public inbox for pdm-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: "Lukas Wagner" <l.wagner@proxmox.com>
To: "Shannon Sterz" <s.sterz@proxmox.com>, <pdm-devel@lists.proxmox.com>
Subject: Re: [PATCH proxmox-backup 04/11] config/server/api: add certificate renewal logic including notifications
Date: Fri, 10 Jul 2026 13:17:10 +0200	[thread overview]
Message-ID: <DJUUKWOZRJFG.26MQEMVN3HEHL@proxmox.com> (raw)
In-Reply-To: <20260618115443.48618-5-s.sterz@proxmox.com>

Hi Shannon,

some notes inline.

On Thu Jun 18, 2026 at 1:54 PM CEST, Shannon Sterz wrote:
>  /// Check configuration directory permissions
>  ///
>  /// For security reasons, we want to make sure they are set correctly:
> @@ -89,7 +91,7 @@ pub fn update_self_signed_cert(force: bool) -> Result<(), Error> {
>      let resolv_conf = crate::api2::node::dns::read_etc_resolv_conf()?;
>  
>      let (priv_key, cert) = proxmox_acme_api::create_self_signed_cert(
> -        "Proxmox Backup Server",
> +        PRODUCT_NAME,
>          proxmox_sys::nodename(),
>          resolv_conf["search"].as_str(),
>          None,
> diff --git a/src/server/notifications/mod.rs b/src/server/notifications/mod.rs
> index 0f772ddd9..2b55e980e 100644
> --- a/src/server/notifications/mod.rs
> +++ b/src/server/notifications/mod.rs
> @@ -575,6 +575,56 @@ pub fn send_certificate_renewal_mail(result: &Result<(), Error>) -> Result<(), E
>      Ok(())
>  }
>  
> +/// Send email for upcoming self signed renewal.
> +pub fn send_upcoming_self_signed_renewal_notification() -> Result<(), Error> {
> +    let metadata = HashMap::from([
> +        ("hostname".into(), proxmox_sys::nodename().into()),
> +        ("type".into(), "cert".into()),
> +    ]);
> +
> +    let notification = Notification::from_template(
> +        Severity::Info,

Maybe this should use Severity::Notice? Since it might require some
attention from the user?

> +        "cert-upcoming-refresh",
> +        serde_json::to_value(CommonData::new())?,
> +        metadata,
> +    );
> +
> +    send_notification(notification)?;
> +    Ok(())
> +}
> +
> +/// Send email renewed self-signed certificate
> +pub fn send_self_signed_renewal_notification(result: &Result<(), Error>) -> Result<(), Error> {
> +    let metadata = HashMap::from([
> +        ("hostname".into(), proxmox_sys::nodename().into()),
> +        ("type".into(), "acme".into()),

I guess the type should be "cert"?

Also, maybe a longer 'cert-renewal' might be clearer. Maybe we could
consolidate the ACME and self-signed notifications at some point
(probably during a major upgrade, since notification matchers might rely
on the type being 'acme')

> +    ]);
> +
> +    let notification = match result {
> +        Err(e) => {
> +            let template_data = AcmeErrTemplateData {
> +                common: CommonData::new(),
> +                error: format!("{e:#}"),
> +            };
> +
> +            Notification::from_template(
> +                Severity::Info,

This should be Severity::Error. Seems like in the pre-existing
ACME certificate notification it also only uses Info, which seems like a
bug to me. Feel free to fix it there as well.

> +                "acme-err",

Considering that templates can be overridden by users, we might want use
a dedicated template for the self-signed ones. Or, as mentioned above,
consolidate the notification types, which *could* (but does not have to)
mean that we also use the same templates for both, ACME and self-signed.

> +                serde_json::to_value(template_data)?,
> +                metadata,
> +            )
> +        }
> +        _ => Notification::from_template(
> +            Severity::Info,
> +            "cert-refresh",
> +            serde_json::to_value(CommonData::new())?,
> +            metadata,
> +        ),

I've just realized that we don't really send notifications for
successful ACME cert refreshes, so maybe we should do this in the future
as well. This would of course be a separate patch series, just thinking
out aloud here.

