From: "Lukas Wagner" <l.wagner@proxmox.com>
To: "Shannon Sterz" <s.sterz@proxmox.com>, <pdm-devel@lists.proxmox.com>
Subject: Re: [PATCH proxmox-backup 05/11] daily-update/docs: warn on excessive self-signed certificate lifetime
Date: Fri, 10 Jul 2026 13:17:21 +0200 [thread overview]
Message-ID: <DJUUL1QV0WV2.1QEUFCOC25R3P@proxmox.com> (raw)
In-Reply-To: <20260618115443.48618-6-s.sterz@proxmox.com>
Just nit-picking here, but I think the daily-update part should be a
separate commit.
On Thu Jun 18, 2026 at 1:54 PM CEST, Shannon Sterz wrote:
> and document how to renew it. an excessive lifetime is reported when
> the lifetime of the certificate exceeds 3650 days (almost ten years),
> which corresponds to the default lifetime generated by
> proxmox-acme-api.
>
> Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
> ---
> docs/certificate-management.rst | 31 +++++++++++++++++++++++++++++++
> src/bin/proxmox-daily-update.rs | 4 ++++
> 2 files changed, 35 insertions(+)
>
> diff --git a/docs/certificate-management.rst b/docs/certificate-management.rst
> index 89f628049..722d8d88b 100644
> --- a/docs/certificate-management.rst
> +++ b/docs/certificate-management.rst
> @@ -333,3 +333,34 @@ Test your new certificate, using your browser.
>
> .. [1]
> acme.sh https://github.com/acmesh-official/acme.sh
> +
> +Manually Renew Self-signed Certificates
> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +Proxmox Backup Server creates and renews a self-signed certificate if no custom
> +or ACME certificate is provided. Older versions issued a certificate that was
> +valid for almost 1000 years and did not renew this certificate. Beginning with
> +version 4.2, new setups use shorter lived certificates that will be regularly
Should be 'shorter-lived' with a hyphen, I believe.
> +renewed. Old self-signed certificates are not replaced in order to not disrupt
> +existing backup setups. In such cases, the following line is logged:
> +
> +.. code-block:: console
> +
> + Apr 04 12:17:51 pbs proxmox-daily-update[1170]: Self-signed certificate is valid for an excessive amount of time. Please renew it.
> +
> +To manually renew a certificate, navigate to Configuration -> Certificates.
> +Select the certificate ``proxy.pem``. Then click the "Delete Custom
> +Certificate" button. Alternatively, you can run the following command:
> +
> +.. code-block:: shell
> +
> + proxmox-backup-manager cert update --force
> +
> +.. WARNING:: Any client using a fingerprint to verify TLS sessions with the
> + server will need to be updated with the new fingerprint. This includes any
> + Proxmox VE instance that may use it as a backup destination.
> +
> +After manually renewing the certificate once, Proxmox Backup Server will start
> +renewing the certificate itself. A certificate will be renewed at the earliest
> +15 days before it expires. Starting from 30 days before it expires,
> +notifications will be issued with a reminder about the upcoming renewal.
> diff --git a/src/bin/proxmox-daily-update.rs b/src/bin/proxmox-daily-update.rs
> index ffeb46e49..71fd653ce 100644
> --- a/src/bin/proxmox-daily-update.rs
> +++ b/src/bin/proxmox-daily-update.rs
> @@ -113,6 +113,10 @@ async fn renew_self_signed_certificate() -> Result<(), Error> {
> } else if days <= 30 {
> log::info!("Certificate expires within 30 days, notify about renewal.");
> send_upcoming_self_signed_renewal_notification()?;
> + } else if days > 365 * 10 {
> + log::warn!(
> + "Self-signed certificate is valid for an excessive amount of time. Please renew it."
> + );
> }
>
> Ok(())
next prev parent reply other threads:[~2026-07-10 11:17 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-18 11:54 [PATCH datacenter-manager/proxmox{,-backup} 00/11] TLS Certificate Rotation Shannon Sterz
2026-06-18 11:54 ` [PATCH proxmox 01/11] acme-api: make self-signed certificate expiry configurable Shannon Sterz
2026-07-10 11:15 ` Lukas Wagner
2026-06-18 11:54 ` [PATCH proxmox-backup 02/11] config: use proxmox_acme_api for generating self-signed certificates Shannon Sterz
2026-06-18 11:54 ` [PATCH proxmox-backup 03/11] config: adapt to api change in proxmox_acme_api, add expiry paramter Shannon Sterz
2026-06-18 11:54 ` [PATCH proxmox-backup 04/11] config/server/api: add certificate renewal logic including notifications Shannon Sterz
2026-07-10 11:17 ` Lukas Wagner
2026-06-18 11:54 ` [PATCH proxmox-backup 05/11] daily-update/docs: warn on excessive self-signed certificate lifetime Shannon Sterz
2026-07-10 11:17 ` Lukas Wagner [this message]
2026-06-18 11:54 ` [PATCH proxmox-backup 06/11] backup-manager cli: `cert update` can create auth and csrf key Shannon Sterz
2026-06-18 11:54 ` [PATCH datacenter-manager 07/11] certs: adapt to api change in proxmox_acme_api, add expiry paramter Shannon Sterz
2026-06-18 11:54 ` [PATCH datacenter-manager 08/11] api/auth/bin: add certificate renewal logic Shannon Sterz
2026-07-10 11:17 ` Lukas Wagner
2026-06-18 11:54 ` [PATCH datacenter-manager 09/11] cli: expose certificate management endpoints via the cli Shannon Sterz
2026-06-18 11:54 ` [PATCH datacenter-manager 10/11] daily-update/docs: warn on excessive tls certificate validity periods Shannon Sterz
2026-06-18 11:54 ` [PATCH datacenter-manager 11/11] docs/certificates: use correct certificate file name Shannon Sterz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJUUL1QV0WV2.1QEUFCOC25R3P@proxmox.com \
--to=l.wagner@proxmox.com \
--cc=pdm-devel@lists.proxmox.com \
--cc=s.sterz@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox