* [pve-devel] [PATCH manager 1/2] fix #6779: pveupdate: renew already expired certificates
From: Fabian Grünbichler @ 2025-09-09 10:04 UTC (permalink / raw)
  To: pve-devel

if nodes are offline for a longer period of time, they might not be renewed by
pveupdate before they expire. the `verify` call here just serves as an
extra safeguard to prevent accidental overwriting of certificates not actually
signed by the cluster CA, checking the expiry time serves no purpose.

Suggested-by: Stephane Chazelas
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
verified by manually creating an expired and a soon-to-be-expired certificate.

 bin/pveupdate | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/bin/pveupdate b/bin/pveupdate
index 757cac868..9984c9369 100755
--- a/bin/pveupdate
+++ b/bin/pveupdate
@@ -111,7 +111,10 @@ eval {
 
         # check if cert is really signed by the ca
         # TODO: replace by low level ssleay interface if version 1.86 is available
-        PVE::Tools::run_command(['/usr/bin/openssl', 'verify', '-CAfile', $capath, $certpath]);
+        my $cmd = [
+            '/usr/bin/openssl', 'verify', '-no_check_time', '-CAfile', $capath, '--', $certpath,
+        ];
+        PVE::Tools::run_command($cmd);
 
         print "PVE certificate $msg\n";
         # create new certificate
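Review bot: `-no_check_time` is not understood by openssl releases before 1.1.0, so this hunk quietly raises the minimum openssl version the script works with; fine for current PVE, but worth a word in the commit message. Otherwise the change is sound: the call still sits inside the `eval {` shown in the hunk header, so a certificate that does not chain to `$capath` makes `run_command` die and the renewal below is skipped, while an expired but genuine certificate now passes and gets renewed, which is exactly the #6779 case. Adding `--` before `$certpath` is also correct, since verify treats every argument after the options as a certificate file.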
-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
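The verify-then-classify flow the two patches describe, as an added shell demo that is not part of pveupdate or this thread: it builds a throwaway cluster CA, a foreign CA and three leaf certificates, checks the chain with the same `openssl verify -no_check_time ... -- cert` call the first patch introduces, and classifies expiry in the branch order the second patch uses. An already-expired certificate is not generated here (that would need faketime or a newer openssl), so only the "expires soon", "ok" and foreign-CA cases actually run.

```shell
#!/bin/sh
# Added demo, not pveupdate's code: reproduce its certificate check with the
# openssl CLI. All keys and certificates below are constructed in a temp dir.
set -u
WORK=$(mktemp -d); cd "$WORK"
# Self-signed CA, standing in for the cluster CA (or for a foreign one).
mkca() { # $1=name
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
        -subj "/CN=$1" -days 365 >/dev/null 2>&1
}
# Leaf certificate issued by one of those CAs with the given lifetime in days.
mkleaf() { # $1=name $2=issuing CA name $3=days
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$1" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -out "$1.crt" -days "$3" >/dev/null 2>&1
}
# Safeguard from patch 1/2: the chain to the cluster CA is verified, the
# validity period is not (-no_check_time); '--' ends option parsing.
signed_by_ca() { # $1=CA file $2=cert file
    openssl verify -no_check_time -CAfile "$1" -- "$2" >/dev/null 2>&1
}
# Branch order from patch 2/2: expired first, then the 14-day window.
# 'x509 -checkend N' exits non-zero when notAfter is within the next N seconds
# or already in the past.
renew_state() { # $1=cert file -> expired | soon | ok
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$1" -noout -checkend $((14 * 24 * 60 * 60)) >/dev/null 2>&1; then
        echo soon
    else
        echo ok
    fi
}
# What pveupdate would log; the CA check only runs when a renewal is due.
decide() { # $1=cert file $2=cluster CA file
    state=$(renew_state "$1")
    [ "$state" = ok ] && { echo "PVE certificate $1 ok"; return 0; }
    signed_by_ca "$2" "$1" || { echo "$1 not signed by cluster CA, left untouched"; return 1; }
    [ "$state" = expired ] && echo "PVE certificate expired, renewing..." \
                           || echo "PVE certificate expires soon, renewing..."
}
mkca cluster-ca; mkca other-ca
mkleaf leaf-soon cluster-ca 1        # inside the 14-day window
mkleaf leaf-ok cluster-ca 365        # nothing to do
mkleaf leaf-foreign other-ca 1       # expiring, but not ours: must not be overwritten
for c in leaf-soon.crt leaf-ok.crt leaf-foreign.crt; do decide "$c" cluster-ca.crt; done
```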


* [pve-devel] [PATCH manager 2/2] pveupdate: improve cert renew log messages
From: Fabian Grünbichler @ 2025-09-09 10:04 UTC (permalink / raw)
  To: pve-devel

by explicitly checking for already expired certificates and adapting the
message in that case.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 bin/pveupdate | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/bin/pveupdate b/bin/pveupdate
index 9984c9369..c5356c885 100755
--- a/bin/pveupdate
+++ b/bin/pveupdate
@@ -125,7 +125,10 @@ eval {
         PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
     };
 
-    if (PVE::Certificate::check_expiry($certpath, time() + 14 * 24 * 60 * 60)) {
+    if (PVE::Certificate::check_expiry($certpath)) {
+        # already expired
+        $renew->("expired, renewing...");
+    } elsif (PVE::Certificate::check_expiry($certpath, time() + 14 * 24 * 60 * 60)) {
         # expires in next 2 weeks
         $renew->("expires soon, renewing...");
     } elsif (!PVE::Certificate::check_expiry($certpath, time() + 2 * 365 * 24 * 60 * 60)) {
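Review bot: the new first branch calls `check_expiry($certpath)` with no second argument, so the "already expired" semantics rest on that function defaulting to the current time; passing `time()` explicitly, or extending the `# already expired` comment with that fact, would make it obvious from the call site. The ordering is right and matters: an expired certificate also satisfies the `time() + 14 * 24 * 60 * 60` test in the `elsif`, so only putting the expired check first yields the "expired, renewing..." message.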
-- 
2.47.3





* Re: [pve-devel] [PATCH manager 1/2] fix #6779: pveupdate: renew already expired certificates
From: Fiona Ebner @ 2025-10-22 13:09 UTC (permalink / raw)
  To: Proxmox VE development discussion, Fabian Grünbichler

On 09.09.25 at 12:05 PM, Fabian Grünbichler wrote:
> if nodes are offline for a longer period of time, they might not be renewed by
> pveupdate before they expire. the `verify` call here just serves as an
> extra safeguard to prevent accidental overwriting of certificates not actually
> signed by the cluster CA, checking the expiry time serves no purpose.
> 
> Suggested-by: Stephane Chazelas
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

Reviewed-by: Fiona Ebner <f.ebner@proxmox.com>

> ---
> verified by manually creating an expired and a soon-to-be-expired certificate.
> 
>  bin/pveupdate | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/bin/pveupdate b/bin/pveupdate
> index 757cac868..9984c9369 100755
> --- a/bin/pveupdate
> +++ b/bin/pveupdate
> @@ -111,7 +111,10 @@ eval {
>  
>          # check if cert is really signed by the ca
>          # TODO: replace by low level ssleay interface if version 1.86 is available
> -        PVE::Tools::run_command(['/usr/bin/openssl', 'verify', '-CAfile', $capath, $certpath]);
> +        my $cmd = [
> +            '/usr/bin/openssl', 'verify', '-no_check_time', '-CAfile', $capath, '--', $certpath,
> +        ];
> +        PVE::Tools::run_command($cmd);
>  
>          print "PVE certificate $msg\n";
>          # create new certificate
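Review bot: the `# TODO: replace by low level ssleay interface` comment directly above the changed call now has to be read together with `-no_check_time`; whoever does that replacement must keep the "verify the chain, ignore the validity period" behaviour, otherwise nodes that were offline past their certificate's expiry regress to the pre-#6779 state. Suggest extending the TODO with that requirement so it does not get lost.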





* Re: [pve-devel] [PATCH manager 2/2] pveupdate: improve cert renew log messages
From: Fiona Ebner @ 2025-10-22 13:09 UTC (permalink / raw)
  To: Proxmox VE development discussion, Fabian Grünbichler

On 09.09.25 at 12:05 PM, Fabian Grünbichler wrote:
> by explicitly checking for already expired certificates and adapting the
> message in that case.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

Reviewed-by: Fiona Ebner <f.ebner@proxmox.com>

> ---
>  bin/pveupdate | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/bin/pveupdate b/bin/pveupdate
> index 9984c9369..c5356c885 100755
> --- a/bin/pveupdate
> +++ b/bin/pveupdate
> @@ -125,7 +125,10 @@ eval {
>          PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
>      };
>  
> -    if (PVE::Certificate::check_expiry($certpath, time() + 14 * 24 * 60 * 60)) {
> +    if (PVE::Certificate::check_expiry($certpath)) {
> +        # already expired
> +        $renew->("expired, renewing...");
> +    } elsif (PVE::Certificate::check_expiry($certpath, time() + 14 * 24 * 60 * 60)) {
>          # expires in next 2 weeks
>          $renew->("expires soon, renewing...");
>      } elsif (!PVE::Certificate::check_expiry($certpath, time() + 2 * 365 * 24 * 60 * 60)) {
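Review bot: `14 * 24 * 60 * 60` and `2 * 365 * 24 * 60 * 60` are now spelled out in adjacent branches; named variables for the two windows (a suggestion, e.g. `$renew_window` and `$max_age`) would make the three thresholds (now, two weeks, two years) easier to scan. The two `$renew->(...)` calls also differ only in their message string, so a single call with a ternary would do, though the explicit branches are arguably clearer.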





* [pve-devel] applied-series: [PATCH manager 1/2] fix #6779: pveupdate: renew already expired certificates
From: Fabian Grünbichler @ 2025-10-23  8:20 UTC (permalink / raw)
  To: pve-devel, Fabian Grünbichler


On Tue, 09 Sep 2025 12:04:47 +0200, Fabian Grünbichler wrote:
> if nodes are offline for a longer period of time, they might not be renewed by
> pveupdate before they expire. the `verify` call here just serves as an
> extra safeguard to prevent accidental overwriting of certificates not actually
> signed by the cluster CA, checking the expiry time serves no purpose.
> 
> 

Applied with Fiona's R-b, thanks!

[1/2] fix #6779: pveupdate: renew already expired certificates
      commit: 6ec35c4ff917512d9091d97b602a0188d435aeeb
[2/2] pveupdate: improve cert renew log messages
      commit: 351df678af73ea63748637ce3859ff87d85090e9

Best regards,
-- 
Fabian Grünbichler <f.gruenbichler@proxmox.com>


