From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pbs-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id B8C991FF142
	for <inbox@lore.proxmox.com>; Tue, 07 Apr 2026 15:56:57 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id ECDD01CC18;
	Tue,  7 Apr 2026 15:57:26 +0200 (CEST)
From: Shannon Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox-backup 05/10] daily-update/docs: warn on excessive
 self-signed certificate lifetime
Date: Tue,  7 Apr 2026 15:57:09 +0200
Message-ID: <20260407135714.490747-6-s.sterz@proxmox.com>
X-Mailer: git-send-email 2.47.3
In-Reply-To: <20260407135714.490747-1-s.sterz@proxmox.com>
References: <20260407135714.490747-1-s.sterz@proxmox.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1775570172551
X-SPAM-LEVEL: Spam detection results:  0
	AWL                     0.125 Adjusted score from AWL reputation of From:
 address
	BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
	DMARC_MISSING             0.1 Missing DMARC policy
	KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict
 Alignment
	SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
	SPF_PASS               -0.001 SPF: sender matches SPF record
Message-ID-Hash: EOPRAYVPM5W2C5CZ45LFA4APGSI2FCDW
X-Message-ID-Hash: EOPRAYVPM5W2C5CZ45LFA4APGSI2FCDW
X-MailFrom: s.sterz@proxmox.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Owner: <mailto:pbs-devel-owner@lists.proxmox.com>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Subscribe: <mailto:pbs-devel-join@lists.proxmox.com>
List-Unsubscribe: <mailto:pbs-devel-leave@lists.proxmox.com>

and document how to renew it. an excessive lifetime is reported when
the lifetime of the certificate exceeds 3650 days (almost ten years),
which corresponds to the default lifetime generated by
proxmox-acme-api.

Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 docs/certificate-management.rst | 31 +++++++++++++++++++++++++++++++
 src/bin/proxmox-daily-update.rs |  4 ++++
 2 files changed, 35 insertions(+)

diff --git a/docs/certificate-management.rst b/docs/certificate-management.rst
index 903d0efc..b08133d5 100644
--- a/docs/certificate-management.rst
+++ b/docs/certificate-management.rst
@@ -333,3 +333,34 @@ Test your new certificate, using your browser.
 
 .. [1]
    acme.sh https://github.com/acmesh-official/acme.sh
+
+Manually Renew Self-signed Certificates
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Proxmox Backup Server creates and renews a self-signed certificate if no custom
+or ACME certificate is provided. Older versions issued a certificate that was
+valid for almost 1000 years and did not renew this certificate. Beginning with
+version 4.2, new setups use shorter lived certificates that will be regularly
+renewed. Old self-signed certificates are not replaced in order to not disrupt
+existing backup setups. In such cases, the following line is logged:
+
+.. code-block:: console
+
+   Apr 04 12:17:51 pbs proxmox-daily-update[1170]: Self-signed certificate is valid for an excessive amount of time. Please renew it.
+
+To manually renew a certificate, navigate to Configuration -> Certificates.
+Select the certificate ``proxy.pem``. Then click the "Delete Custom
+Certificate" button. Alternatively, you can run the following command:
+
+.. code-block:: shell
+
+   proxmox-backup-manager cert update --force
+
+.. WARNING:: Any client using a fingerprint to verify TLS sessions with the
+   server will need to be updated with the new fingerprint. This includes any
+   Proxmox VE instance that may use it as a backup destination.
+
+After manually renewing the certificate once, Proxmox Backup Server will start
+renewing the certificate itself. A certificate will be renewed at the earliest
+15 days before it expires. Starting from 30 days before it expires,
+notifications will be issued with a reminder about the upcoming renewal.
diff --git a/src/bin/proxmox-daily-update.rs b/src/bin/proxmox-daily-update.rs
index 49159d24..43d35f4a 100644
--- a/src/bin/proxmox-daily-update.rs
+++ b/src/bin/proxmox-daily-update.rs
@@ -112,6 +112,10 @@ async fn renew_self_signed_certificate() -> Result<(), Error> {
     } else if days <= 30 {
         log::info!("Certificate expires within 30 days, notify about renewal.");
         send_upcoming_self_signed_renewal_notification()?;
+   } else if days > 365 * 10 {
+        log::warn!(
+            "Self-signed certificate is valid for an excessive amount of time. Please renew it."
+        );
     }
 
     Ok(())
-- 
2.47.3