[pve-devel] [PATCH manager 1/2] fix #6779: pveupdate: renew already expired certificates

public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed

* [pve-devel] [PATCH manager 1/2] fix #6779: pveupdate: renew already expired certificates
@ 2025-09-09 10:04 Fabian Grünbichler
  2025-09-09 10:04 ` [pve-devel] [PATCH manager 2/2] pveupdate: improve cert renew log messages Fabian Grünbichler
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Fabian Grünbichler @ 2025-09-09 10:04 UTC (permalink / raw)
  To: pve-devel

if nodes are offline for a longer period of time, they might not be renewed by
pveupdate before they expire. the `verify` call here just serves as an
extra safeguard to prevent accidental overwriting of certificates not actually
signed by the cluster CA, checking the expiry time servers no purpose.

Suggested-by: Stephane Chazelas
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
verified by manually creating an expired and a soon-to-be-expired certificate..

 bin/pveupdate | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/bin/pveupdate b/bin/pveupdate
index 757cac868..9984c9369 100755
--- a/bin/pveupdate
+++ b/bin/pveupdate
@@ -111,7 +111,10 @@ eval {
 
         # check if cert is really signed by the ca
         # TODO: replace by low level ssleay interface if version 1.86 is available
-        PVE::Tools::run_command(['/usr/bin/openssl', 'verify', '-CAfile', $capath, $certpath]);
+        my $cmd = [
+            '/usr/bin/openssl', 'verify', '-no_check_time', '-CAfile', $capath, '--', $certpath,
+        ];
+        PVE::Tools::run_command($cmd);
 
         print "PVE certificate $msg\n";
         # create new certificate
-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [pve-devel] [PATCH manager 2/2] pveupdate: improve cert renew log messages
  2025-09-09 10:04 [pve-devel] [PATCH manager 1/2] fix #6779: pveupdate: renew already expired certificates Fabian Grünbichler
@ 2025-09-09 10:04 ` Fabian Grünbichler
  2025-10-22 13:09   ` Fiona Ebner
  2025-10-22 13:09 ` [pve-devel] [PATCH manager 1/2] fix #6779: pveupdate: renew already expired certificates Fiona Ebner
  2025-10-23  8:20 ` [pve-devel] applied-series: " Fabian Grünbichler
  2 siblings, 1 reply; 5+ messages in thread
From: Fabian Grünbichler @ 2025-09-09 10:04 UTC (permalink / raw)
  To: pve-devel

by explicitly checking for already expired certificates and adapting the
message in that case.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 bin/pveupdate | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/bin/pveupdate b/bin/pveupdate
index 9984c9369..c5356c885 100755
--- a/bin/pveupdate
+++ b/bin/pveupdate
@@ -125,7 +125,10 @@ eval {
         PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
     };
 
-    if (PVE::Certificate::check_expiry($certpath, time() + 14 * 24 * 60 * 60)) {
+    if (PVE::Certificate::check_expiry($certpath)) {
+        # already expired
+        $renew->("expired, renewing...");
+    } elsif (PVE::Certificate::check_expiry($certpath, time() + 14 * 24 * 60 * 60)) {
         # expires in next 2 weeks
         $renew->("expires soon, renewing...");
     } elsif (!PVE::Certificate::check_expiry($certpath, time() + 2 * 365 * 24 * 60 * 60)) {
-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [pve-devel] [PATCH manager 2/2] pveupdate: improve cert renew log messages
  2025-09-09 10:04 ` [pve-devel] [PATCH manager 2/2] pveupdate: improve cert renew log messages Fabian Grünbichler
@ 2025-10-22 13:09   ` Fiona Ebner
  0 siblings, 0 replies; 5+ messages in thread
From: Fiona Ebner @ 2025-10-22 13:09 UTC (permalink / raw)
  To: Proxmox VE development discussion, Fabian Grünbichler

Am 09.09.25 um 12:05 PM schrieb Fabian Grünbichler:
> by explicitly checking for already expired certificates and adapting the
> message in that case.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

Reviewed-by: Fiona Ebner <f.ebner@proxmox.com>

> ---
>  bin/pveupdate | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/bin/pveupdate b/bin/pveupdate
> index 9984c9369..c5356c885 100755
> --- a/bin/pveupdate
> +++ b/bin/pveupdate
> @@ -125,7 +125,10 @@ eval {
>          PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
>      };
>  
> -    if (PVE::Certificate::check_expiry($certpath, time() + 14 * 24 * 60 * 60)) {
> +    if (PVE::Certificate::check_expiry($certpath)) {
> +        # already expired
> +        $renew->("expired, renewing...");
> +    } elsif (PVE::Certificate::check_expiry($certpath, time() + 14 * 24 * 60 * 60)) {
>          # expires in next 2 weeks
>          $renew->("expires soon, renewing...");
>      } elsif (!PVE::Certificate::check_expiry($certpath, time() + 2 * 365 * 24 * 60 * 60)) {



