From: "Lukas Wagner" <l.wagner@proxmox.com>
To: "Shannon Sterz" <s.sterz@proxmox.com>, <pdm-devel@lists.proxmox.com>
Subject: Re: [PATCH proxmox-backup 04/11] config/server/api: add certificate renewal logic including notifications
Date: Fri, 10 Jul 2026 13:17:10 +0200 [thread overview]
Message-ID: <DJUUKWOZRJFG.26MQEMVN3HEHL@proxmox.com> (raw)
In-Reply-To: <20260618115443.48618-5-s.sterz@proxmox.com>
Hi Shannon,
some notes inline.
On Thu Jun 18, 2026 at 1:54 PM CEST, Shannon Sterz wrote:
> /// Check configuration directory permissions
> ///
> /// For security reasons, we want to make sure they are set correctly:
> @@ -89,7 +91,7 @@ pub fn update_self_signed_cert(force: bool) -> Result<(), Error> {
> let resolv_conf = crate::api2::node::dns::read_etc_resolv_conf()?;
>
> let (priv_key, cert) = proxmox_acme_api::create_self_signed_cert(
> - "Proxmox Backup Server",
> + PRODUCT_NAME,
> proxmox_sys::nodename(),
> resolv_conf["search"].as_str(),
> None,
> diff --git a/src/server/notifications/mod.rs b/src/server/notifications/mod.rs
> index 0f772ddd9..2b55e980e 100644
> --- a/src/server/notifications/mod.rs
> +++ b/src/server/notifications/mod.rs
> @@ -575,6 +575,56 @@ pub fn send_certificate_renewal_mail(result: &Result<(), Error>) -> Result<(), E
> Ok(())
> }
>
> +/// Send email for upcoming self signed renewal.
> +pub fn send_upcoming_self_signed_renewal_notification() -> Result<(), Error> {
> + let metadata = HashMap::from([
> + ("hostname".into(), proxmox_sys::nodename().into()),
> + ("type".into(), "cert".into()),
> + ]);
> +
> + let notification = Notification::from_template(
> + Severity::Info,
Maybe this should use Severity::Notice? Since it might require some
attention from the user?
> + "cert-upcoming-refresh",
> + serde_json::to_value(CommonData::new())?,
> + metadata,
> + );
> +
> + send_notification(notification)?;
> + Ok(())
> +}
> +
> +/// Send email renewed self-signed certificate
> +pub fn send_self_signed_renewal_notification(result: &Result<(), Error>) -> Result<(), Error> {
> + let metadata = HashMap::from([
> + ("hostname".into(), proxmox_sys::nodename().into()),
> + ("type".into(), "acme".into()),
I guess the type should be "cert"?
Also, maybe a longer 'cert-renewal' might be clearer. Maybe we could
consolidate the ACME and self-signed notifications at some point
(probably during a major upgrade, since notification matchers might rely
on the type being 'acme')
> + ]);
> +
> + let notification = match result {
> + Err(e) => {
> + let template_data = AcmeErrTemplateData {
> + common: CommonData::new(),
> + error: format!("{e:#}"),
> + };
> +
> + Notification::from_template(
> + Severity::Info,
This should be Severity::Error. Seems like in the pre-existing
ACME certificate notification it also only uses Info, which seems like a
bug to me. Feel free to fix it there as well.
> + "acme-err",
Considering that templates can be overridden by users, we might want use
a dedicated template for the self-signed ones. Or, as mentioned above,
consolidate the notification types, which *could* (but does not have to)
mean that we also use the same templates for both, ACME and self-signed.
> + serde_json::to_value(template_data)?,
> + metadata,
> + )
> + }
> + _ => Notification::from_template(
> + Severity::Info,
> + "cert-refresh",
> + serde_json::to_value(CommonData::new())?,
> + metadata,
> + ),
I've just realized that we don't really send notifications for
successful ACME cert refreshes, so maybe we should do this in the future
as well. This would of course be a separate patch series, just thinking
out aloud here.
> + };
> +
> + send_notification(notification)
> +}
> +
> /// Send notification if datastore values are exceeding the set threshold limit.
> pub fn send_datastore_threshold_exceeded(
> datastore: &str,
[...]
> diff --git a/templates/default/cert-refresh-body.txt.hbs b/templates/default/cert-refresh-body.txt.hbs
> new file mode 100644
> index 000000000..608ba30c0
> --- /dev/null
> +++ b/templates/default/cert-refresh-body.txt.hbs
> @@ -0,0 +1,8 @@
> +Proxmox Backup Server has refreshed its self-signed TLS certificate.
