public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [PATCH pve-cluster] fix #6701: Add keyUsage extension to root CA
@ 2026-01-22 10:55 Arthur Bied-Charreton
  0 siblings, 0 replies; only message in thread
From: Arthur Bied-Charreton @ 2026-01-22 10:55 UTC (permalink / raw)
  To: pve-devel

Add the keyUsage[1] extension to the PVE root CA to comply with RFC
5280. Python started to enforce this as of 3.13 by defaulting to using the
VERIFY_X509_STRICT flag, which breaks clients like Ansible.

The authorityKeyIdentifier[2] and subjectKeyIdentifier[3] extensions are
not strictly required for fixing this issue, however RFC 5280 mandates
them for conforming CAs, so adding them makes sense as well.

[1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
[2] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1
[3] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.2

Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
---
This fix is not required for PBS and PDM, since they only use self-signed
certificates.

You can run the script below to test the changes; it should fail with
"CA cert does not include key usage extension" before applying the patch
and succeed afterwards.

```python
#!/usr/bin/env python3
# Connect to the local pveproxy and verify its certificate chain against the
# PVE root CA with RFC 5280 strict checks (the default since Python 3.13).

import socket
import ssl

try:
    context = ssl.create_default_context(cafile="/etc/pve/pve-root-ca.pem")
    context.check_hostname = True
    context.verify_mode = ssl.CERT_REQUIRED
    # Set explicitly so the same check also runs on Python < 3.13,
    # where strict mode is not yet the default.
    context.verify_flags |= ssl.VERIFY_X509_STRICT

    with socket.create_connection(("localhost", 8006), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname="localhost") as ssock:
            print("success")

except ssl.SSLCertVerificationError as e:
    print(e)
```
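As an added example (not part of this patch or of pve-cluster), the following Python uses the third-party `cryptography` package to build two constructed self-signed root CAs offline, one that omits the CA extensions the patch adds and one that carries keyUsage (keyCertSign, cRLSign), subjectKeyIdentifier and authorityKeyIdentifier, and reports which RFC 5280 CA extensions a strict verifier would find missing. The subject name is a placeholder; the "before" CA models only the missing-extension condition, not the exact contents of an existing pve-root-ca.pem.

```python
# Added example: model a root CA before/after the keyUsage fix and check it
# for the RFC 5280 CA extensions that strict verifiers require.
import datetime
from cryptography import x509
from cryptography.x509.oid import ExtensionOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa


def build_root_ca(with_ca_extensions: bool) -> x509.Certificate:
    """Self-signed root CA; with_ca_extensions adds keyUsage, SKI and AKI."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    # Placeholder subject, not the real PVE CA name.
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=3650))
               # basicConstraints = critical,CA:TRUE (present in both variants)
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True))
    if with_ca_extensions:
        ski = x509.SubjectKeyIdentifier.from_public_key(key.public_key())
        builder = (builder
                   # keyUsage = critical,keyCertSign,cRLSign
                   .add_extension(x509.KeyUsage(
                       digital_signature=False, content_commitment=False,
                       key_encipherment=False, data_encipherment=False,
                       key_agreement=False, key_cert_sign=True, crl_sign=True,
                       encipher_only=False, decipher_only=False), critical=True)
                   .add_extension(ski, critical=False)  # subjectKeyIdentifier = hash
                   .add_extension(x509.AuthorityKeyIdentifier
                                  .from_issuer_subject_key_identifier(ski), critical=False))
    return builder.sign(key, hashes.SHA256())


def missing_ca_extensions(cert: x509.Certificate) -> list[str]:
    """Names of RFC 5280 CA extensions absent from cert (keyUsage must allow keyCertSign)."""
    missing = []
    try:
        if not cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE).value.key_cert_sign:
            missing.append("keyUsage:keyCertSign")
    except x509.ExtensionNotFound:
        missing.append("keyUsage")
    for oid, label in ((ExtensionOID.SUBJECT_KEY_IDENTIFIER, "subjectKeyIdentifier"),
                       (ExtensionOID.AUTHORITY_KEY_IDENTIFIER, "authorityKeyIdentifier")):
        try:
            cert.extensions.get_extension_for_oid(oid)
        except x509.ExtensionNotFound:
            missing.append(label)
    return missing
```

Running `missing_ca_extensions` on a CA loaded with `x509.load_pem_x509_certificate` gives the same report for a real pve-root-ca.pem.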
    
 src/PVE/Cluster/Setup.pm | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
index 75d3507..d95a278 100644
--- a/src/PVE/Cluster/Setup.pm
+++ b/src/PVE/Cluster/Setup.pm
@@ -426,6 +426,25 @@ sub gen_pveca_cert {
     my $uuid_str;
     UUID::unparse($uuid, $uuid_str);
 
+    my $sslconf = <<__EOD;
+[req]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+
+[ v3_ca ]
+basicConstraints = critical,CA:TRUE
+keyUsage = critical,keyCertSign,cRLSign
+authorityKeyIdentifier = keyid:always,issuer
+subjectKeyIdentifier = hash
+__EOD
+
+    my $cfgfn = "/tmp/pvesslconf-$$.tmp";
+    my $fh = IO::File->new($cfgfn, "w");
+    print $fh $sslconf;
+    close($fh);
+
     eval {
         # wrap openssl with faketime to prevent bug #904
         run_silent_cmd([
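Review bot: the temporary config is written without error handling; `IO::File->new($cfgfn, "w")` returns undef if the file cannot be created, after which `print $fh $sslconf` dies with a generic Perl error outside the eval instead of the "generating pve root certificate failed" message. Consider `File::Temp` (tempfile with UNLINK => 1, which also avoids the predictable `/tmp/pvesslconf-$$.tmp` name) or `PVE::Tools::file_set_contents`, which dies with the reason; also confirm IO::File is already loaded in Setup.pm, since the hunk adds no `use` line.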
@@ -439,6 +458,8 @@ sub gen_pveca_cert {
             '-new',
             '-x509',
             '-nodes',
+            '-config',
+            $cfgfn,
             '-key',
             $pveca_key_fn,
             '-out',
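Review bot: `-config $cfgfn` replaces the system openssl.cnf for this `openssl req` invocation, so any setting the previous call picked up from there (for example `default_md` or `string_mask`) must now come from the generated config or the command line; worth confirming that the remaining arguments not shown in this hunk still set the digest and validity period, and note that the empty `[ req_distinguished_name ]` section relies on the subject being supplied on the command line rather than from the config.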
@@ -448,6 +469,8 @@ sub gen_pveca_cert {
         ]);
     };
 
+    unlink $cfgfn;
+
     die "generating pve root certificate failed:\n$@" if $@;
 
     return 1;
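Review bot: `unlink $cfgfn` is correctly placed after the eval and before the die, so the file is removed on both success and failure of the openssl call, but its return value is ignored, so a failed removal goes unnoticed; `unlink $cfgfn or warn "unable to remove $cfgfn: $!"` would surface it, and using File::Temp with UNLINK => 1 when creating the file would make this line unnecessary.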
-- 
2.47.3


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

