From: "Shannon Sterz" <s.sterz@proxmox.com>
To: "Shannon Sterz" <s.sterz@proxmox.com>, <pve-devel@lists.proxmox.com>
Subject: Superseded: Re: [PATCH manager] certificate: make sure that any new certificate and key match
Date: Wed, 06 May 2026 14:50:06 +0200 [thread overview]
Message-ID: <DIBLUJONZPL6.11J71CWOO206B@proxmox.com> (raw)
In-Reply-To: <20260506110452.166057-1-s.sterz@proxmox.com>
Superseded: https://lore.proxmox.com/pve-devel/20260506124832.246682-1-s.sterz@proxmox.com/T/#u
On Wed May 6, 2026 at 1:04 PM CEST, Shannon Sterz wrote:
> previously it was possible to upload and set a key and certificate
> combination, that did not match each other. this lead to confusing
> errors as pveproxy would seemingly start, but not actually serve any
> http connections. in a cluster context this leads to "broken pipe"
> errors when connecting to such a misconfigured node. since this is
> rather confusing, verify that a key and certificate can actually be
> used before setting them as the current certificates by loading them
> into a TLS context.
>
> Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
> ---
>
> Notes:
> this came up in the enterprise support and caused quite a bit of
> confusion.
>
> PVE/CertHelpers.pm | 27 +++++++++++++++++++++++++++
> 1 file changed, 27 insertions(+)
>
> diff --git a/PVE/CertHelpers.pm b/PVE/CertHelpers.pm
> index ee945827f..2fc241c24 100644
> --- a/PVE/CertHelpers.pm
> +++ b/PVE/CertHelpers.pm
> @@ -7,6 +7,8 @@ use PVE::Certificate;
> use PVE::JSONSchema;
> use PVE::Tools;
>
> +use Net::SSLeay;
> +
> my $account_prefix = '/etc/pve/priv/acme';
>
> PVE::JSONSchema::register_standard_option(
> @@ -81,6 +83,31 @@ sub set_cert_files {
> PVE::Tools::file_set_contents($cert_path, $cert);
> PVE::Tools::file_set_contents($key_path, $key) if $key;
> $info = PVE::Certificate::get_certificate_info($cert_path);
> +
> + if (my $method = Net::SSLeay::TLS_method()) {
> + my $ctx = Net::SSLeay::CTX_new_with_method($method);
> +
> + eval {
> + Net::SSLeay::CTX_use_certificate_chain_file($ctx, $cert_path)
> + or die "could not load certificate (chain)\n";
> + Net::SSLeay::CTX_use_PrivateKey_file(
> + $ctx,
> + $key_path,
> + Net::SSLeay::FILETYPE_PEM(),
> + ) or die "key does not match the certificate (chain)\n";
> + };
> +
> + my $err = $@;
> +
> + if ($err) {
> + # clean up invalid certificate and key
> + unlink $cert_path;
> + unlink $key_path;
> + die $err;
> + }
> + } else {
> + warn "no TLS method to verify certificate and key match, continuing anyway\n";
> + }
> };
> my $err = $@;
>
prev parent reply other threads:[~2026-05-06 12:50 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-06 11:04 [PATCH manager] certificate: make sure that any new certificate and key match Shannon Sterz
2026-05-06 11:28 ` Daniel Herzig
2026-05-06 11:54 ` Thomas Lamprecht
2026-05-06 12:39 ` Shannon Sterz
2026-05-06 12:50 ` Shannon Sterz [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DIBLUJONZPL6.11J71CWOO206B@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.