From: Shannon Sterz <s.sterz@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [PATCH manager 02/17] bin/api: add a new staged certificate when renewing self-signed cert
Date: Thu, 11 Jun 2026 14:03:12 +0200 [thread overview]
Message-ID: <20260611120327.257523-3-s.sterz@proxmox.com> (raw)
In-Reply-To: <20260611120327.257523-1-s.sterz@proxmox.com>
when a certificate is about to expire (within the next four weeks, up
to two weeks before it expires), create a new staged "next"
certificate. by including this certificate when querying the api,
clients can prepare for when the certificate is about to be rotated.
allowing them to update to the new fingerprint, without needing an
additional out-of-band communication channel.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
PVE/API2/Certificates.pm | 5 ++++-
PVE/CertHelpers.pm | 6 ++++++
bin/pveupdate | 44 ++++++++++++++++++++++++++++++++--------
3 files changed, 45 insertions(+), 10 deletions(-)
diff --git a/PVE/API2/Certificates.pm b/PVE/API2/Certificates.pm
index de8762c53..bcd650c3b 100644
--- a/PVE/API2/Certificates.pm
+++ b/PVE/API2/Certificates.pm
@@ -70,7 +70,10 @@ __PACKAGE__->register_method({
my $res = [];
my $cert_paths = [
- '/etc/pve/pve-root-ca.pem', "$node_path/pve-ssl.pem", "$node_path/pveproxy-ssl.pem",
+ '/etc/pve/pve-root-ca.pem',
+ "$node_path/pve-ssl.pem",
+ "$node_path/pveproxy-ssl.pem",
+ "$node_path/pve-ssl-next.pem",
];
for my $path (@$cert_paths) {
eval {
diff --git a/PVE/CertHelpers.pm b/PVE/CertHelpers.pm
index 202dec0ee..4272eaf57 100644
--- a/PVE/CertHelpers.pm
+++ b/PVE/CertHelpers.pm
@@ -55,6 +55,12 @@ sub default_cert_path_prefix {
return "/etc/pve/nodes/${node}/pve-ssl";
}
+sub default_next_cert_path_prefix {
+ my ($node) = @_;
+
+ return "/etc/pve/nodes/${node}/pve-ssl-next";
+}
+
sub cert_lock {
my ($timeout, $code, @param) = @_;
diff --git a/bin/pveupdate b/bin/pveupdate
index b1960c353..0842ec893 100755
--- a/bin/pveupdate
+++ b/bin/pveupdate
@@ -103,10 +103,12 @@ syslog('err', "Renewing ACME certificate failed: $@") if $@;
eval {
my $certpath = PVE::CertHelpers::default_cert_path_prefix($nodename) . ".pem";
+ my $next_certpath = PVE::CertHelpers::default_next_cert_path_prefix($nodename) . ".pem";
my $capath = "/etc/pve/pve-root-ca.pem";
+ my $now = time();
my $renew = sub {
- my ($msg) = @_;
+ my ($msg, $use_later) = @_;
# get CA info
my $cainfo = PVE::Certificate::get_certificate_info($capath);
@@ -127,19 +129,43 @@ eval {
print "PVE certificate $msg\n";
# create new certificate
my $ip = PVE::Cluster::remote_node_ip($nodename);
- PVE::Cluster::Setup::gen_pve_ssl_cert(1, $nodename, $ip);
- print "Restarting pveproxy after renewing certificate\n";
- PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
+ if ($use_later) {
+ PVE::Cluster::Setup::gen_pve_ssl_cert(1, $nodename, $ip, $next_certpath);
+ } else {
+ PVE::Cluster::Setup::gen_pve_ssl_cert(1, $nodename, $ip);
+ print "Restarting pveproxy after renewing certificate\n";
+ PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
+ }
};
- if (PVE::Certificate::check_expiry($certpath)) {
+ if (PVE::Certificate::check_expiry($certpath, $now)) {
# already expired
$renew->("expired, renewing...");
- } elsif (PVE::Certificate::check_expiry($certpath, time() + 14 * 24 * 60 * 60)) {
- # expires in next 2 weeks
- $renew->("expires soon, renewing...");
- } elsif (!PVE::Certificate::check_expiry($certpath, time() + 2 * 365 * 24 * 60 * 60)) {
+ } elsif (PVE::Certificate::check_expiry($certpath, $now + 14 * 24 * 60 * 60)) {
+ # expires in next 2 weeks, renew certificate if no "next" certificate already exists.
+ # rotate in the next certificate if it exists and does not expire.
+ if (
+ -f $next_certpath
+ && !PVE::Certificate::check_expiry($next_certpath, $now + 14 * 24 * 60 * 60)
+ ) {
+ rename($next_certpath, $certpath);
+ print "Restarting pveproxy after rotating certificate\n";
+ PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
+ } else {
+ $renew->("expires soon, renewing...");
+
+ # clean up the now useless staged certificate, if there is one
+ if (-f $next_certpath) {
+ unlink $next_certpath
+ or $!{ENOENT}
+ or warn "failed to clean-up $next_certpath - $!\n";
+ }
+ }
+ } elsif (PVE::Certificate::check_expiry($certpath, $now + 28 * 24 * 60 * 60)) {
+ # expires in the next 4 weeks, create new cert, but don't use it yet
+ $renew->("staging new certificate...", 1);
+ } elsif (!PVE::Certificate::check_expiry($certpath, $now + 2 * 365 * 24 * 60 * 60)) {
# expires in more than 2 years
$renew->(
"expires in more than 2 years, renewing to reduce certificate life-span for client compatibility..."
--
2.47.3
next prev parent reply other threads:[~2026-06-11 12:04 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-11 12:03 [RFC cluster/datacenter-manager/manager/proxmox 00/17] TLS Certificate Staging Shannon Sterz
2026-06-11 12:03 ` [PATCH cluster 01/17] setup: allow caller to provide the certificate filename Shannon Sterz
2026-06-11 12:03 ` Shannon Sterz [this message]
2026-06-11 12:03 ` [PATCH manager 03/17] api: certificates: if node parameter is 'localhost' return local certs Shannon Sterz
2026-06-11 12:03 ` [PATCH proxmox 04/17] client: ignore certificate trust store validation result on fp option Shannon Sterz
2026-06-11 12:03 ` [PATCH proxmox 05/17] pve-api-types: expose certificates info endpoint Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 06/17] client: don't short-circuit on valid certificate when tls fp exists Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 07/17] client: allow users to update a changed fingerprint interactively Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 08/17] cli/api-types: move Fingerprint to common api type crate Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 09/17] server: connection: report mismatching fingerprint as untrusted on probe Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 10/17] ui: wizzard: add context if a provided fingerprint did not match remote Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 11/17] ui: wizzard: nodes page: always update fingerprints on user confirmation Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 12/17] pdm-api-types: implement ApiType for Fingerprint Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 13/17] pdm-api-types: add staged_fingerprints field to NodeUrl Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 14/17] server: remotes: lock remotes config when updating it Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 15/17] server: connection: rotate in staged fingerprints when encountering them Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 16/17] server: api: tasks: move `spawn_aborted_on_shutdown()` to super module Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 17/17] server: bin: api: tasks: add task to discover new staged certificates Shannon Sterz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260611120327.257523-3-s.sterz@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=pdm-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox