* [pve-devel] [PATCH manager 1/2] fix #6779: pveupdate: renew already expired certificates
@ 2025-09-09 10:04 Fabian Grünbichler
2025-09-09 10:04 ` [pve-devel] [PATCH manager 2/2] pveupdate: improve cert renew log messages Fabian Grünbichler
0 siblings, 1 reply; 2+ messages in thread
From: Fabian Grünbichler @ 2025-09-09 10:04 UTC (permalink / raw)
To: pve-devel
if nodes are offline for a longer period of time, they might not be renewed by
pveupdate before they expire. the `verify` call here just serves as an
extra safeguard to prevent accidental overwriting of certificates not actually
signed by the cluster CA, checking the expiry time servers no purpose.
Suggested-by: Stephane Chazelas
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
verified by manually creating an expired and a soon-to-be-expired certificate..
bin/pveupdate | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/bin/pveupdate b/bin/pveupdate
index 757cac868..9984c9369 100755
--- a/bin/pveupdate
+++ b/bin/pveupdate
@@ -111,7 +111,10 @@ eval {
# check if cert is really signed by the ca
# TODO: replace by low level ssleay interface if version 1.86 is available
- PVE::Tools::run_command(['/usr/bin/openssl', 'verify', '-CAfile', $capath, $certpath]);
+ my $cmd = [
+ '/usr/bin/openssl', 'verify', '-no_check_time', '-CAfile', $capath, '--', $certpath,
+ ];
+ PVE::Tools::run_command($cmd);
print "PVE certificate $msg\n";
# create new certificate
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 2+ messages in thread
* [pve-devel] [PATCH manager 2/2] pveupdate: improve cert renew log messages
2025-09-09 10:04 [pve-devel] [PATCH manager 1/2] fix #6779: pveupdate: renew already expired certificates Fabian Grünbichler
@ 2025-09-09 10:04 ` Fabian Grünbichler
0 siblings, 0 replies; 2+ messages in thread
From: Fabian Grünbichler @ 2025-09-09 10:04 UTC (permalink / raw)
To: pve-devel
by explicitly checking for already expired certificates and adapting the
message in that case.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
bin/pveupdate | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/bin/pveupdate b/bin/pveupdate
index 9984c9369..c5356c885 100755
--- a/bin/pveupdate
+++ b/bin/pveupdate
@@ -125,7 +125,10 @@ eval {
PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
};
- if (PVE::Certificate::check_expiry($certpath, time() + 14 * 24 * 60 * 60)) {
+ if (PVE::Certificate::check_expiry($certpath)) {
+ # already expired
+ $renew->("expired, renewing...");
+ } elsif (PVE::Certificate::check_expiry($certpath, time() + 14 * 24 * 60 * 60)) {
# expires in next 2 weeks
$renew->("expires soon, renewing...");
} elsif (!PVE::Certificate::check_expiry($certpath, time() + 2 * 365 * 24 * 60 * 60)) {
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-09-09 10:06 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-09-09 10:04 [pve-devel] [PATCH manager 1/2] fix #6779: pveupdate: renew already expired certificates Fabian Grünbichler
2025-09-09 10:04 ` [pve-devel] [PATCH manager 2/2] pveupdate: improve cert renew log messages Fabian Grünbichler
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox