From: "Shannon Sterz" <s.sterz@proxmox.com>
To: "Shannon Sterz" <s.sterz@proxmox.com>, <pbs-devel@lists.proxmox.com>
Subject: Re: [RFC datacenter-manager/proxmox{,-backup} 00/10] TLS Certificate Rotation
Date: Wed, 22 Apr 2026 14:42:24 +0200
Message-ID: <DHZOX4PMLN83.2BTDKGFW1VVOA@proxmox.com>
In-Reply-To: <20260407135714.490747-1-s.sterz@proxmox.com>
Superseded-by: https://lore.proxmox.com/pbs-devel/20260422124022.17952-1-s.sterz@proxmox.com/T/#t

On Tue Apr 7, 2026 at 3:57 PM CEST, Shannon Sterz wrote:
> this series adds certificate rotation to Proxmox Backup Server and Proxmox
> Datacenter Manager. currently, both products issue a certificate that is valid
> for almost 1000 years (365000 days). no cryptographic key can reasonably be
> considered secure for this amount of time. this series:
>
> - allows specifying the lifetime of the certificate when creating one via
>   proxmox-acme-api and reduces the default to 3650 days (almost ten years).
> - sends and logs reminders 30 days before a certificate expires (pdm currently
>   does not support the notification framework yet, so adding notifications is
>   left as future work here).
> - refreshes a certificate at the earliest 15 days before it expires, logs
>   and notifies when that happens.
> - warns on certificates with excessive lifetimes (>3650 days) and documents
>   how to manually update them.
> - for pdm: exposes cert handling cli methods in proxmox-datacenter-manager-admin.
>
> sending this as an rfc mainly because there are some open questions for me
> about the chosen time frames for the lifetime and renewal periods.
>
> ## Testing
>
> the easiest way to test this is to manipulate the date of the host with `date
> --set` and then manually trigger the daily update binary for each product:
>
> * PBS: `/usr/lib/x86_64-linux-gnu/proxmox-backup/proxmox-daily-update`
> * PDM: `/usr/libexec/proxmox/proxmox-datacenter-manager-daily-update`
>
> you can then check the logs and the certificate itself to see what happened.
> specifying the `PBS_LOG` with the parameter `trace` or `debug` will also enable
> debug logging here.
>
> ## Open Questions
>
> + 10 years is still a long time and i'd rather reduce that further down if
>   possible. see the first patch for proxmox-acme-api for more info.
> + should we remove pre-existing long lasting certificates by ourselves? imo
>   that is too risky at the moment given that an unplanned certificate rotation
>   could cause backups to fail.
> + notifying every day for 15 days before the renewal might be excessive, see
>   the second commit for pbs.
>
> ## Future Work
>
> - pve and pdm should be extended to allow automatically updating allowed
>   fingerprints before a new self-signed certificate goes into action. this will
>   be handled in a follow-up series. if this series is applied, we have ten years
>   to implement such a mechanism before any setups are realistically expected to
>   break.
> - pdm should send notifications similar to pbs once support for notifications
>   is added.
>
>
> proxmox:
>
> Shannon Sterz (1):
>   acme-api: make self-signed certificate expiry configurable
>
>  proxmox-acme-api/src/certificate_helpers.rs | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
>
> backup:
>
> Shannon Sterz (5):
>   config: use proxmox_acme_api for generating self-signed certificates
>   config: adapt to api change in proxmox_acme_api, add expiry paramter
>   config/server/api: add certificate renewal logic including
>     notifications
>   daily-update/docs: warn on excessive self-signed certificate lifetime
>   backup-manager cli: `cert update` can create auth and csrf key
>
>  debian/proxmox-backup-server.install | 4 +
>  docs/certificate-management.rst | 31 ++++++
>  src/api2/node/certificates.rs | 44 +++++++++
>  src/bin/proxmox-daily-update.rs | 32 +++++++
>  src/bin/proxmox_backup_manager/cert.rs | 2 +
>  src/config/mod.rs | 96 ++-----------------
>  src/server/notifications/mod.rs | 50 ++++++++++
>  templates/Makefile | 62 ++++++------
>  templates/default/cert-refresh-body.txt.hbs | 8 ++
>  .../default/cert-refresh-subject.txt.hbs | 1 +
>  .../cert-upcoming-refresh-body.txt.hbs | 9 ++
>  .../cert-upcoming-refresh-subject.txt.hbs | 1 +
>  12 files changed, 225 insertions(+), 115 deletions(-)
>  create mode 100644 templates/default/cert-refresh-body.txt.hbs
>  create mode 100644 templates/default/cert-refresh-subject.txt.hbs
>  create mode 100644 templates/default/cert-upcoming-refresh-body.txt.hbs
>  create mode 100644 templates/default/cert-upcoming-refresh-subject.txt.hbs
>
>
> datacenter-manager:
>
> Shannon Sterz (4):
>   certs: adapt to api change in proxmox_acme_api, add expiry paramter
>   api/auth/bin: add certificate renewal logic
>   cli: expose certificate management endpoints via the cli
>   daily-update/docs: warn on excessive tls certificate validity periods
>
>  cli/admin/Cargo.toml | 2 +
>  cli/admin/src/cert.rs | 86 +++++++++++++++++++
>  cli/admin/src/main.rs | 2 +
>  docs/certificate-management.rst | 31 +++++++
>  server/Cargo.toml | 1 +
>  server/src/api/nodes/certificates.rs | 48 +++++++++++
>  server/src/auth/certs.rs | 4 +-
>  ...proxmox-datacenter-manager-daily-update.rs | 30 +++++++
>  8 files changed, 203 insertions(+), 1 deletion(-)
>  create mode 100644 cli/admin/src/cert.rs
>
>
> Summary over all repositories:
> 21 files changed, 430 insertions(+), 117 deletions(-)
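
The time frames in the quoted cover letter, replayed as daily runs (an added example, not part of the original mail and not code from the patch series). The names `daily_check` and `reminders_before_renewal`, the boundary comparisons and the order in which the checks are made are assumptions; only the 3650, 30 and 15 day values come from the cover letter.

```rust
// Added illustration, not code from the patch series. The three thresholds
// are the ones named in the cover letter; boundary handling is an assumption.
const DAY: i64 = 86_400;
const MAX_LIFETIME_DAYS: i64 = 3650; // longer lifetimes get a warning
const REMIND_DAYS: i64 = 30; // reminders start this many days before expiry
const RENEW_DAYS: i64 = 15; // earliest point at which the cert is refreshed

#[derive(Debug, PartialEq)]
enum Action { Nothing, WarnExcessiveLifetime, Remind, Renew }

/// Decide what one daily run does for a self-signed certificate.
/// All arguments are Unix timestamps in seconds.
fn daily_check(not_before: i64, not_after: i64, now: i64) -> Action {
    // Floor division keeps the value negative once the cert has expired.
    let remaining = (not_after - now).div_euclid(DAY);
    if remaining <= RENEW_DAYS {
        Action::Renew // also covers already-expired certificates
    } else if remaining <= REMIND_DAYS {
        Action::Remind
    } else if (not_after - not_before) / DAY > MAX_LIFETIME_DAYS {
        Action::WarnExcessiveLifetime
    } else {
        Action::Nothing
    }
}

/// Replay one run per day over the last `days` days before expiry. Returns the
/// number of reminders sent and the days left when the renewal happens.
fn reminders_before_renewal(lifetime_days: i64, days: i64) -> (u32, Option<i64>) {
    let (not_before, not_after) = (0, lifetime_days * DAY);
    let mut reminders = 0;
    for left in (0..=days).rev() {
        match daily_check(not_before, not_after, not_after - left * DAY) {
            Action::Remind => reminders += 1,
            Action::Renew => return (reminders, Some(left)),
            _ => {}
        }
    }
    (reminders, None)
}

fn main() {
    let (n, renewed_at) = reminders_before_renewal(3650, 40);
    println!("reminders sent: {n}, renewed with {renewed_at:?} days left");
    // A 365000-day certificate far from expiry only triggers the lifetime warning.
    println!("{:?}", daily_check(0, 365_000 * DAY, 10 * DAY));
}
```

With one run per day, the reminder window produces the fifteen consecutive notifications that the third open question in the cover letter asks about.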