> +    };
> +
> +    send_notification(notification)
> +}
> +
>  /// Send notification if datastore values are exceeding the set threshold limit.
>  pub fn send_datastore_threshold_exceeded(
>      datastore: &str,
[...]
> diff --git a/templates/default/cert-refresh-body.txt.hbs b/templates/default/cert-refresh-body.txt.hbs
> new file mode 100644
> index 000000000..608ba30c0
> --- /dev/null
> +++ b/templates/default/cert-refresh-body.txt.hbs
> @@ -0,0 +1,8 @@
> +Proxmox Backup Server has refreshed its self-signed TLS certificate.
> +
> +The new certificate is now active. Please update any clients relying on the
> +certificate fingerprint to verify their connection to the server.
> +
> +Please visit the web interface for further details:
> +
> +<{{base-url}}/#pbsCertificateConfiguration>
> diff --git a/templates/default/cert-refresh-subject.txt.hbs b/templates/default/cert-refresh-subject.txt.hbs
> new file mode 100644
> index 000000000..e57f5cd4c
> --- /dev/null
> +++ b/templates/default/cert-refresh-subject.txt.hbs
> @@ -0,0 +1 @@
> +Self-Signed Certificate Has Been Refreshed
> diff --git a/templates/default/cert-upcoming-refresh-body.txt.hbs b/templates/default/cert-upcoming-refresh-body.txt.hbs
> new file mode 100644
> index 000000000..8d199c9fd
> --- /dev/null
> +++ b/templates/default/cert-upcoming-refresh-body.txt.hbs
> @@ -0,0 +1,9 @@
> +Proxmox Backup Server will refresh its TLS certificate within the next 30 days.

I wonder, would it be possible to include a concrete date here? If I
understood it correctly, the first time the user receives this
notification, the renewal would be first attempted in 15 days at the
earliest, so maybe this should be mentioned.

> +
> +If you rely on the certificate's fingerprint to verify TLS sessions between the
> +server and a client, please update the fingerprint once the certificate was
> +updated. Otherwise, no action is required.
> +
> +Please visit the web interface for further details:
> +
> +<{{base-url}}/#pbsCertificateConfiguration>
> diff --git a/templates/default/cert-upcoming-refresh-subject.txt.hbs b/templates/default/cert-upcoming-refresh-subject.txt.hbs
> new file mode 100644
> index 000000000..f188e391c
> --- /dev/null
> +++ b/templates/default/cert-upcoming-refresh-subject.txt.hbs
> @@ -0,0 +1 @@
> +Self-signed Certificate is About to be Refreshed





  reply	other threads:[~2026-07-10 11:17 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-18 11:54 [PATCH datacenter-manager/proxmox{,-backup} 00/11] TLS Certificate Rotation Shannon Sterz
2026-06-18 11:54 ` [PATCH proxmox 01/11] acme-api: make self-signed certificate expiry configurable Shannon Sterz
2026-07-10 11:15   ` Lukas Wagner
2026-06-18 11:54 ` [PATCH proxmox-backup 02/11] config: use proxmox_acme_api for generating self-signed certificates Shannon Sterz
2026-06-18 11:54 ` [PATCH proxmox-backup 03/11] config: adapt to api change in proxmox_acme_api, add expiry paramter Shannon Sterz
2026-06-18 11:54 ` [PATCH proxmox-backup 04/11] config/server/api: add certificate renewal logic including notifications Shannon Sterz
2026-07-10 11:17   ` Lukas Wagner [this message]
2026-06-18 11:54 ` [PATCH proxmox-backup 05/11] daily-update/docs: warn on excessive self-signed certificate lifetime Shannon Sterz
2026-07-10 11:17   ` Lukas Wagner
2026-06-18 11:54 ` [PATCH proxmox-backup 06/11] backup-manager cli: `cert update` can create auth and csrf key Shannon Sterz
2026-06-18 11:54 ` [PATCH datacenter-manager 07/11] certs: adapt to api change in proxmox_acme_api, add expiry paramter Shannon Sterz
2026-06-18 11:54 ` [PATCH datacenter-manager 08/11] api/auth/bin: add certificate renewal logic Shannon Sterz
2026-07-10 11:17   ` Lukas Wagner
2026-06-18 11:54 ` [PATCH datacenter-manager 09/11] cli: expose certificate management endpoints via the cli Shannon Sterz
2026-06-18 11:54 ` [PATCH datacenter-manager 10/11] daily-update/docs: warn on excessive tls certificate validity periods Shannon Sterz
2026-06-18 11:54 ` [PATCH datacenter-manager 11/11] docs/certificates: use correct certificate file name Shannon Sterz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DJUUKWOZRJFG.26MQEMVN3HEHL@proxmox.com \
    --to=l.wagner@proxmox.com \
    --cc=pdm-devel@lists.proxmox.com \
    --cc=s.sterz@proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal