From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from gate001.proxmox.com (gate001.proxmox.com [45.144.208.40]) by lore.proxmox.com (Postfix) with ESMTPS id 6CB5B1FF0E7 for ; Fri, 10 Jul 2026 13:17:56 +0200 (CEST) Received: from gate001.proxmox.com (localhost.localdomain [127.0.0.1]) by gate001.proxmox.com (Proxmox) with ESMTP id 444112143D; Fri, 10 Jul 2026 13:17:56 +0200 (CEST) Content-Type: text/plain; charset=UTF-8 Date: Fri, 10 Jul 2026 13:17:21 +0200 Message-Id: Subject: Re: [PATCH proxmox-backup 05/11] daily-update/docs: warn on excessive self-signed certificate lifetime From: "Lukas Wagner" To: "Shannon Sterz" , Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Mailer: aerc 0.21.0-0-g5549850facc2-dirty References: <20260618115443.48618-1-s.sterz@proxmox.com> <20260618115443.48618-6-s.sterz@proxmox.com> In-Reply-To: <20260618115443.48618-6-s.sterz@proxmox.com> X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1783682230701 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.000 Adjusted score from AWL reputation of From: address DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment (newer systems) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: PHQCEJJITNNRMRVN3AMFCGEXSDA7XHIX X-Message-ID-Hash: PHQCEJJITNNRMRVN3AMFCGEXSDA7XHIX X-MailFrom: l.wagner@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Datacenter Manager development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Just nit-picking here, but I think the daily-update part should be a separate commit. On Thu Jun 18, 2026 at 1:54 PM CEST, Shannon Sterz wrote: > and document how to renew it. an excessive lifetime is reported when > the lifetime of the certificate exceeds 3650 days (almost ten years), > which corresponds to the default lifetime generated by > proxmox-acme-api. > > Signed-off-by: Shannon Sterz > --- > docs/certificate-management.rst | 31 +++++++++++++++++++++++++++++++ > src/bin/proxmox-daily-update.rs | 4 ++++ > 2 files changed, 35 insertions(+) > > diff --git a/docs/certificate-management.rst b/docs/certificate-managemen= t.rst > index 89f628049..722d8d88b 100644 > --- a/docs/certificate-management.rst > +++ b/docs/certificate-management.rst > @@ -333,3 +333,34 @@ Test your new certificate, using your browser. > =20 > .. [1] > acme.sh https://github.com/acmesh-official/acme.sh > + > +Manually Renew Self-signed Certificates > +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > + > +Proxmox Backup Server creates and renews a self-signed certificate if no= custom > +or ACME certificate is provided. Older versions issued a certificate tha= t was > +valid for almost 1000 years and did not renew this certificate. Beginnin= g with > +version 4.2, new setups use shorter lived certificates that will be regu= larly Should be 'shorter-lived' with a hyphen, I believe. > +renewed. Old self-signed certificates are not replaced in order to not d= isrupt > +existing backup setups. In such cases, the following line is logged: > + > +.. code-block:: console > + > + Apr 04 12:17:51 pbs proxmox-daily-update[1170]: Self-signed certifica= te is valid for an excessive amount of time. Please renew it. > + > +To manually renew a certificate, navigate to Configuration -> Certificat= es. > +Select the certificate ``proxy.pem``. Then click the "Delete Custom > +Certificate" button. Alternatively, you can run the following command: > + > +.. code-block:: shell > + > + proxmox-backup-manager cert update --force > + > +.. WARNING:: Any client using a fingerprint to verify TLS sessions with = the > + server will need to be updated with the new fingerprint. This include= s any > + Proxmox VE instance that may use it as a backup destination. > + > +After manually renewing the certificate once, Proxmox Backup Server will= start > +renewing the certificate itself. A certificate will be renewed at the ea= rliest > +15 days before it expires. Starting from 30 days before it expires, > +notifications will be issued with a reminder about the upcoming renewal. > diff --git a/src/bin/proxmox-daily-update.rs b/src/bin/proxmox-daily-upda= te.rs > index ffeb46e49..71fd653ce 100644 > --- a/src/bin/proxmox-daily-update.rs > +++ b/src/bin/proxmox-daily-update.rs > @@ -113,6 +113,10 @@ async fn renew_self_signed_certificate() -> Result<(= ), Error> { > } else if days <=3D 30 { > log::info!("Certificate expires within 30 days, notify about ren= ewal."); > send_upcoming_self_signed_renewal_notification()?; > + } else if days > 365 * 10 { > + log::warn!( > + "Self-signed certificate is valid for an excessive amount of= time. Please renew it." > + ); > } > =20 > Ok(())