From: "Shannon Sterz"
To: "Shannon Sterz" ,
Date: Tue, 07 Apr 2026 17:29:51 +0200
Subject: Re: [PATCH datacenter-manager 10/10] daily-update/docs: warn on excessive tls certificate validity periods
In-Reply-To: <20260407135714.490747-11-s.sterz@proxmox.com>
References: <20260407135714.490747-1-s.sterz@proxmox.com> <20260407135714.490747-11-s.sterz@proxmox.com>
X-Mailer: aerc 0.20.0
List-Id: Proxmox Backup Server development discussion

On Tue Apr 7, 2026 at 3:57 PM CEST, Shannon Sterz wrote:
> and document how to update the certificate manually. an excessive > lifetime is reported when the lifetime of the certificate exceeds 3650 > days (almost ten years), which corresponds to the default lifetime > generated by proxmox-acme-api. > > Signed-off-by: Shannon Sterz > --- > docs/certificate-management.rst | 31 +++++++++++++++++++ > ...proxmox-datacenter-manager-daily-update.rs | 4 +++ > 2 files changed, 35 insertions(+) > > diff --git a/docs/certificate-management.rst b/docs/certificate-managemen= t.rst > index 652f6ca..a9a12cf 100644
> --- a/docs/certificate-management.rst > +++ b/docs/certificate-management.rst 
> @@ -303,3 +303,34 @@ Test your new certificate, using your browser. > > .. [1] > acme.sh https://github.com/acmesh-official/acme.sh > + > +Manually Renew Self-signed Certificates > +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > + > +Proxmox Datacenter Manager creates and renews a self-signed certificate = if no > +custom or ACME certificate is provided. Older versions issued a certific= ate > +that was valid for almost 1000 years and did not renew this certificate. > +Beginning with version 1.1, new setups use shorter lived certificates th= at will > +be regularly renewed. Old self-signed certificates are not replaced in o= rder to > +not disrupt existing backup setups. In such cases, the following line is

the "backup" here should be dropped ofc. i'll include that in the next version. sorry for any inconvenience.

> +logged: > + > +.. code-block:: console > + > + Apr 04 12:17:51 pdm proxmox-datacenter-manager-daily-update[1170]: Se= lf-signed certificate is valid for an excessive amount of time. Please rene= w it. > + > +To manually renew a certificate, navigate to Configuration -> Certificat= es. > +Select the certificate ``proxy.pem``. Then click the "Delete Custom

on a sidenote: i just noticed that in pdm the file is actually `/etc/proxmox-datacenter-manager/auth/api.pem`. `proxy.pem` is still used here because we hard-code the certificate name [1,2]. i'd add patches to fix that too in a next version of this series.

[1]: https://git.proxmox.com/?p=proxmox-datacenter-manager.git;a=blob;f=server/src/api/nodes/certificates.rs;h=47aef7ad;hb=HEAD#l51
[2]: https://git.proxmox.com/?p=ui/proxmox-yew-comp.git;a=blob;f=src/acme/certificate_list.rs;h=2553bac6;hb=HEAD#l125

> +Certificate" button. Alternatively, you can run the following command: > + > +.. code-block:: shell > + > + proxmox-datacenter-manager-admin cert update --force > + > +..
WARNING:: Any client using a fingerprint to verify TLS sessions with = the > + server will need to be updated with the new fingerprint. > + > +After manually renewing the certificate once, Proxmox Datacenter Manager= will > +start renewing the certificate itself. A certificate will be renewed at = the > +earliest 15 days before it expires. Starting from 30 days before it expi= res, > +notifications will be issued with a reminder about the upcoming renewal. > diff --git a/server/src/bin/proxmox-datacenter-manager-daily-update.rs b/= server/src/bin/proxmox-datacenter-manager-daily-update.rs > index deed0be..8e5f67a 100644 > --- a/server/src/bin/proxmox-datacenter-manager-daily-update.rs > +++ b/server/src/bin/proxmox-datacenter-manager-daily-update.rs > @@ -108,6 +108,10 @@ async fn renew_self_signed_certificate() -> Result<(= ), Error> { > } else if days <=3D 30 { > log::info!("Certificate expires within 30 days."); > // fixme: send_upcoming_self_signed_renewal_notification()?; > + } else if days > 365 * 10 { > + log::warn!( > + "Self-signed certificate is valid for an excessive amount of= time. Please renew it." > + ); > } > > Ok(())
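Review bot: The docs hunk promises behaviour the code in this series does not deliver yet: its closing paragraph states "Starting from 30 days before it expires, notifications will be issued with a reminder about the upcoming renewal", while the daily-update hunk still carries `// fixme: send_upcoming_self_signed_renewal_notification()?;` and only emits `log::info!("Certificate expires within 30 days.")`. Either describe it as a log entry for now or hold that sentence until the notification is implemented, so an admin does not wait for a reminder that never arrives. Two smaller points in the same hunk: the section is titled "Manually Renew Self-signed Certificates" but tells the reader to press the "Delete Custom Certificate" button, so one sentence stating that removing the certificate makes the manager generate a fresh self-signed one (as the first paragraph already says it does when no custom or ACME certificate is present) would make the intent clear; and the WARNING about fingerprint-pinning clients also applies to the GUI path, not only to `cert update --force`, so it is worth placing it before both instructions. The `proxy.pem` file name and the stray "backup setups" wording are already flagged in the reply above.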
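Review bot: In the daily-update hunk, `days > 365 * 10` is a magic number whose meaning lives only in the commit message (3650 days, the default lifetime generated by proxmox-acme-api); give it a named constant with that explanation as a comment, because the docs hunk independently states the "almost ten years" figure and the two will drift apart silently. Note also that the threshold equals the stated default lifetime exactly, so the check relies on `days` for a freshly generated certificate never exceeding 3650; if `days` is derived with any rounding up, a brand-new certificate would be warned about on its first daily run. Either leave some headroom above the default or record the rounding assumption next to the constant. Finally, the warning string is duplicated verbatim in the docs code-block; if it is reworded later, both places must change together.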