Re: [RFC datacenter-manager/proxmox{,-backup} 00/10] TLS Certificate Rotation

["Shannon Sterz" <s.sterz@proxmox.com>]

Superseded-by: https://lore.proxmox.com/pbs-devel/20260422124022.17952-1-s.sterz@proxmox.com/T/#t

On Tue Apr 7, 2026 at 3:57 PM CEST, Shannon Sterz wrote:
> this series adds certificate rotation to Proxmox Backup Server and Proxmox
> Datacenter Manager. currently, both products issue a certificate that is valid
> for almost 1000 years (365000 days). no cryptographic key can reasonably be
> considered secure for this amount of time. this series:
>
> - allows specifying the lifetime of the certificate when creating one via
>   proxmox-acme-api and reduces the default to 3650 days (almost ten years).
> - sends and logs reminders 30 days before a certificate expires (pdm currently
>   does not support the notification framework yet, so adding notifications is
>   left as future work here).
> - refreshes a certificate at the earliest 15 days before it expires, logs
>   and notifies when that happens.
> - warns on certificates with excessive lifetimes (>3650 days) and documents
>   how to manually update them.
> - for pdm: exposes cert handling cli methods in proxmox-datacenter-manager-admin.
>
> sending this as an rfc mainly because there are some open questions for me
> about the chosen time frames for the lifetime and renewal periods.
>
> ## Testing
>
> the easiest way to test this is to manipulate the date of the host with `date
> --set` and then manually trigger the daily update binary for each product:
>
> * PBS: `/usr/lib/x86_64-linux-gnu/proxmox-backup/proxmox-daily-update`
> * PDM: `/usr/libexec/proxmox/proxmox-datacenter-manager-daily-update`
>
> you can then check the logs and the certificate itself to see what happened.
> specifying the `PBS_LOG` with the parameter `trace` or `debug` will also enable
> debug logging here.
>
> ## Open Questions
>
> + 10 years is still a long time and i'd rather reduce that further down if
>   possible. see the first patch for proxmox-acme-api for more info.
> + should we remove pre-existing long lasting certificates by ourselves? imo
>   that is too risky at the moment given that an unplanned certificate rotation
>   could cause backups to fail.
> + notifying every day for 15 days before the renewal might be excessive, see
>   the second commit for pbs.
>
> ## Future Work
>
> - pve and pdm should be extended to allow automatically updating allowed
>   fingerprints before a new self-signed certificate goes into action. this will
>   be handled in a follow-up series. if this series is applied, we have ten years
>   to implement such a mechanism before any setups are realistically expected to
>   break.
> - pdm should send notifications similar to pbs once support for notifications
>   is added.
>
>
> proxmox:
>
> Shannon Sterz (1):
>   acme-api: make self-signed certificate expiry configurable
>
>  proxmox-acme-api/src/certificate_helpers.rs | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
>
> backup:
>
> Shannon Sterz (5):
>   config: use proxmox_acme_api for generating self-signed certificates
>   config: adapt to api change in proxmox_acme_api, add expiry paramter
>   config/server/api: add certificate renewal logic including
>     notifications
>   daily-update/docs: warn on excessive self-signed certificate lifetime
>   backup-manager cli: `cert update` can create auth and csrf key
>
>  debian/proxmox-backup-server.install          |  4 +
>  docs/certificate-management.rst               | 31 ++++++
>  src/api2/node/certificates.rs                 | 44 +++++++++
>  src/bin/proxmox-daily-update.rs               | 32 +++++++
>  src/bin/proxmox_backup_manager/cert.rs        |  2 +
>  src/config/mod.rs                             | 96 ++-----------------
>  src/server/notifications/mod.rs               | 50 ++++++++++
>  templates/Makefile                            | 62 ++++++------
>  templates/default/cert-refresh-body.txt.hbs   |  8 ++
>  .../default/cert-refresh-subject.txt.hbs      |  1 +
>  .../cert-upcoming-refresh-body.txt.hbs        |  9 ++
>  .../cert-upcoming-refresh-subject.txt.hbs     |  1 +
>  12 files changed, 225 insertions(+), 115 deletions(-)
>  create mode 100644 templates/default/cert-refresh-body.txt.hbs
>  create mode 100644 templates/default/cert-refresh-subject.txt.hbs
>  create mode 100644 templates/default/cert-upcoming-refresh-body.txt.hbs
>  create mode 100644 templates/default/cert-upcoming-refresh-subject.txt.hbs
>
>
> datacenter-manager:
>
> Shannon Sterz (4):
>   certs: adapt to api change in proxmox_acme_api, add expiry paramter
>   api/auth/bin: add certificate renewal logic
>   cli: expose certificate management endpoints via the cli
>   daily-update/docs: warn on excessive tls certificate validity periods
>
>  cli/admin/Cargo.toml                          |  2 +
>  cli/admin/src/cert.rs                         | 86 +++++++++++++++++++
>  cli/admin/src/main.rs                         |  2 +
>  docs/certificate-management.rst               | 31 +++++++
>  server/Cargo.toml                             |  1 +
>  server/src/api/nodes/certificates.rs          | 48 +++++++++++
>  server/src/auth/certs.rs                      |  4 +-
>  ...proxmox-datacenter-manager-daily-update.rs | 30 +++++++
>  8 files changed, 203 insertions(+), 1 deletion(-)
>  create mode 100644 cli/admin/src/cert.rs
>
>
> Summary over all repositories:
>   21 files changed, 430 insertions(+), 117 deletions(-)