From: "Shannon Sterz" <s.sterz@proxmox.com>
To: "Shannon Sterz" <s.sterz@proxmox.com>, <pbs-devel@lists.proxmox.com>
Subject: Re: [PATCH datacenter-manager 10/10] daily-update/docs: warn on excessive tls certificate validity periods
Date: Tue, 07 Apr 2026 17:29:51 +0200
Message-ID: <DHN1363DJ1LU.11SFEUJHQHG57@proxmox.com>
In-Reply-To: <20260407135714.490747-11-s.sterz@proxmox.com>
On Tue Apr 7, 2026 at 3:57 PM CEST, Shannon Sterz wrote:
> and document how to update the certificate manually. an excessive
> lifetime is reported when the lifetime of the certificate exceeds 3650
> days (almost ten years), which corresponds to the default lifetime
> generated by proxmox-acme-api.
>
> Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
> ---
> docs/certificate-management.rst | 31 +++++++++++++++++++
> ...proxmox-datacenter-manager-daily-update.rs | 4 +++
> 2 files changed, 35 insertions(+)
>
> diff --git a/docs/certificate-management.rst b/docs/certificate-management.rst
> index 652f6ca..a9a12cf 100644
> --- a/docs/certificate-management.rst
> +++ b/docs/certificate-management.rst
> @@ -303,3 +303,34 @@ Test your new certificate, using your browser.
>
> .. [1]
> acme.sh https://github.com/acmesh-official/acme.sh
> +
> +Manually Renew Self-signed Certificates
> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +Proxmox Datacenter Manager creates and renews a self-signed certificate if no
> +custom or ACME certificate is provided. Older versions issued a certificate
> +that was valid for almost 1000 years and did not renew this certificate.
> +Beginning with version 1.1, new setups use shorter lived certificates that will
> +be regularly renewed. Old self-signed certificates are not replaced in order to
> +not disrupt existing backup setups. In such cases, the following line is
the "backup" here should be dropped ofc. I'll include that in the next
version. sorry for any inconvenience.
> +logged:
> +
> +.. code-block:: console
> +
> + Apr 04 12:17:51 pdm proxmox-datacenter-manager-daily-update[1170]: Self-signed certificate is valid for an excessive amount of time. Please renew it.
> +
> +To manually renew a certificate, navigate to Configuration -> Certificates.
> +Select the certificate ``proxy.pem``. Then click the "Delete Custom
on a sidenote: I just noticed that in pdm the file is actually
`/etc/proxmox-datacenter-manager/auth/api.pem`. `proxy.pem` is still
used here because we hard-code the certificate name [1,2]. I'd add
patches to fix that too in a next version of this series.
[1]: https://git.proxmox.com/?p=proxmox-datacenter-manager.git;a=blob;f=server/src/api/nodes/certificates.rs;h=47aef7ad;hb=HEAD#l51
[2]: https://git.proxmox.com/?p=ui/proxmox-yew-comp.git;a=blob;f=src/acme/certificate_list.rs;h=2553bac6;hb=HEAD#l125
> +Certificate" button. Alternatively, you can run the following command:
> +
> +.. code-block:: shell
> +
> + proxmox-datacenter-manager-admin cert update --force
> +
> +.. WARNING:: Any client using a fingerprint to verify TLS sessions with the
> + server will need to be updated with the new fingerprint.
> +
> +After manually renewing the certificate once, Proxmox Datacenter Manager will
> +start renewing the certificate itself. A certificate will be renewed at the
> +earliest 15 days before it expires. Starting from 30 days before it expires,
> +notifications will be issued with a reminder about the upcoming renewal.
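Review bot: the manual renewal steps never say what happens after the certificate is removed; the reader is told to delete a self-signed certificate through a button labelled "Delete Custom Certificate" and the section then jumps to "After manually renewing the certificate once", so it is unclear that a new, shorter-lived self-signed certificate is created in its place rather than the server being left without one. Add a sentence after the `cert update --force` block stating what is generated (and that the UI path and the CLI path end in the same state), and consider pointing out in the WARNING that this includes any remotes or API clients pinned to the old fingerprint, since the new fingerprint only exists once that step has run.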
> diff --git a/server/src/bin/proxmox-datacenter-manager-daily-update.rs b/server/src/bin/proxmox-datacenter-manager-daily-update.rs
> index deed0be..8e5f67a 100644
> --- a/server/src/bin/proxmox-datacenter-manager-daily-update.rs
> +++ b/server/src/bin/proxmox-datacenter-manager-daily-update.rs
> @@ -108,6 +108,10 @@ async fn renew_self_signed_certificate() -> Result<(), Error> {
> } else if days <= 30 {
> log::info!("Certificate expires within 30 days.");
> // fixme: send_upcoming_self_signed_renewal_notification()?;
> + } else if days > 365 * 10 {
> + log::warn!(
> + "Self-signed certificate is valid for an excessive amount of time. Please renew it."
> + );
> }
>
> Ok(())
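Review bot: the `365 * 10` threshold in the new `else if` arm is a magic number that is duplicated in prose in the commit message and docs as "3650 days"; pulling it into a named constant (for example `EXCESSIVE_VALIDITY_DAYS`, name is only a suggestion) with a comment that it matches the previous proxmox-acme-api default keeps the three places from drifting. The warning would also be more useful to an operator reading the journal if it included the remaining `days` value, e.g. `"Self-signed certificate is valid for an excessive amount of time ({days} days). Please renew it."`, so the message shows how far out the expiry actually is instead of requiring an inspection of the certificate.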
Thread overview:
2026-04-07 13:57 [RFC datacenter-manager/proxmox{,-backup} 00/10] TLS Certificate Rotation Shannon Sterz
2026-04-07 13:57 ` [PATCH proxmox 01/10] acme-api: make self-signed certificate expiry configurable Shannon Sterz
2026-04-07 13:57 ` [PATCH proxmox-backup 02/10] config: use proxmox_acme_api for generating self-signed certificates Shannon Sterz
2026-04-07 13:57 ` [PATCH proxmox-backup 03/10] config: adapt to api change in proxmox_acme_api, add expiry paramter Shannon Sterz
2026-04-07 13:57 ` [PATCH proxmox-backup 04/10] config/server/api: add certificate renewal logic including notifications Shannon Sterz
2026-04-07 13:57 ` [PATCH proxmox-backup 05/10] daily-update/docs: warn on excessive self-signed certificate lifetime Shannon Sterz
2026-04-07 13:57 ` [PATCH proxmox-backup 06/10] backup-manager cli: `cert update` can create auth and csrf key Shannon Sterz
2026-04-07 13:57 ` [PATCH datacenter-manager 07/10] certs: adapt to api change in proxmox_acme_api, add expiry paramter Shannon Sterz
2026-04-07 13:57 ` [PATCH datacenter-manager 08/10] api/auth/bin: add certificate renewal logic Shannon Sterz
2026-04-07 13:57 ` [PATCH datacenter-manager 09/10] cli: expose certificate management endpoints via the cli Shannon Sterz
2026-04-07 13:57 ` [PATCH datacenter-manager 10/10] daily-update/docs: warn on excessive tls certificate validity periods Shannon Sterz
2026-04-07 15:29 ` Shannon Sterz [this message]