From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from gate001.proxmox.com (gate001.proxmox.com [45.144.208.40]) by lore.proxmox.com (Postfix) with ESMTPS id 890061FF0E7 for ; Fri, 10 Jul 2026 13:18:03 +0200 (CEST) Received: from gate001.proxmox.com (localhost.localdomain [127.0.0.1]) by gate001.proxmox.com (Proxmox) with ESMTP id 57EB62144A; Fri, 10 Jul 2026 13:18:03 +0200 (CEST) Content-Type: text/plain; charset=UTF-8 Date: Fri, 10 Jul 2026 13:17:28 +0200 Message-Id: Subject: Re: [PATCH datacenter-manager 08/11] api/auth/bin: add certificate renewal logic From: "Lukas Wagner" To: "Shannon Sterz" , Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Mailer: aerc 0.21.0-0-g5549850facc2-dirty References: <20260618115443.48618-1-s.sterz@proxmox.com> <20260618115443.48618-9-s.sterz@proxmox.com> In-Reply-To: <20260618115443.48618-9-s.sterz@proxmox.com> X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1783682237763 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.000 Adjusted score from AWL reputation of From: address DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment (newer systems) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: WDJYJUYJPR3HW5Q5BIC2LNGTS5XNQEED X-Message-ID-Hash: WDJYJUYJPR3HW5Q5BIC2LNGTS5XNQEED X-MailFrom: l.wagner@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Datacenter Manager development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On Thu Jun 18, 2026 at 1:54 PM CEST, Shannon Sterz wrote: > + pub SELF_SIGNED_REGEX =3D concatcp!( > + r#"^O\s?=3D\s?"#, > + crate::auth::certs::PRODUCT_NAME, > + r#", OU\s?=3D\s?[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]= {12}, CN\s?=3D\s?(?.*)$"# > + ); > +} > + > pub const ROUTER: Router =3D Router::new() > .get(&list_subdirs_api_method!(SUBDIRS)) > .subdirs(SUBDIRS); > @@ -247,6 +258,43 @@ pub fn cert_expires_soon() -> Result { > .map_err(|err| format_err!("Failed to check certificate expirati= on date: {}", err)) > } > =20 > +/// Check whether the current certificate is self-signed and returns the= remaining days the > +/// certificate is valid for. > +pub fn self_signed_cert_expires_in() -> Result, Error> { This helper seems very similar to the one you added in PBS, would it make sense to move it to some shared crate? > + let cert =3D get_certificate_info()?; > + > + let Some(captures) =3D (SELF_SIGNED_REGEX.regex_obj)().captures(&cer= t.issuer) else { > + return Ok(None); > + }; > + > + let mut fqdn =3D proxmox_sys::nodename().to_owned(); > + let resolv_conf =3D read_etc_resolv_conf(None)?.config; > + > + if let Some(domain) =3D resolv_conf.search { > + fqdn.push('.'); > + fqdn.push_str(&domain); > + } > + > + if captures["fqdn"] !=3D fqdn { > + return Ok(None); > + } > + > + let now =3D Asn1Time::from_unix(proxmox_time::epoch_i64())?; > + let not_after =3D Asn1Time::from_unix(cert.notafter.ok_or_else(|| { > + format_err!("Could not get \"not after\" epoch for current certi= ficate.") > + })?)?; > + > + let diff =3D now.diff(¬_after)?; > + Ok(Some(diff.days)) > +}