From: Shannon Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox-backup 05/10] daily-update/docs: warn on excessive self-signed certificate lifetime
Date: Tue, 7 Apr 2026 15:57:09 +0200 [thread overview]
Message-ID: <20260407135714.490747-6-s.sterz@proxmox.com> (raw)
In-Reply-To: <20260407135714.490747-1-s.sterz@proxmox.com>
and document how to renew it. an excessive lifetime is reported when
the lifetime of the certificate exceeds 3650 days (almost ten years),
which corresponds to the default lifetime generated by
proxmox-acme-api.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
docs/certificate-management.rst | 31 +++++++++++++++++++++++++++++++
src/bin/proxmox-daily-update.rs | 4 ++++
2 files changed, 35 insertions(+)
diff --git a/docs/certificate-management.rst b/docs/certificate-management.rst
index 903d0efc..b08133d5 100644
--- a/docs/certificate-management.rst
+++ b/docs/certificate-management.rst
@@ -333,3 +333,34 @@ Test your new certificate, using your browser.
.. [1]
acme.sh https://github.com/acmesh-official/acme.sh
+
+Manually Renew Self-signed Certificates
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Proxmox Backup Server creates and renews a self-signed certificate if no custom
+or ACME certificate is provided. Older versions issued a certificate that was
+valid for almost 1000 years and did not renew this certificate. Beginning with
+version 4.2, new setups use shorter lived certificates that will be regularly
+renewed. Old self-signed certificates are not replaced in order to not disrupt
+existing backup setups. In such cases, the following line is logged:
+
+.. code-block:: console
+
+ Apr 04 12:17:51 pbs proxmox-daily-update[1170]: Self-signed certificate is valid for an excessive amount of time. Please renew it.
+
+To manually renew a certificate, navigate to Configuration -> Certificates.
+Select the certificate ``proxy.pem``. Then click the "Delete Custom
+Certificate" button. Alternatively, you can run the following command:
+
+.. code-block:: shell
+
+ proxmox-backup-manager cert update --force
+
+.. WARNING:: Any client using a fingerprint to verify TLS sessions with the
+ server will need to be updated with the new fingerprint. This includes any
+ Proxmox VE instance that may use it as a backup destination.
+
+After manually renewing the certificate once, Proxmox Backup Server will start
+renewing the certificate itself. A certificate will be renewed at the earliest
+15 days before it expires. Starting from 30 days before it expires,
+notifications will be issued with a reminder about the upcoming renewal.
diff --git a/src/bin/proxmox-daily-update.rs b/src/bin/proxmox-daily-update.rs
index 49159d24..43d35f4a 100644
--- a/src/bin/proxmox-daily-update.rs
+++ b/src/bin/proxmox-daily-update.rs
@@ -112,6 +112,10 @@ async fn renew_self_signed_certificate() -> Result<(), Error> {
} else if days <= 30 {
log::info!("Certificate expires within 30 days, notify about renewal.");
send_upcoming_self_signed_renewal_notification()?;
+ } else if days > 365 * 10 {
+ log::warn!(
+ "Self-signed certificate is valid for an excessive amount of time. Please renew it."
+ );
}
Ok(())
--
2.47.3
next prev parent reply other threads:[~2026-04-07 13:56 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-07 13:57 [RFC datacenter-manager/proxmox{,-backup} 00/10] TLS Certificate Rotation Shannon Sterz
2026-04-07 13:57 ` [PATCH proxmox 01/10] acme-api: make self-signed certificate expiry configurable Shannon Sterz
2026-04-07 13:57 ` [PATCH proxmox-backup 02/10] config: use proxmox_acme_api for generating self-signed certificates Shannon Sterz
2026-04-07 13:57 ` [PATCH proxmox-backup 03/10] config: adapt to api change in proxmox_acme_api, add expiry paramter Shannon Sterz
2026-04-07 13:57 ` [PATCH proxmox-backup 04/10] config/server/api: add certificate renewal logic including notifications Shannon Sterz
2026-04-07 13:57 ` Shannon Sterz [this message]
2026-04-07 13:57 ` [PATCH proxmox-backup 06/10] backup-manager cli: `cert update` can create auth and csrf key Shannon Sterz
2026-04-07 13:57 ` [PATCH datacenter-manager 07/10] certs: adapt to api change in proxmox_acme_api, add expiry paramter Shannon Sterz
2026-04-07 13:57 ` [PATCH datacenter-manager 08/10] api/auth/bin: add certificate renewal logic Shannon Sterz
2026-04-07 13:57 ` [PATCH datacenter-manager 09/10] cli: expose certificate management endpoints via the cli Shannon Sterz
2026-04-07 13:57 ` [PATCH datacenter-manager 10/10] daily-update/docs: warn on excessive tls certificate validity periods Shannon Sterz
2026-04-07 15:29 ` Shannon Sterz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260407135714.490747-6-s.sterz@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox