Date: Wed, 22 Apr 2026 14:42:24 +0200
Subject: Re: [RFC datacenter-manager/proxmox{,-backup} 00/10] TLS Certificate Rotation
From: "Shannon Sterz"
In-Reply-To: <20260407135714.490747-1-s.sterz@proxmox.com>
List-Id: Proxmox Backup Server development discussion
Superseded-by: https://lore.proxmox.com/pbs-devel/20260422124022.17952-1-s.sterz@proxmox.com/T/#t

On Tue Apr 7, 2026 at 3:57 PM CEST, Shannon Sterz wrote:
> this series adds certificate rotation to Proxmox Backup Server and Proxmox
> Datacenter Manager. currently, both products issue a certificate that is valid
> for almost 1000 years (365000 days). no cryptographic key can reasonably be
> considered secure for this amount of time. this series:
>
> - allows specifying the lifetime of the certificate when creating one via
>   proxmox-acme-api and reduces the default to 3650 days (almost ten years).
> - sends and logs reminders 30 days before a certificate expires (pdm currently
>   does not support the notification framework yet, so adding notifications is
>   left as future work here).
> - refreshes a certificate at the earliest 15 days before it expires, logs
>   and notifies when that happens.
> - warns on certificates with excessive lifetimes (>3650 days) and documents
>   how to manually update them.
> - for pdm: exposes cert handling cli methods in
>   proxmox-datacenter-manager-admin.
>
> sending this as an rfc mainly because there are some open questions for me
> about the chosen time frames for the lifetime and renewal periods.
>
> ## Testing
>
> the easiest way to test this is to manipulate the date of the host with
> `date --set` and then manually trigger the daily update binary for each
> product:
>
> * PBS: `/usr/lib/x86_64-linux-gnu/proxmox-backup/proxmox-daily-update`
> * PDM: `/usr/libexec/proxmox/proxmox-datacenter-manager-daily-update`
>
> you can then check the logs and the certificate itself to see what happened.
> specifying the `PBS_LOG` with the parameter `trace` or `debug` will also enable
> debug logging here.
>
> ## Open Questions
>
> + 10 years is still a long time and i'd rather reduce that further down if
>   possible. see the first patch for proxmox-acme-api for more info.
> + should we remove pre-existing long lasting certificates by ourselves? imo
>   that is too risky at the moment given that an unplanned certificate rotation
>   could cause backups to fail.
> + notifying every day for 15 days before the renewal might be excessive, see
>   the second commit for pbs.
>
> ## Future Work
>
> - pve and pdm should be extended to allow automatically updating allowed
>   fingerprints before a new self-signed certificate goes into action. this will
>   be handled in a follow-up series. if this series is applied, we have ten years
>   to implement such a mechanism before any setups are realistically expected to
>   break.
> - pdm should send notifications similar to pbs once support for notifications
>   is added.
>
>
> proxmox:
>
> Shannon Sterz (1):
>   acme-api: make self-signed certificate expiry configurable
>
>  proxmox-acme-api/src/certificate_helpers.rs | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
>
> backup:
>
> Shannon Sterz (5):
>   config: use proxmox_acme_api for generating self-signed certificates
>   config: adapt to api change in proxmox_acme_api, add expiry paramter
>   config/server/api: add certificate renewal logic including
>     notifications
>   daily-update/docs: warn on excessive self-signed certificate lifetime
>   backup-manager cli: `cert update` can create auth and csrf key
>
>  debian/proxmox-backup-server.install          |  4 +
>  docs/certificate-management.rst               | 31 ++++++
>  src/api2/node/certificates.rs                 | 44 +++++++++
>  src/bin/proxmox-daily-update.rs               | 32 +++++++
>  src/bin/proxmox_backup_manager/cert.rs        |  2 +
>  src/config/mod.rs                             | 96 ++-----------------
>  src/server/notifications/mod.rs               | 50 ++++++++++
>  templates/Makefile                            | 62 ++++++------
>  templates/default/cert-refresh-body.txt.hbs   |  8 ++
>  .../default/cert-refresh-subject.txt.hbs      |  1 +
>  .../cert-upcoming-refresh-body.txt.hbs        |  9 ++
>  .../cert-upcoming-refresh-subject.txt.hbs     |  1 +
>  12 files changed, 225 insertions(+), 115 deletions(-)
>  create mode 100644 templates/default/cert-refresh-body.txt.hbs
>  create mode 100644 templates/default/cert-refresh-subject.txt.hbs
>  create mode 100644 templates/default/cert-upcoming-refresh-body.txt.hbs
>  create mode 100644 templates/default/cert-upcoming-refresh-subject.txt.hbs
>
>
> datacenter-manager:
>
> Shannon Sterz (4):
>   certs: adapt to api change in proxmox_acme_api, add expiry paramter
>   api/auth/bin: add certificate renewal logic
>   cli: expose certificate management endpoints via the cli
>   daily-update/docs: warn on excessive tls certificate validity periods
>
>  cli/admin/Cargo.toml                          |  2 +
>  cli/admin/src/cert.rs                         | 86 +++++++++++++++++++
>  cli/admin/src/main.rs                         |  2 +
>  docs/certificate-management.rst               | 31 +++++++
>  server/Cargo.toml                             |  1 +
>  server/src/api/nodes/certificates.rs          | 48 +++++++++++
>  server/src/auth/certs.rs                      |  4 +-
>  ...proxmox-datacenter-manager-daily-update.rs | 30 +++++++
>  8 files changed, 203 insertions(+), 1 deletion(-)
>  create mode 100644 cli/admin/src/cert.rs
>
>
> Summary over all repositories:
>   21 files changed, 430 insertions(+), 117 deletions(-)
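
For the "check the certificate itself" step in the testing notes, an added example that is not part of the series: it classifies a certificate against the 30-day reminder, 15-day renewal and 3650-day lifetime thresholds named in the cover letter. The function names and the inclusive boundary handling are assumptions; the certificate path is supplied by the caller, and an optional second argument evaluates against a given epoch instead of the host clock.

```shell
#!/bin/sh
# Added example, not code from the patch series.
# Thresholds are taken from the cover letter; boundary handling is assumed.
REMIND_DAYS=30      # reminders start 30 days before expiry
RENEW_DAYS=15       # refresh happens at the earliest 15 days before expiry
MAX_LIFETIME=3650   # lifetimes above this many days are reported as excessive

# cert_status NOT_BEFORE NOT_AFTER NOW   (all in epoch seconds)
# Prints one of expired|renew|remind|ok, followed by "excessive" when the
# total validity period exceeds MAX_LIFETIME days.
cert_status() {
    nb=$1; na=$2; now=$3
    lifetime=$(( (na - nb) / 86400 ))
    left=$(( na - now ))
    if [ "$left" -le 0 ]; then
        state=expired
    elif [ "$left" -le $(( RENEW_DAYS * 86400 )) ]; then
        state=renew
    elif [ "$left" -le $(( REMIND_DAYS * 86400 )) ]; then
        state=remind
    else
        state=ok
    fi
    if [ "$lifetime" -gt "$MAX_LIFETIME" ]; then
        state="$state excessive"
    fi
    echo "$state"
}

# cert_epochs FILE: print notBefore and notAfter as epoch seconds.
# Needs openssl and GNU date (for `date -d`).
cert_epochs() {
    start=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    [ -n "$start" ] && [ -n "$end" ] || return 1
    echo "$(date -d "$start" +%s) $(date -d "$end" +%s)"
}

# Usage: sh cert-check.sh CERT.pem [NOW_EPOCH]
if [ "$#" -ge 1 ]; then
    epochs=$(cert_epochs "$1") || { echo "cannot read $1" >&2; exit 1; }
    # Word splitting of $epochs into two arguments is intended here.
    cert_status $epochs "${2:-$(date +%s)}"
fi
```

A certificate issued with the old 365000-day validity reports `ok excessive`, which matches the series' choice to warn about such certificates rather than replace them automatically.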