From: Shannon Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox-backup 02/10] config: use proxmox_acme_api for generating self-signed certificates
Date: Tue,  7 Apr 2026 15:57:06 +0200	[thread overview]
Message-ID: <20260407135714.490747-3-s.sterz@proxmox.com> (raw)
In-Reply-To: <20260407135714.490747-1-s.sterz@proxmox.com>

to avoid duplicating almost identical code here, re-use the version
from `proxmox_acme_api::create_self_signed_cert`. proxmox backup
server already depends on `proxmox_acme_api` and the code is identical
apart from handling arguments. no functional change intended.

Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 src/config/mod.rs | 93 ++++-------------------------------------------
 1 file changed, 7 insertions(+), 86 deletions(-)

diff --git a/src/config/mod.rs b/src/config/mod.rs
index 2de76bb1..3d48a25e 100644
--- a/src/config/mod.rs
+++ b/src/config/mod.rs
@@ -5,9 +5,6 @@
 
 use anyhow::{bail, format_err, Error};
 use nix::sys::stat::Mode;
-use openssl::pkey::PKey;
-use openssl::rsa::Rsa;
-use openssl::x509::X509Builder;
 use std::path::Path;
 
 use proxmox_lang::try_block;
@@ -89,92 +86,16 @@ pub fn update_self_signed_cert(force: bool) -> Result<(), Error> {
     if key_path.exists() && cert_path.exists() && !force {
         return Ok(());
     }
-
-    let rsa = Rsa::generate(4096).unwrap();
-
-    let priv_pem = rsa.private_key_to_pem()?;
-
-    let mut x509 = X509Builder::new()?;
-
-    x509.set_version(2)?;
-
-    let today = openssl::asn1::Asn1Time::days_from_now(0)?;
-    x509.set_not_before(&today)?;
-    let expire = openssl::asn1::Asn1Time::days_from_now(365 * 1000)?;
-    x509.set_not_after(&expire)?;
-
-    let nodename = proxmox_sys::nodename();
-    let mut fqdn = nodename.to_owned();
-
     let resolv_conf = crate::api2::node::dns::read_etc_resolv_conf()?;
-    if let Some(search) = resolv_conf["search"].as_str() {
-        fqdn.push('.');
-        fqdn.push_str(search);
-    }
 
-    // we try to generate an unique 'subject' to avoid browser problems
-    //(reused serial numbers, ..)
-    let uuid = proxmox_uuid::Uuid::generate();
+    let (priv_key, cert) = proxmox_acme_api::create_self_signed_cert(
+        "Proxmox Backup Server",
+        proxmox_sys::nodename(),
+        resolv_conf["search"].as_str(),
+    )?;
 
-    let mut subject_name = openssl::x509::X509NameBuilder::new()?;
-    subject_name.append_entry_by_text("O", "Proxmox Backup Server")?;
-    subject_name.append_entry_by_text("OU", &format!("{uuid:X}"))?;
-    subject_name.append_entry_by_text("CN", &fqdn)?;
-    let subject_name = subject_name.build();
-
-    x509.set_subject_name(&subject_name)?;
-    x509.set_issuer_name(&subject_name)?;
-
-    let bc = openssl::x509::extension::BasicConstraints::new(); // CA = false
-    let bc = bc.build()?;
-    x509.append_extension(bc)?;
-
-    let usage = openssl::x509::extension::ExtendedKeyUsage::new()
-        .server_auth()
-        .build()?;
-    x509.append_extension(usage)?;
-
-    let context = x509.x509v3_context(None, None);
-
-    let mut alt_names = openssl::x509::extension::SubjectAlternativeName::new();
-
-    alt_names.ip("127.0.0.1");
-    alt_names.ip("::1");
-
-    alt_names.dns("localhost");
-
-    if nodename != "localhost" {
-        alt_names.dns(nodename);
-    }
-    if nodename != fqdn {
-        alt_names.dns(&fqdn);
-    }
-
-    let alt_names = alt_names.build(&context)?;
-
-    x509.append_extension(alt_names)?;
-
-    let pub_pem = rsa.public_key_to_pem()?;
-    let pubkey = PKey::public_key_from_pem(&pub_pem)?;
-
-    x509.set_pubkey(&pubkey)?;
-
-    let context = x509.x509v3_context(None, None);
-    let ext = openssl::x509::extension::SubjectKeyIdentifier::new().build(&context)?;
-    x509.append_extension(ext)?;
-
-    let context = x509.x509v3_context(None, None);
-    let ext = openssl::x509::extension::AuthorityKeyIdentifier::new()
-        .keyid(true)
-        .build(&context)?;
-    x509.append_extension(ext)?;
-
-    let privkey = PKey::from_rsa(rsa)?;
-
-    x509.sign(&privkey, openssl::hash::MessageDigest::sha256())?;
-
-    let x509 = x509.build();
-    let cert_pem = x509.to_pem()?;
+    let cert_pem = cert.to_pem()?;
+    let priv_pem = priv_key.private_key_to_pem_pkcs8()?;
 
     set_proxy_certificate(&cert_pem, &priv_pem)?;
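Review bot: The private key written through `set_proxy_certificate` changes on-disk format despite the "no functional change intended" note: the removed code serialized with `rsa.private_key_to_pem()` (PKCS#1, `BEGIN RSA PRIVATE KEY`), while the new line `let priv_pem = priv_key.private_key_to_pem_pkcs8()?;` emits PKCS#8 (`BEGIN PRIVATE KEY`). OpenSSL-based readers accept both, but any external tooling or documentation that matches on the PEM header would observe the difference, so it is worth either stating this in the commit message or, if the helper hands back an RSA `PKey` (not verifiable from this hunk), preserving the old encoding with `priv_key.rsa()?.private_key_to_pem()?`. At minimum I would add a comment above the new line: `// PKCS#8 encoding; older installs wrote PKCS#1 ("BEGIN RSA PRIVATE KEY"), both load fine with OpenSSL`. The key size, validity period and SAN set now live inside `proxmox_acme_api::create_self_signed_cert`, so they cannot be confirmed identical from this diff alone. `update_self_signed_cert` continues past the end of the hunk.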
 
-- 
2.47.3




