fn,
> > - '-extfile', $cfgfn,
> > + '-copy_extensions', 'copyall',
> > ]);
> > };
> > my $err = $@;
> >
> > unlink $reqfn or $!{ENOENT} or warn "failed to clean up '$reqfn' - $!";
> > - unlink $cfgfn or $!{ENOENT} or warn "failed to clean up '$cfgfn' - $!";
> >
> > die "unable to generate pve ssl certificate:\n$err" if $err;
> > }
>
* superseded: [PATCH cluster v3 0/3] fix #6701: Add keyUsage extension to root CA
From: Arthur Bied-Charreton @ 2026-03-17 16:56 UTC (permalink / raw)
To: pve-devel
superseded by: https://lore.proxmox.com/all/20260317165358.620306-1-a.bied-charreton@proxmox.com/T/#t