From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Thomas Ellmenreich <t.ellmenreich@proxmox.com>,
pve-devel@lists.proxmox.com
Subject: Re: [PATCH proxmox-acme v2 2/2] fix #5978: pem parser: relax parsing of chain entries:
Date: Wed, 24 Jun 2026 13:38:16 +0200
Message-ID: <4fcddd28-704f-446f-bdf2-6b77afc0e6ad@proxmox.com>
In-Reply-To: <20260617124251.89036-3-t.ellmenreich@proxmox.com>

On 17.06.26 at 14:42, Thomas Ellmenreich wrote:
> Instead of using a custom regex to parse pem chains, now uses
> the pve-common Certificate::check_pem function to do so. This
> now allows for additional text and whitespace in between the
> chain entries.
>
> Signed-off-by: Thomas Ellmenreich <t.ellmenreich@proxmox.com>
> ---
> src/PVE/ACME.pm | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
> index e6fb9c2..4b06817 100644
> --- a/src/PVE/ACME.pm
> +++ b/src/PVE/ACME.pm
> @@ -530,10 +530,10 @@ sub get_certificate {
> if !defined($res);
> }
>
> - if ($res =~ /^(-----BEGIN CERTIFICATE-----)(.+)(-----END CERTIFICATE-----)$/s) { # untaint
> - return $1 . $2 . $3;
> - }
> - die "Server reply does not look like a PEM encoded certificate\n";
> + my $parsed = eval { PVE::Certificate::check_pem->($res) };

Why the -> ? That's normally how one calls code references or blessed objects,
but not "normal" methods. As above will call check_pem without arguments and
then try to call the result as code reference with $res as parameter, so this
will always fail FWICT. Was this actually tested end to end?

Also, this fails with certs that are full chains, so this probably should be:

    my $parsed = eval { PVE::Certificate::check_pem($res, multiple => 1) };

> + die "Server reply does not look like a PEM encoded certificate: $@\n"

Nit: server is not really _that_ telling here, could be also interpreted as some
API server part of ours (and yes, that wording is somewhat pre-existing in another
error in this method, but still).

> + if $@;
> + return $parsed;
> };
> $self->fatal("POST of '$order->{certificate}' failed - $@", $r) if $@;
> return $return;
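
Review bot: the removed regex branch carried an `# untaint` comment and returned only its capture groups, while the added `return $parsed;` hands back whatever `check_pem` returns with nothing in the hunk showing that the value is untainted. If callers running under taint mode depend on that, either confirm that `check_pem` returns captured data and note it in a comment next to `return $parsed;`, or keep an explicit untainting match on the result before returning it. The diffstat also lists only the four replaced lines, so no `use PVE::Certificate;` is added here; it is worth checking that ACME.pm already loads the module before the fully qualified call is reached.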