From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 748BA1FF142 for ; Tue, 07 Apr 2026 15:57:18 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 3BF7C1CD82; Tue, 7 Apr 2026 15:57:53 +0200 (CEST) From: Shannon Sterz To: pbs-devel@lists.proxmox.com Subject: [PATCH proxmox-backup 02/10] config: use proxmox_acme_api for generating self-signed certificates Date: Tue, 7 Apr 2026 15:57:06 +0200 Message-ID: <20260407135714.490747-3-s.sterz@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260407135714.490747-1-s.sterz@proxmox.com> References: <20260407135714.490747-1-s.sterz@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1775570172271 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.124 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: 22VIPZQF25P77OPOEDMSR3UGCAGS6YY3 X-Message-ID-Hash: 22VIPZQF25P77OPOEDMSR3UGCAGS6YY3 X-MailFrom: s.sterz@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Backup Server development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: to avoid duplicating almost identical code here, re-use the version from `proxmox_acme_api::create_self_signed_cert`. proxmox backup server already depends on `proxmox_acme_api` and the code is identical apart from handling arguments. no functional change intended. Signed-off-by: Shannon Sterz --- src/config/mod.rs | 93 ++++------------------------------------------- 1 file changed, 7 insertions(+), 86 deletions(-) diff --git a/src/config/mod.rs b/src/config/mod.rs index 2de76bb1..3d48a25e 100644 --- a/src/config/mod.rs +++ b/src/config/mod.rs @@ -5,9 +5,6 @@ use anyhow::{bail, format_err, Error}; use nix::sys::stat::Mode; -use openssl::pkey::PKey; -use openssl::rsa::Rsa; -use openssl::x509::X509Builder; use std::path::Path; use proxmox_lang::try_block; @@ -89,92 +86,16 @@ pub fn update_self_signed_cert(force: bool) -> Result<(), Error> { if key_path.exists() && cert_path.exists() && !force { return Ok(()); } - - let rsa = Rsa::generate(4096).unwrap(); - - let priv_pem = rsa.private_key_to_pem()?; - - let mut x509 = X509Builder::new()?; - - x509.set_version(2)?; - - let today = openssl::asn1::Asn1Time::days_from_now(0)?; - x509.set_not_before(&today)?; - let expire = openssl::asn1::Asn1Time::days_from_now(365 * 1000)?; - x509.set_not_after(&expire)?; - - let nodename = proxmox_sys::nodename(); - let mut fqdn = nodename.to_owned(); - let resolv_conf = crate::api2::node::dns::read_etc_resolv_conf()?; - if let Some(search) = resolv_conf["search"].as_str() { - fqdn.push('.'); - fqdn.push_str(search); - } - // we try to generate an unique 'subject' to avoid browser problems - //(reused serial numbers, ..) - let uuid = proxmox_uuid::Uuid::generate(); + let (priv_key, cert) = proxmox_acme_api::create_self_signed_cert( + "Proxmox Backup Server", + proxmox_sys::nodename(), + resolv_conf["search"].as_str(), + )?; - let mut subject_name = openssl::x509::X509NameBuilder::new()?; - subject_name.append_entry_by_text("O", "Proxmox Backup Server")?; - subject_name.append_entry_by_text("OU", &format!("{uuid:X}"))?; - subject_name.append_entry_by_text("CN", &fqdn)?; - let subject_name = subject_name.build(); - - x509.set_subject_name(&subject_name)?; - x509.set_issuer_name(&subject_name)?; - - let bc = openssl::x509::extension::BasicConstraints::new(); // CA = false - let bc = bc.build()?; - x509.append_extension(bc)?; - - let usage = openssl::x509::extension::ExtendedKeyUsage::new() - .server_auth() - .build()?; - x509.append_extension(usage)?; - - let context = x509.x509v3_context(None, None); - - let mut alt_names = openssl::x509::extension::SubjectAlternativeName::new(); - - alt_names.ip("127.0.0.1"); - alt_names.ip("::1"); - - alt_names.dns("localhost"); - - if nodename != "localhost" { - alt_names.dns(nodename); - } - if nodename != fqdn { - alt_names.dns(&fqdn); - } - - let alt_names = alt_names.build(&context)?; - - x509.append_extension(alt_names)?; - - let pub_pem = rsa.public_key_to_pem()?; - let pubkey = PKey::public_key_from_pem(&pub_pem)?; - - x509.set_pubkey(&pubkey)?; - - let context = x509.x509v3_context(None, None); - let ext = openssl::x509::extension::SubjectKeyIdentifier::new().build(&context)?; - x509.append_extension(ext)?; - - let context = x509.x509v3_context(None, None); - let ext = openssl::x509::extension::AuthorityKeyIdentifier::new() - .keyid(true) - .build(&context)?; - x509.append_extension(ext)?; - - let privkey = PKey::from_rsa(rsa)?; - - x509.sign(&privkey, openssl::hash::MessageDigest::sha256())?; - - let x509 = x509.build(); - let cert_pem = x509.to_pem()?; + let cert_pem = cert.to_pem()?; + let priv_pem = priv_key.private_key_to_pem_pkcs8()?; set_proxy_certificate(&cert_pem, &priv_pem)?; -- 2.47.3