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [pve-devel] [PATCH manager 1/2] fix #6779: pveupdate: renew already expired certificates
  2025-09-09 10:04 [pve-devel] [PATCH manager 1/2] fix #6779: pveupdate: renew already expired certificates Fabian Grünbichler
  2025-09-09 10:04 ` [pve-devel] [PATCH manager 2/2] pveupdate: improve cert renew log messages Fabian Grünbichler
@ 2025-10-22 13:09 ` Fiona Ebner
  2025-10-23  8:20 ` [pve-devel] applied-series: " Fabian Grünbichler
  2 siblings, 0 replies; 5+ messages in thread
From: Fiona Ebner @ 2025-10-22 13:09 UTC (permalink / raw)
  To: Proxmox VE development discussion, Fabian Grünbichler

Am 09.09.25 um 12:05 PM schrieb Fabian Grünbichler:
> if nodes are offline for a longer period of time, they might not be renewed by
> pveupdate before they expire. the `verify` call here just serves as an
> extra safeguard to prevent accidental overwriting of certificates not actually
> signed by the cluster CA, checking the expiry time servers no purpose.
> 
> Suggested-by: Stephane Chazelas
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

Reviewed-by: Fiona Ebner <f.ebner@proxmox.com>

> ---
> verified by manually creating an expired and a soon-to-be-expired certificate..
> 
>  bin/pveupdate | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/bin/pveupdate b/bin/pveupdate
> index 757cac868..9984c9369 100755
> --- a/bin/pveupdate
> +++ b/bin/pveupdate
> @@ -111,7 +111,10 @@ eval {
>  
>          # check if cert is really signed by the ca
>          # TODO: replace by low level ssleay interface if version 1.86 is available
> -        PVE::Tools::run_command(['/usr/bin/openssl', 'verify', '-CAfile', $capath, $certpath]);
> +        my $cmd = [
> +            '/usr/bin/openssl', 'verify', '-no_check_time', '-CAfile', $capath, '--', $certpath,
> +        ];
> +        PVE::Tools::run_command($cmd);
>  
>          print "PVE certificate $msg\n";
>          # create new certificate



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [pve-devel] applied-series: [PATCH manager 1/2] fix #6779: pveupdate: renew already expired certificates
  2025-09-09 10:04 [pve-devel] [PATCH manager 1/2] fix #6779: pveupdate: renew already expired certificates Fabian Grünbichler
  2025-09-09 10:04 ` [pve-devel] [PATCH manager 2/2] pveupdate: improve cert renew log messages Fabian Grünbichler
  2025-10-22 13:09 ` [pve-devel] [PATCH manager 1/2] fix #6779: pveupdate: renew already expired certificates Fiona Ebner
@ 2025-10-23  8:20 ` Fabian Grünbichler
  2 siblings, 0 replies; 5+ messages in thread
From: Fabian Grünbichler @ 2025-10-23  8:20 UTC (permalink / raw)
  To: pve-devel, Fabian Grünbichler


On Tue, 09 Sep 2025 12:04:47 +0200, Fabian Grünbichler wrote:
> if nodes are offline for a longer period of time, they might not be renewed by
> pveupdate before they expire. the `verify` call here just serves as an
> extra safeguard to prevent accidental overwriting of certificates not actually
> signed by the cluster CA, checking the expiry time servers no purpose.
> 
> 

Applied with Fiona's R-b, thanks!

[1/2] fix #6779: pveupdate: renew already expired certificates
      commit: 6ec35c4ff917512d9091d97b602a0188d435aeeb
[2/2] pveupdate: improve cert renew log messages
      commit: 351df678af73ea63748637ce3859ff87d85090e9

Best regards,
-- 
Fabian Grünbichler <f.gruenbichler@proxmox.com>


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2025-10-23  8:21 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-09-09 10:04 [pve-devel] [PATCH manager 1/2] fix #6779: pveupdate: renew already expired certificates Fabian Grünbichler
2025-09-09 10:04 ` [pve-devel] [PATCH manager 2/2] pveupdate: improve cert renew log messages Fabian Grünbichler
2025-10-22 13:09   ` Fiona Ebner
2025-10-22 13:09 ` [pve-devel] [PATCH manager 1/2] fix #6779: pveupdate: renew already expired certificates Fiona Ebner
2025-10-23  8:20 ` [pve-devel] applied-series: " Fabian Grünbichler

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Service provided by Proxmox Server Solutions GmbH | Privacy | Legal