From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Tue, 17 Mar 2026 17:07:43 +0100
From: Arthur Bied-Charreton
To: Thomas Lamprecht
CC: pve-devel@lists.proxmox.com
Subject: Re: [PATCH pve-cluster v3 2/3] Convert SSL cert generation config to CLI arguments
References: <20260317142206.482976-1-a.bied-charreton@proxmox.com> <20260317142206.482976-3-a.bied-charreton@proxmox.com> <20d37ec8-114f-4311-96fa-52736db2c522@proxmox.com>
In-Reply-To: <20d37ec8-114f-4311-96fa-52736db2c522@proxmox.com>
Message-ID-Hash: GCRFNFLQSPK3DGZ765W6MNW2AIXTIDOT
X-MailFrom: a.bied-charreton@proxmox.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Proxmox VE development discussion

On Tue, Mar 17, 2026 at 05:00:20PM +0100, Thomas Lamprecht wrote:
> On 17.03.26 at 15:22, Arthur Bied-Charreton wrote:
> > Replace temporary OpenSSL config file with direct CLI arguments in PVE
> > node SSL cert generation.
> >
> > Changes:
> > - Use '-subj' flag for distinguished name
> > - Use '-addext' flag for cert extensions
> > - Use '-copy_extensions copyall' to copy extensions from CSR to cert
> > - Remove temp config file and cleanup code
>
> IMO an odd way to write a commit message, especially as I can see most of
> that from checking the, well, actual changes below... And only some parts
> got picked out.
>

Good point, will rewrite this.

> Also, the 2048 bit is just silently dropped, is that implied somewhere?
> Such things should be actually mentioned. Please recheck all settings
> yourself to ensure this is a complete change.
>

Yes, 2048 is the default (/etc/ssl/openssl.cnf). I should have made that
clear in the commit message. Will add it in v4.
> > As suggested here: > > https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t > > would be good to include some actual rationale, not just the link, as > unlike the changes described above I cannot just get that from the diff > or rest of the commit's info. > Thanks for the feedback! > > > > > > Signed-off-by: Arthur Bied-Charreton > > --- > > src/PVE/Cluster/Setup.pm | 41 +++++++++------------------------------- > > 1 file changed, 9 insertions(+), 32 deletions(-) > > > > diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm > > index 4f528ba..b9cacfd 100644 > > --- a/src/PVE/Cluster/Setup.pm > > +++ b/src/PVE/Cluster/Setup.pm > > @@ -504,33 +504,6 @@ sub gen_pve_ssl_cert { > > $names .= ",DNS:$fqdn"; > > } > > > > - my $sslconf = <<__EOD; > > -RANDFILE = /root/.rnd > > -extensions = v3_req > > - > > -[ req ] > > -default_bits = 2048 > > -distinguished_name = req_distinguished_name > > -req_extensions = v3_req > > -prompt = no > > -string_mask = nombstr > > - > > -[ req_distinguished_name ] > > -organizationalUnitName = PVE Cluster Node > > -organizationName = Proxmox Virtual Environment > > -commonName = $fqdn > > - > > -[ v3_req ] > > -basicConstraints = CA:FALSE > > -extendedKeyUsage = serverAuth > > -subjectAltName = $names > > -__EOD > > - > > - my $cfgfn = "/tmp/pvesslconf-$$.tmp"; > > - my $fh = IO::File->new($cfgfn, "w"); > > - print $fh $sslconf; > > - close($fh); > > - > > my $reqfn = "/tmp/pvecertreq-$$.tmp"; > > unlink $reqfn; 
> > > > @@ -541,18 +514,23 @@ __EOD > > 'req', > > '-batch', > > '-new', > > - '-config', > > - $cfgfn, > > '-key', > > $pvessl_key_fn, > > '-out', > > $reqfn, > > + '-subj', > > + "/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=$fqdn", > > + '-addext', > > + 'basicConstraints=CA:FALSE', > > + '-addext', > > + 'extendedKeyUsage=serverAuth', > > + '-addext', > > + "subjectAltName=$names", > > ]); > > }; > > > > if (my $err = $@) { > > unlink $reqfn; > > - unlink $cfgfn; > > die "unable to generate pve certificate request:\n$err"; > > } > > > > @@ -581,13 +559,12 @@ __EOD > > 'openssl', 'x509', '-req', '-in', $reqfn, '-days', $daysleft, '-out', > > $pvessl_cert_fn, > > '-CAkey', $pveca_key_fn, '-CA', $pveca_cert_fn, '-CAserial', $pveca_srl_fn, > > - '-extfile', $cfgfn, > > + '-copy_extensions', 'copyall', > > ]); > > }; > > my $err = $@; > > > > unlink $reqfn or $!{ENOENT} or warn "failed to clean up '$reqfn' - $!"; > > - unlink $cfgfn or $!{ENOENT} or warn "failed to clean up '$cfgfn' - $!"; > > > > die "unable to generate pve ssl certificate:\n$err" if $err; > > } >
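Review bot: the removed heredoc in the first hunk (@@ -504,33 +504,6 @@) drops more settings than the three that reappear as `-addext` arguments, and the commit message should account for each one. `default_bits = 2048` only governs key generation inside `req`; this call passes `-key $pvessl_key_fn`, so the setting never took effect on this path, which is a stronger statement than pointing at the /etc/ssl/openssl.cnf default. `string_mask = nombstr` did affect output: it restricted the ASN.1 string types used to encode the subject DN, and with `-subj` the library default applies instead, so the encoding of the OU/O/CN attributes in freshly generated node certificates may differ from what existing certificates carry; that is harmless for a leaf certificate but is exactly the kind of silent change the message should name. `RANDFILE = /root/.rnd` has been unnecessary since the OpenSSL 1.1.1 CSPRNG rework, and `prompt = no` is subsumed by `-batch` together with `-subj`.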
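Review bot: in the second hunk (@@ -541,18 +514,23 @@) `-addext` requires OpenSSL 1.1.1 or later, so the commit message, or the package's openssl dependency, should state the version floor this change introduces. The `-subj` string keeps the OU, O, CN attribute order of the old `[ req_distinguished_name ]` section, which is good to say explicitly. Since `$fqdn` is now interpolated into a `-subj` value where `/` is the RDN separator and a leading `+` starts a multi-valued RDN, a one-line comment above the `'-subj'` argument recording that `$fqdn` is a hostname (and therefore cannot contain either) would document the assumption for the next reader.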
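Review bot: in the third hunk (@@ -581,13 +559,12 @@) `-copy_extensions` for `openssl x509 -req` only exists from OpenSSL 3.0 on, whereas the `-extfile` it replaces worked on older releases; this raises the version floor further than `-addext` does and should be called out. The semantic shift also deserves a comment in the code: with `-extfile $cfgfn` the CA side dictated the extensions from a fixed `[ v3_req ]` section regardless of the CSR, while `'-copy_extensions', 'copyall'` takes whatever the request carries. That is equivalent today only because the CSR is built a few lines earlier in the same function from `$fqdn` and `$names`; a short comment next to the `copyall` argument stating that this code path must only ever sign the CSR it generated itself would preserve that invariant against future refactoring.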