> +
> +The new certificate is now active. Please update any clients relying on the
> +certificate fingerprint to verify their connection to the server.
> +
> +Please visit the web interface for further details:
> +
> +<{{base-url}}/#pbsCertificateConfiguration>
> diff --git a/templates/default/cert-refresh-subject.txt.hbs b/templates/default/cert-refresh-subject.txt.hbs
> new file mode 100644
> index 000000000..e57f5cd4c
> --- /dev/null
> +++ b/templates/default/cert-refresh-subject.txt.hbs
> @@ -0,0 +1 @@
> +Self-Signed Certificate Has Been Refreshed
> diff --git a/templates/default/cert-upcoming-refresh-body.txt.hbs b/templates/default/cert-upcoming-refresh-body.txt.hbs
> new file mode 100644
> index 000000000..8d199c9fd
> --- /dev/null
> +++ b/templates/default/cert-upcoming-refresh-body.txt.hbs
> @@ -0,0 +1,9 @@
> +Proxmox Backup Server will refresh its TLS certificate within the next 30 days.
I wonder, would it be possible to include a concrete date here? If I
understood it correctly, the first time the user receives this
notification, the renewal would be first attempted in 15 days at the
earliest, so maybe this should be mentioned.
> +
> +If you rely on the certificate's fingerprint to verify TLS sessions between the
> +server and a client, please update the fingerprint once the certificate was
> +updated. Otherwise, no action is required.
> +
> +Please visit the web interface for further details:
> +
> +<{{base-url}}/#pbsCertificateConfiguration>
> diff --git a/templates/default/cert-upcoming-refresh-subject.txt.hbs b/templates/default/cert-upcoming-refresh-subject.txt.hbs
> new file mode 100644
> index 000000000..f188e391c
> --- /dev/null
> +++ b/templates/default/cert-upcoming-refresh-subject.txt.hbs
> @@ -0,0 +1 @@
> +Self-signed Certificate is About to be Refreshed
next prev parent reply other threads:[~2026-07-10 11:17 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-18 11:54 [PATCH datacenter-manager/proxmox{,-backup} 00/11] TLS Certificate Rotation Shannon Sterz
2026-06-18 11:54 ` [PATCH proxmox 01/11] acme-api: make self-signed certificate expiry configurable Shannon Sterz
2026-07-10 11:15 ` Lukas Wagner
2026-06-18 11:54 ` [PATCH proxmox-backup 02/11] config: use proxmox_acme_api for generating self-signed certificates Shannon Sterz
2026-06-18 11:54 ` [PATCH proxmox-backup 03/11] config: adapt to api change in proxmox_acme_api, add expiry paramter Shannon Sterz
2026-06-18 11:54 ` [PATCH proxmox-backup 04/11] config/server/api: add certificate renewal logic including notifications Shannon Sterz
2026-07-10 11:17 ` Lukas Wagner [this message]
2026-06-18 11:54 ` [PATCH proxmox-backup 05/11] daily-update/docs: warn on excessive self-signed certificate lifetime Shannon Sterz
2026-07-10 11:17 ` Lukas Wagner
2026-06-18 11:54 ` [PATCH proxmox-backup 06/11] backup-manager cli: `cert update` can create auth and csrf key Shannon Sterz
2026-06-18 11:54 ` [PATCH datacenter-manager 07/11] certs: adapt to api change in proxmox_acme_api, add expiry paramter Shannon Sterz
2026-06-18 11:54 ` [PATCH datacenter-manager 08/11] api/auth/bin: add certificate renewal logic Shannon Sterz
2026-07-10 11:17 ` Lukas Wagner
2026-06-18 11:54 ` [PATCH datacenter-manager 09/11] cli: expose certificate management endpoints via the cli Shannon Sterz
2026-06-18 11:54 ` [PATCH datacenter-manager 10/11] daily-update/docs: warn on excessive tls certificate validity periods Shannon Sterz
2026-06-18 11:54 ` [PATCH datacenter-manager 11/11] docs/certificates: use correct certificate file name Shannon Sterz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJUUKWOZRJFG.26MQEMVN3HEHL@proxmox.com \
--to=l.wagner@proxmox.com \
--cc=pdm-devel@lists.proxmox.com \
--cc=s.sterz@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox