From mboxrd@z Thu Jan 1 00:00:00 1970
From: Shannon Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox 01/12] acme-api: make self-signed certificate expiry configurable
Date: Wed, 22 Apr 2026 14:40:11 +0200
Message-ID: <20260422124022.17952-2-s.sterz@proxmox.com>
In-Reply-To: <20260422124022.17952-1-s.sterz@proxmox.com>
References: <20260422124022.17952-1-s.sterz@proxmox.com>
X-Mailer: git-send-email 2.47.3
List-Id: Proxmox Backup Server development discussion

and change the default from 365000 days (almost 1000 years) to 3650 days
(almost 10 years).

Almost 1000 years is excessive, as no practical cryptographic key can
reasonably be considered safe for that amount of time. Almost 10 years
should still give plenty of time to prepare for certificate changes.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
Notes:
    IMO, we could go down even more. As far as I am aware there is no real
    limit that is being enforced here for self-signed certificates from a
    browser perspective. They are already trusted on an exemption basis
    anyway. However, certificates signed by public CAs will only be valid
    for a maximum of 47 days by 2029 [1]. Hence, I would personally either
    adopt the same limit or go down to a year, as a sensible middle ground.
    Certificate rotation should really be automated even in self-signed
    scenarios.

    We also had cases in the past where customers already ran into issues
    because they wanted to limit the lifetime of their certificates below
    30 days [2], meaning that there is a need out there for shorter-lived
    certificates (though, in that case, a custom CA & ACME setup was used).

    [1]: https://github.com/cabforum/servercert/pull/553
    [2]: https://bugzilla.proxmox.com/show_bug.cgi?id=6372

 proxmox-acme-api/src/certificate_helpers.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/proxmox-acme-api/src/certificate_helpers.rs b/proxmox-acme-api/src/certificate_helpers.rs
index a4fe153a..c09bd65c 100644
--- a/proxmox-acme-api/src/certificate_helpers.rs
+++ b/proxmox-acme-api/src/certificate_helpers.rs
@@ -214,6 +214,7 @@ pub fn create_self_signed_cert(
     product_name: &str,
     nodename: &str,
     domain: Option<&str>,
+    expire: Option,
 ) -> Result<(PKey, X509), Error> {
     let rsa = Rsa::generate(4096).unwrap();
 
@@ -223,7 +224,7 @@ pub fn create_self_signed_cert(
     let today = openssl::asn1::Asn1Time::days_from_now(0)?;
     x509.set_not_before(&today)?;
 
-    let expire = openssl::asn1::Asn1Time::days_from_now(365 * 1000)?;
+    let expire = openssl::asn1::Asn1Time::days_from_now(expire.unwrap_or(365 * 10))?;
     x509.set_not_after(&expire)?;
 
     let mut fqdn = nodename.to_owned();
-- 
2.47.3
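Review bot: the new `expire` parameter in the `create_self_signed_cert` signature (first hunk) does not say which unit it carries; the second hunk feeds it straight into `Asn1Time::days_from_now`, so it is days, but nothing at a call site makes that visible. Consider renaming it to `expire_days` or documenting the unit on the function, so a caller passing seconds or a timestamp is caught in review rather than by a certificate that outlives its intent. Since the diffstat shows only this one file changing, any in-tree caller of `create_self_signed_cert` must be updated elsewhere in the series for this patch to build on its own.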
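Review bot: `expire.unwrap_or(365 * 10)` in the second hunk enforces no bounds on the caller-supplied value, so a caller can pass 0 (not_after equal to not_before, a certificate that is expired the moment it is written) or 365000 and quietly restore exactly the lifetime the commit message is removing. Suggest validating the range at the API boundary (reject 0 and anything above the agreed maximum) and hoisting `365 * 10` into a named constant so the schema default and this fallback cannot drift apart. While this code is being touched, the unchanged `days_from_now(0)` for not_before means a node whose clock runs slightly ahead of its clients hands out a certificate that is briefly not yet valid; backdating not_before by a small margin is a cheap robustness improvement.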
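As an added example that is not part of this patch or of the proxmox-acme-api crate, the policy the commit and its notes argue for (a bounded self-signed lifetime plus automated rotation) done with the openssl command line: the requested lifetime in days is validated against an assumed 3650-day ceiling before the certificate is issued, and `openssl x509 -checkend` decides whether an existing certificate already falls inside a hypothetical 30-day renewal window. The CN, output paths, key size and both thresholds are constructed for the demonstration and are not project defaults.

```shell
#!/bin/sh
# Added example, not code from the proxmox patch. The policy values below are
# assumptions for the demonstration, not project defaults.
set -eu

MAX_DAYS=3650          # assumed ceiling, chosen to match the patch's new default
RENEW_BEFORE_DAYS=30   # assumed renewal lead time

# validate_days DAYS: print DAYS if it is an integer in 1..MAX_DAYS, else fail.
# Rejects 0 (the certificate would be expired on issue) and anything above the
# ceiling (which would silently bring back an effectively unlimited lifetime).
validate_days() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le "$MAX_DAYS" ] || return 1
    printf '%s\n' "$1"
}

# make_self_signed CN DAYS OUTDIR: write OUTDIR/key.pem and OUTDIR/cert.pem with
# a validated lifetime. RSA 2048 keeps the example fast; the patch uses 4096.
make_self_signed() {
    days=$(validate_days "$2") || {
        echo "refusing to issue: invalid lifetime '$2' (allowed 1..$MAX_DAYS days)" >&2
        return 1
    }
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$1" -days "$days" \
        -keyout "$3/key.pem" -out "$3/cert.pem" >/dev/null 2>&1
}

# needs_rotation CERT: succeed (exit 0) when CERT expires within the lead time.
# `openssl x509 -checkend N` exits 0 only if the certificate is still valid N
# seconds from now, so its failure is the "rotate now" signal.
needs_rotation() {
    if openssl x509 -in "$1" -noout \
        -checkend "$((RENEW_BEFORE_DAYS * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Usage: issue a 10-day certificate and observe that it is already inside the
# renewal window, i.e. a cron job calling needs_rotation would reissue it.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_self_signed node.example 10 "$dir"
    needs_rotation "$dir/cert.pem" && \
        echo "rotate: $dir/cert.pem expires within $RENEW_BEFORE_DAYS days"
fi
```

Run with `sh example.sh demo`. The validation happens before any key material is generated, which is the same boundary a server-side API should enforce it at: once the certificate exists, a too-long lifetime can only be fixed by reissuing.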