From: Shannon Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [PATCH datacenter-manager/proxmox{,-backup}/yew-comp 00/12] TLS Certificate Rotation
Date: Wed, 22 Apr 2026 14:40:10 +0200 [thread overview]
Message-ID: <20260422124022.17952-1-s.sterz@proxmox.com> (raw)
this series adds certificate rotation to Proxmox Backup Server and Proxmox
Datacenter Manager. currently, both products issue a certificate that is valid
for almost 1000 years (365000 days). no cryptographic key can reasonably be
considered secure for this amount of time. this series:
- allows specifying the lifetime of the certificate when creating one via
proxmox-acme-api and reduces the default to 3650 days (almost ten years).
- sends and logs reminders 30 days before a certificate expires (pdm currently
does not support the notification framework yet, so adding notifications is
left as future work here).
- refreshes a certificate at the earliest 15 days before it expires, logs
and notifies when that happens.
- warns on certificates with excessive lifetimes (>3650 days) and documents
how to manually update them.
- for pdm: exposes cert handling cli methods in proxmox-datacenter-manager-admin.
## Testing
the easiest way to test this is to manipulate the date of the host with `date
--set` and then manually trigger the daily update binary for each product:
* PBS: `/usr/lib/x86_64-linux-gnu/proxmox-backup/proxmox-daily-update`
* PDM: `/usr/libexec/proxmox/proxmox-datacenter-manager-daily-update`
you can then check the logs and the certificate itself to see what happened.
specifying the `PBS_LOG` with the parameter `trace` or `debug` will also enable
debug logging here.
## Open Questions
+ 10 years is still a long time and i'd rather reduce that further down if
possible. see the first patch for proxmox-acme-api for more info.
+ should we remove pre-existing long lasting certificates by ourselves? imo
that is too risky at the moment given that an unplanned certificate rotation
could cause backups to fail.
+ notifying every day for 15 days before the renewal might be excessive, see
the second commit for pbs.
## Future Work
- pve and pdm should be extended to allow automatically updating allowed
fingerprints before a new self-signed certificate goes into action. this will
be handled in a follow-up series. if this series is applied, we have ten years
to implement such a mechanism before any setups are realistically expected to
break.
- pdm should send notifications similar to pbs once support for notifications
is added.
## Changelog
* rfc: https://lore.proxmox.com/pbs-devel/20260407135714.490747-1-s.sterz@proxmox.com/T
changes since rfc:
+ add patches that avoid hard-coding the certificate file name in yew-comp and
use the proper filename in pdm
+ update pdm renewal docs patch to avoid confusion
proxmox:
Shannon Sterz (1):
acme-api: make self-signed certificate expiry configurable
proxmox-acme-api/src/certificate_helpers.rs | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
backup:
Shannon Sterz (5):
config: use proxmox_acme_api for generating self-signed certificates
config: adapt to api change in proxmox_acme_api, add expiry paramter
config/server/api: add certificate renewal logic including
notifications
daily-update/docs: warn on excessive self-signed certificate lifetime
backup-manager cli: `cert update` can create auth and csrf key
debian/proxmox-backup-server.install | 4 +
docs/certificate-management.rst | 31 ++++++
src/api2/node/certificates.rs | 44 +++++++++
src/bin/proxmox-daily-update.rs | 32 +++++++
src/bin/proxmox_backup_manager/cert.rs | 2 +
src/config/mod.rs | 96 ++-----------------
src/server/notifications/mod.rs | 50 ++++++++++
templates/Makefile | 66 +++++++------
templates/default/cert-refresh-body.txt.hbs | 8 ++
.../default/cert-refresh-subject.txt.hbs | 1 +
.../cert-upcoming-refresh-body.txt.hbs | 9 ++
.../cert-upcoming-refresh-subject.txt.hbs | 1 +
12 files changed, 227 insertions(+), 117 deletions(-)
create mode 100644 templates/default/cert-refresh-body.txt.hbs
create mode 100644 templates/default/cert-refresh-subject.txt.hbs
create mode 100644 templates/default/cert-upcoming-refresh-body.txt.hbs
create mode 100644 templates/default/cert-upcoming-refresh-subject.txt.hbs
yew-comp:
Shannon Sterz (1):
certificate list: use certificate file name fetched from the backend
src/acme/certificate_list.rs | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
datacenter-manager:
Shannon Sterz (5):
certs: adapt to api change in proxmox_acme_api, add expiry paramter
api/auth/bin: add certificate renewal logic
cli: expose certificate management endpoints via the cli
daily-update/docs: warn on excessive tls certificate validity periods
docs/certificates: use correct certificate file name
cli/admin/Cargo.toml | 2 +
cli/admin/src/cert.rs | 86 +++++++++++++++++++
cli/admin/src/main.rs | 2 +
docs/certificate-management.rst | 32 +++++++
server/Cargo.toml | 1 +
server/src/api/nodes/certificates.rs | 50 ++++++++++-
server/src/auth/certs.rs | 4 +-
...proxmox-datacenter-manager-daily-update.rs | 30 +++++++
8 files changed, 205 insertions(+), 2 deletions(-)
create mode 100644 cli/admin/src/cert.rs
Summary over all repositories:
22 files changed, 439 insertions(+), 121 deletions(-)
--
Generated by murpp 0.10.0
next reply other threads:[~2026-04-22 12:40 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-22 12:40 Shannon Sterz [this message]
2026-04-22 12:40 ` [PATCH proxmox 01/12] acme-api: make self-signed certificate expiry configurable Shannon Sterz
2026-04-22 12:40 ` [PATCH proxmox-backup 02/12] config: use proxmox_acme_api for generating self-signed certificates Shannon Sterz
2026-04-22 12:40 ` [PATCH proxmox-backup 03/12] config: adapt to api change in proxmox_acme_api, add expiry paramter Shannon Sterz
2026-04-22 12:40 ` [PATCH proxmox-backup 04/12] config/server/api: add certificate renewal logic including notifications Shannon Sterz
2026-04-22 12:40 ` [PATCH proxmox-backup 05/12] daily-update/docs: warn on excessive self-signed certificate lifetime Shannon Sterz
2026-04-22 12:40 ` [PATCH proxmox-backup 06/12] backup-manager cli: `cert update` can create auth and csrf key Shannon Sterz
2026-04-22 12:40 ` [PATCH yew-comp 07/12] certificate list: use certificate file name fetched from the backend Shannon Sterz
2026-04-22 12:40 ` [PATCH datacenter-manager 08/12] certs: adapt to api change in proxmox_acme_api, add expiry paramter Shannon Sterz
2026-04-22 12:40 ` [PATCH datacenter-manager 09/12] api/auth/bin: add certificate renewal logic Shannon Sterz
2026-04-22 12:40 ` [PATCH datacenter-manager 10/12] cli: expose certificate management endpoints via the cli Shannon Sterz
2026-04-22 12:40 ` [PATCH datacenter-manager 11/12] daily-update/docs: warn on excessive tls certificate validity periods Shannon Sterz
2026-04-22 12:40 ` [PATCH datacenter-manager 12/12] docs/certificates: use correct certificate file name Shannon Sterz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260422124022.17952-1-s.sterz@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox