From: Shannon Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox 01/10] acme-api: make self-signed certificate expiry configurable
Date: Tue, 7 Apr 2026 15:57:05 +0200
Message-ID: <20260407135714.490747-2-s.sterz@proxmox.com>
In-Reply-To: <20260407135714.490747-1-s.sterz@proxmox.com>
References: <20260407135714.490747-1-s.sterz@proxmox.com>
List-Id: Proxmox Backup Server development discussion

and change the default from 365000 days (almost 1000 years) to 3650 days
(almost 10 years). almost 1000 years is excessive, as no practical
cryptographic key can reasonably be considered safe for that amount of
time. almost 10 years should still give plenty of time to prepare for
certificate changes.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
Notes:
    imo, we could go down even more. as far as i am aware there is no real
    limit that is being enforced here for self-signed certificates from a
    browser perspective. they are already trusted on an exemption-basis
    anyway. however, certificates signed by public CAs will only be valid
    for a maximum of 47 days by 2029 [1]. hence, i would personally either
    adopt the same limit or go down to a year, as a sensible middle-ground.
    certificate rotation should really be automated even in self-signed
    scenarios.

    we also had cases in the past, where customers already ran into issues
    because they wanted to limit the lifetime of their certificates below
    30 days [2]. meaning that there is a need out there for shorter lived
    certificates (though, in that case a custom CA & ACME setup was used).

    [1]: https://github.com/cabforum/servercert/pull/553
    [2]: https://bugzilla.proxmox.com/show_bug.cgi?id=6372

 proxmox-acme-api/src/certificate_helpers.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/proxmox-acme-api/src/certificate_helpers.rs b/proxmox-acme-api/src/certificate_helpers.rs index a4fe153a..c09bd65c 100644 --- a/proxmox-acme-api/src/certificate_helpers.rs +++ b/proxmox-acme-api/src/certificate_helpers.rs @@ -214,6 +214,7 @@ pub fn create_self_signed_cert( product_name: &str, nodename: &str, domain: Option<&str>, + expire: Option, ) -> Result<(PKey, X509), Error> { let rsa = Rsa::generate(4096).unwrap(); @@ -223,7 +224,7 @@ pub fn create_self_signed_cert( let today = openssl::asn1::Asn1Time::days_from_now(0)?; x509.set_not_before(&today)?; - let expire = openssl::asn1::Asn1Time::days_from_now(365 * 1000)?; + let expire = openssl::asn1::Asn1Time::days_from_now(expire.unwrap_or(365 * 10))?; x509.set_not_after(&expire)?; let mut fqdn = nodename.to_owned();
-- 
2.47.3
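Review bot: in the first hunk, the new `expire` parameter of `create_self_signed_cert` carries neither a unit nor a doc comment, although the second hunk consumes it as a day count via `Asn1Time::days_from_now`; name it `expire_days` (or document it as "lifetime in days, 10 years when `None`") so callers do not hand in seconds, hours or a timestamp, and so the defaulting behaviour is visible at the signature rather than only in the body.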
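Review bot: in the second hunk, `expire.unwrap_or(365 * 10)` applies no bounds to the caller-supplied value. With `Some(0)` the computed `expire` equals the `today` value set as notBefore two lines above, so the certificate is already expired when it is written out, and an arbitrarily large value silently reintroduces the thousand-year lifetime this commit argues against. Validate the day count before the OpenSSL call (reject 0, and cap it at whatever maximum the API schema will advertise), and move the `365 * 10` default into a named constant so the schema default and the code default cannot drift apart once the option becomes configurable.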