From: Shannon Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [RFC datacenter-manager/proxmox{,-backup} 00/10] TLS Certificate Rotation
Date: Tue, 7 Apr 2026 15:57:04 +0200
Message-ID: <20260407135714.490747-1-s.sterz@proxmox.com>

this series adds certificate rotation to Proxmox Backup Server and Proxmox
Datacenter Manager. currently, both products issue a certificate that is valid
for almost 1000 years (365000 days). no cryptographic key can reasonably be
considered secure for this amount of time. this series:

- allows specifying the lifetime of the certificate when creating one via
  proxmox-acme-api and reduces the default to 3650 days (almost ten years).
- sends and logs reminders 30 days before a certificate expires (pdm currently
  does not support the notification framework yet, so adding notifications is
  left as future work here).
- refreshes a certificate at the earliest 15 days before it expires, logs
  and notifies when that happens.
- warns on certificates with excessive lifetimes (>3650 days) and documents
  how to manually update them.
- for pdm: exposes cert handling cli methods in proxmox-datacenter-manager-admin.

sending this as an rfc mainly because there are some open questions for me
about the chosen time frames for the lifetime and renewal periods.

## Testing

the easiest way to test this is to manipulate the date of the host with
`date --set` and then manually trigger the daily update binary for each product:

* PBS: `/usr/lib/x86_64-linux-gnu/proxmox-backup/proxmox-daily-update`
* PDM: `/usr/libexec/proxmox/proxmox-datacenter-manager-daily-update`

you can then check the logs and the certificate itself to see what happened.
specifying the `PBS_LOG` with the parameter `trace` or `debug` will also enable
debug logging here.

## Open Questions

+ 10 years is still a long time and i'd rather reduce that further down if
  possible. see the first patch for proxmox-acme-api for more info.
+ should we remove pre-existing long lasting certificates by ourselves? imo
  that is too risky at the moment given that an unplanned certificate rotation
  could cause backups to fail.
+ notifying every day for 15 days before the renewal might be excessive, see
  the second commit for pbs.

## Future Work

- pve and pdm should be extended to allow automatically updating allowed
  fingerprints before a new self-signed certificate goes into action. this will
  be handled in a follow-up series. if this series is applied, we have ten years
  to implement such a mechanism before any setups are realistically expected to
  break.
- pdm should send notifications similar to pbs once support for notifications
  is added.

proxmox:
Shannon Sterz (1):
acme-api: make self-signed certificate expiry configurable
proxmox-acme-api/src/certificate_helpers.rs | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
backup:
Shannon Sterz (5):
config: use proxmox_acme_api for generating self-signed certificates
config: adapt to api change in proxmox_acme_api, add expiry paramter
config/server/api: add certificate renewal logic including
notifications
daily-update/docs: warn on excessive self-signed certificate lifetime
backup-manager cli: `cert update` can create auth and csrf key
debian/proxmox-backup-server.install | 4 +
docs/certificate-management.rst | 31 ++++++
src/api2/node/certificates.rs | 44 +++++++++
src/bin/proxmox-daily-update.rs | 32 +++++++
src/bin/proxmox_backup_manager/cert.rs | 2 +
src/config/mod.rs | 96 ++-----------------
src/server/notifications/mod.rs | 50 ++++++++++
templates/Makefile | 62 ++++++------
templates/default/cert-refresh-body.txt.hbs | 8 ++
.../default/cert-refresh-subject.txt.hbs | 1 +
.../cert-upcoming-refresh-body.txt.hbs | 9 ++
.../cert-upcoming-refresh-subject.txt.hbs | 1 +
12 files changed, 225 insertions(+), 115 deletions(-)
create mode 100644 templates/default/cert-refresh-body.txt.hbs
create mode 100644 templates/default/cert-refresh-subject.txt.hbs
create mode 100644 templates/default/cert-upcoming-refresh-body.txt.hbs
create mode 100644 templates/default/cert-upcoming-refresh-subject.txt.hbs
datacenter-manager:
Shannon Sterz (4):
certs: adapt to api change in proxmox_acme_api, add expiry paramter
api/auth/bin: add certificate renewal logic
cli: expose certificate management endpoints via the cli
daily-update/docs: warn on excessive tls certificate validity periods
cli/admin/Cargo.toml | 2 +
cli/admin/src/cert.rs | 86 +++++++++++++++++++
cli/admin/src/main.rs | 2 +
docs/certificate-management.rst | 31 +++++++
server/Cargo.toml | 1 +
server/src/api/nodes/certificates.rs | 48 +++++++++++
server/src/auth/certs.rs | 4 +-
...proxmox-datacenter-manager-daily-update.rs | 30 +++++++
8 files changed, 203 insertions(+), 1 deletion(-)
create mode 100644 cli/admin/src/cert.rs
Summary over all repositories:
21 files changed, 430 insertions(+), 117 deletions(-)
--
Generated by murpp 0.10.0
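
The time frames listed in the cover letter above (reminders from 30 days before expiry, refresh at the earliest 15 days before expiry, warning above 3650 days of lifetime), sketched as an added example that is not code from this series. The names `daily_check` and `simulate`, the sample certificate and the inclusive boundaries are assumptions made here; the simulation stands in for stepping the host clock with `date --set`.

```rust
// Added illustration, not code from the patch series. Thresholds come from the
// cover letter; boundary handling (inclusive/exclusive) is an assumption.
const DAY: i64 = 86_400;
const MAX_LIFETIME_DAYS: i64 = 3650; // new default lifetime, also the warning limit
const REMIND_DAYS: i64 = 30; // reminders start this many days before expiry
const RENEW_DAYS: i64 = 15; // earliest point at which the certificate is refreshed

#[derive(Debug, PartialEq, Clone, Copy)]
enum Action { Nothing, Remind, Renew }

/// Decide what one daily-update run does for a certificate valid from
/// `not_before` to `not_after` (Unix seconds) when the clock reads `now`.
/// Returns the action and whether the excessive-lifetime warning applies.
fn daily_check(not_before: i64, not_after: i64, now: i64) -> (Action, bool) {
    let excessive = not_after - not_before > MAX_LIFETIME_DAYS * DAY;
    let remaining = not_after - now; // negative once the certificate has expired
    let action = if remaining <= RENEW_DAYS * DAY {
        Action::Renew
    } else if remaining <= REMIND_DAYS * DAY {
        Action::Remind
    } else {
        Action::Nothing
    };
    (action, excessive)
}

/// Run the check once per day for `days` days starting at `start` and count
/// the reminders sent before the first renewal (returned as a day offset).
fn simulate(not_before: i64, not_after: i64, start: i64, days: i64) -> (i64, Option<i64>) {
    let mut reminders = 0;
    for d in 0..days {
        match daily_check(not_before, not_after, start + d * DAY).0 {
            Action::Remind => reminders += 1,
            Action::Renew => return (reminders, Some(d)),
            Action::Nothing => {}
        }
    }
    (reminders, None)
}

fn main() {
    let (nb, na) = (0, 3650 * DAY); // constructed certificate with the new default lifetime
    let (reminders, renewed_on) = simulate(nb, na, na - 40 * DAY, 40);
    println!("reminders sent: {}, renewed on day {:?}", reminders, renewed_on);
    println!("365000-day cert: {:?}", daily_check(0, 365_000 * DAY, DAY));
}
```

Under these assumptions a daily run sends one reminder per day between the 30-day and 15-day marks, which is the volume the open question about notification frequency refers to.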