From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pbs-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id E4D761FF13B
	for <inbox@lore.proxmox.com>; Wed, 22 Apr 2026 14:40:41 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 8D20A1DAA0;
	Wed, 22 Apr 2026 14:40:40 +0200 (CEST)
From: Shannon Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [PATCH datacenter-manager/proxmox{,-backup}/yew-comp 00/12] TLS
 Certificate Rotation
Date: Wed, 22 Apr 2026 14:40:10 +0200
Message-ID: <20260422124022.17952-1-s.sterz@proxmox.com>
X-Mailer: git-send-email 2.47.3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1776861540996
X-SPAM-LEVEL: Spam detection results:  0
	AWL                     0.122 Adjusted score from AWL reputation of From:
 address
	BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
	DMARC_MISSING             0.1 Missing DMARC policy
	KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict
 Alignment
	SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
	SPF_PASS               -0.001 SPF: sender matches SPF record
Message-ID-Hash: EIL35T3HSVQ4Q2QW52W4EFTX5AIPBWNC
X-Message-ID-Hash: EIL35T3HSVQ4Q2QW52W4EFTX5AIPBWNC
X-MailFrom: s.sterz@proxmox.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Owner: <mailto:pbs-devel-owner@lists.proxmox.com>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Subscribe: <mailto:pbs-devel-join@lists.proxmox.com>
List-Unsubscribe: <mailto:pbs-devel-leave@lists.proxmox.com>

this series adds certificate rotation to Proxmox Backup Server and Proxmox
Datacenter Manager. currently, both products issue a certificate that is valid
for almost 1000 years (365000 days). no cryptographic key can reasonably be
considered secure for this amount of time. this series:

- allows specifying the lifetime of the certificate when creating one via
  proxmox-acme-api and reduces the default to 3650 days (almost ten years).
- sends and logs reminders 30 days before a certificate expires (pdm currently
  does not support the notification framework yet, so adding notifications is
  left as future work here).
- refreshes a certificate at the earliest 15 days before it expires, logs
  and notifies when that happens.
- warns on certificates with excessive lifetimes (>3650 days) and documents
  how to manually update them.
- for pdm: exposes cert handling cli methods in proxmox-datacenter-manager-admin.

## Testing

the easiest way to test this is to manipulate the date of the host with `date
--set` and then manually trigger the daily update binary for each product:

* PBS: `/usr/lib/x86_64-linux-gnu/proxmox-backup/proxmox-daily-update`
* PDM: `/usr/libexec/proxmox/proxmox-datacenter-manager-daily-update`

you can then check the logs and the certificate itself to see what happened.
specifying the `PBS_LOG` with the parameter `trace` or `debug` will also enable
debug logging here.

## Open Questions

+ 10 years is still a long time and i'd rather reduce that further down if
  possible. see the first patch for proxmox-acme-api for more info.
+ should we remove pre-existing long lasting certificates by ourselves? imo
  that is too risky at the moment given that an unplanned certificate rotation
  could cause backups to fail.
+ notifying every day for 15 days before the renewal might be excessive, see
  the second commit for pbs.

## Future Work

- pve and pdm should be extended to allow automatically updating allowed
  fingerprints before a new self-signed certificate goes into action. this will
  be handled in a follow-up series. if this series is applied, we have ten years
  to implement such a mechanism before any setups are realistically expected to
  break.
- pdm should send notifications similar to pbs once support for notifications
  is added.

## Changelog

* rfc: https://lore.proxmox.com/pbs-devel/20260407135714.490747-1-s.sterz@proxmox.com/T

changes since rfc:

+ add patches that avoid hard-coding the certificate file name in yew-comp and
  use the proper filename in pdm
+ update pdm renewal docs patch to avoid confusion


proxmox:

Shannon Sterz (1):
  acme-api: make self-signed certificate expiry configurable

 proxmox-acme-api/src/certificate_helpers.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)


backup:

Shannon Sterz (5):
  config: use proxmox_acme_api for generating self-signed certificates
  config: adapt to api change in proxmox_acme_api, add expiry paramter
  config/server/api: add certificate renewal logic including
    notifications
  daily-update/docs: warn on excessive self-signed certificate lifetime
  backup-manager cli: `cert update` can create auth and csrf key

 debian/proxmox-backup-server.install          |  4 +
 docs/certificate-management.rst               | 31 ++++++
 src/api2/node/certificates.rs                 | 44 +++++++++
 src/bin/proxmox-daily-update.rs               | 32 +++++++
 src/bin/proxmox_backup_manager/cert.rs        |  2 +
 src/config/mod.rs                             | 96 ++-----------------
 src/server/notifications/mod.rs               | 50 ++++++++++
 templates/Makefile                            | 66 +++++++------
 templates/default/cert-refresh-body.txt.hbs   |  8 ++
 .../default/cert-refresh-subject.txt.hbs      |  1 +
 .../cert-upcoming-refresh-body.txt.hbs        |  9 ++
 .../cert-upcoming-refresh-subject.txt.hbs     |  1 +
 12 files changed, 227 insertions(+), 117 deletions(-)
 create mode 100644 templates/default/cert-refresh-body.txt.hbs
 create mode 100644 templates/default/cert-refresh-subject.txt.hbs
 create mode 100644 templates/default/cert-upcoming-refresh-body.txt.hbs
 create mode 100644 templates/default/cert-upcoming-refresh-subject.txt.hbs


yew-comp:

Shannon Sterz (1):
  certificate list: use certificate file name fetched from the backend

 src/acme/certificate_list.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)


datacenter-manager:

Shannon Sterz (5):
  certs: adapt to api change in proxmox_acme_api, add expiry paramter
  api/auth/bin: add certificate renewal logic
  cli: expose certificate management endpoints via the cli
  daily-update/docs: warn on excessive tls certificate validity periods
  docs/certificates: use correct certificate file name

 cli/admin/Cargo.toml                          |  2 +
 cli/admin/src/cert.rs                         | 86 +++++++++++++++++++
 cli/admin/src/main.rs                         |  2 +
 docs/certificate-management.rst               | 32 +++++++
 server/Cargo.toml                             |  1 +
 server/src/api/nodes/certificates.rs          | 50 ++++++++++-
 server/src/auth/certs.rs                      |  4 +-
 ...proxmox-datacenter-manager-daily-update.rs | 30 +++++++
 8 files changed, 205 insertions(+), 2 deletions(-)
 create mode 100644 cli/admin/src/cert.rs


Summary over all repositories:
  22 files changed, 439 insertions(+), 121 deletions(-)

-- 
Generated by murpp 0.10.0