* [pve-devel] [PATCH pve-cluster v2 0/3] fix #6701: Update PVE cert generation
@ 2026-01-26 9:55 Arthur Bied-Charreton
From: Arthur Bied-Charreton @ 2026-01-26 9:55 UTC (permalink / raw)
To: pve-devel
The main fix (1/3) adds the keyUsage extension to PVE's root CA, which
is required by RFC 5280.
{2,3}/3 address review feedback [1] by eliminating temporary config
files and moving temp file creation from /tmp to /run to prevent symlink
races.
More details in the commit messages.
[1] https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t
Arthur Bied-Charreton (3):
fix #6701: Add keyUsage extension to root CA
Convert SSL cert generation config to CLI arguments
Create temporary CSR file in /run instead of /tmp
src/PVE/Cluster/Setup.pm | 45 +++++++++++-----------------------------
1 file changed, 12 insertions(+), 33 deletions(-)
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
From: Arthur Bied-Charreton @ 2026-01-26 9:55 UTC (permalink / raw)
To: pve-devel
Add the keyUsage[1] extension to the PVE root CA to comply with RFC
5280, which Python decided to enforce as of 3.13 by adding the
VERIFY_X509_STRICT flag, which breaks some clients like Ansible.
The authorityKeyIdentifier[2] and subjectKeyIdentifier[3] extensions are
required by RFC 5280 as well, however OpenSSL adds them in by default
based on /etc/ssl/openssl.cnf, so there is no need for explicitly
passing them.
Test script:
```python
import socket, ssl

# Python 3.13 sets VERIFY_X509_STRICT on the default context, so a root CA
# without the keyUsage extension fails the handshake below with a
# certificate verification error; with the extension it prints "success".
ctx = ssl.create_default_context(cafile="/etc/pve/pve-root-ca.pem")
with ctx.wrap_socket(socket.create_connection(("localhost", 8006)),
                     server_hostname="localhost"):
    print("success")
```
[1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
[2] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1
[3] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.2
Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
---
src/PVE/Cluster/Setup.pm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
index 75d3507..4f528ba 100644
--- a/src/PVE/Cluster/Setup.pm
+++ b/src/PVE/Cluster/Setup.pm
@@ -439,6 +439,8 @@ sub gen_pveca_cert {
'-new',
'-x509',
'-nodes',
+ '-addext',
+ 'keyUsage=critical,keyCertSign,cRLSign',
'-key',
$pveca_key_fn,
'-out',
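Review bot: the commit message leaves subjectKeyIdentifier and authorityKeyIdentifier to whatever /etc/ssl/openssl.cnf supplies; since this hunk already passes extensions explicitly with `-addext`, consider adding `'-addext', 'subjectKeyIdentifier=hash'` (and basicConstraints, if that also comes from the same config section) to the same argument list, so the root CA's RFC 5280 content no longer depends on a distribution file that a site may replace or trim. A short comment next to `keyUsage=critical,keyCertSign,cRLSign` stating that the CA key is used for nothing but certificate and CRL signing would also document why no other bits are asserted.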
--
2.47.3
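As an added illustration, not part of the patch or of pve-cluster: a stdlib-only Python check for the condition this patch fixes, namely whether a CA certificate carries the keyUsage extension and which bits it asserts. It walks the DER directly because the `ssl` module exposes no extension parser; the two samples are constructed Extensions blocks (not real certificates) shaped like the root CA before and after this patch, and the PEM path mentioned is the one from the test script above.

```python
import base64, re

# keyUsage bit names in BIT STRING order (RFC 5280 section 4.2.1.3); bit 0 is the MSB of byte 0.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]

def pem_to_der(pem: str) -> bytes:
    """First CERTIFICATE block of a PEM file (e.g. /etc/pve/pve-root-ca.pem) as raw DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def der_tlvs(data: bytes):
    """Yield (tag, value) for each DER TLV in data; DER permits definite lengths only."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                        # long form: low 7 bits = number of length bytes
            length, i = int.from_bytes(data[i:i + (length & 0x7F)], "big"), i + (length & 0x7F)
        yield tag, data[i:i + length]
        i += length

def find_extension(der: bytes, oid: bytes):
    """(critical, extnValue) of the Extension SEQUENCE that starts with oid, or None."""
    for tag, value in der_tlvs(der):
        if not tag & 0x20:                       # primitive (OID, OCTET/BIT STRING, ...): never entered
            continue
        parts = list(der_tlvs(value))            # constructed: SEQUENCE, SET, [n] EXPLICIT
        if tag == 0x30 and parts and parts[0] == (0x06, oid):
            return parts[1] == (0x01, b"\xff"), parts[-1][1]
        if found := find_extension(value, oid):
            return found
    return None

def key_usage(der: bytes):
    """(critical, {asserted keyUsage names}) or None when absent: the case VERIFY_X509_STRICT rejects."""
    if (ext := find_extension(der, bytes.fromhex("551d0f"))) is None:   # 2.5.29.15 keyUsage
        return None
    critical, extn_value = ext
    (tag, bits), = der_tlvs(extn_value)          # extnValue wraps exactly one BIT STRING
    assert tag == 0x03, "keyUsage extnValue is not a BIT STRING"
    payload = bits[1:]                           # bits[0] is the count of unused trailing bits
    names = {n for i, n in enumerate(KEY_USAGE_BITS)
             if i // 8 < len(payload) and payload[i // 8] & (0x80 >> (i % 8))}
    return critical, names

# Constructed samples, not real certificates: only the [3] Extensions block of a TBSCertificate.
BASIC_CONSTRAINTS = bytes.fromhex("300f 0603551d13 0101ff 0405 30030101ff")  # critical, CA:TRUE
KEY_USAGE = bytes.fromhex("300e 0603551d0f 0101ff 0404 03020106")  # critical, keyCertSign|cRLSign
OLD_CA_EXTENSIONS = bytes.fromhex("a313 3011") + BASIC_CONSTRAINTS              # before patch 1/3
NEW_CA_EXTENSIONS = bytes.fromhex("a323 3021") + BASIC_CONSTRAINTS + KEY_USAGE  # after patch 1/3
```

Running `key_usage(pem_to_der(open("/etc/pve/pve-root-ca.pem").read()))` on a node returns `None` for a CA generated before this patch and `(True, {'keyCertSign', 'cRLSign'})` after it; the same walker works on a full certificate because it only descends into constructed nodes.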
* [pve-devel] [PATCH pve-cluster v2 2/3] Convert SSL cert generation config to CLI arguments
From: Arthur Bied-Charreton @ 2026-01-26 9:55 UTC (permalink / raw)
To: pve-devel
Replace temporary OpenSSL config file with direct CLI arguments in PVE
node SSL cert generation.
Changes:
- Use '-subj' flag for distinguished name
- Use '-addext' flag for cert extensions
- Use '-copy_extensions copyall' to copy extensions from CSR to cert
- Remove temp config file and cleanup code
As suggested here:
https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t
Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
---
src/PVE/Cluster/Setup.pm | 41 +++++++++-------------------------------
1 file changed, 9 insertions(+), 32 deletions(-)
diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
index 4f528ba..b9cacfd 100644
--- a/src/PVE/Cluster/Setup.pm
+++ b/src/PVE/Cluster/Setup.pm
@@ -504,33 +504,6 @@ sub gen_pve_ssl_cert {
$names .= ",DNS:$fqdn";
}
- my $sslconf = <<__EOD;
-RANDFILE = /root/.rnd
-extensions = v3_req
-
-[ req ]
-default_bits = 2048
-distinguished_name = req_distinguished_name
-req_extensions = v3_req
-prompt = no
-string_mask = nombstr
-
-[ req_distinguished_name ]
-organizationalUnitName = PVE Cluster Node
-organizationName = Proxmox Virtual Environment
-commonName = $fqdn
-
-[ v3_req ]
-basicConstraints = CA:FALSE
-extendedKeyUsage = serverAuth
-subjectAltName = $names
-__EOD
-
- my $cfgfn = "/tmp/pvesslconf-$$.tmp";
- my $fh = IO::File->new($cfgfn, "w");
- print $fh $sslconf;
- close($fh);
-
my $reqfn = "/tmp/pvecertreq-$$.tmp";
unlink $reqfn;
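Review bot: removing the heredoc also drops `RANDFILE`, `default_bits = 2048` and `string_mask = nombstr`; the first two are dead here because the key is passed with `-key` and `req` never generates one, but `string_mask` governs how the DN strings are encoded (OpenSSL's own default is utf8only), so the commit message should say that the subject encoding of newly generated node certificates may differ from certificates generated with the old config. It is also worth stating that, with no `-config` at all, `openssl req` now reads its `[ req ]` defaults from /etc/ssl/openssl.cnf, which trades a file this code controlled for one the host controls.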
@@ -541,18 +514,23 @@ __EOD
'req',
'-batch',
'-new',
- '-config',
- $cfgfn,
'-key',
$pvessl_key_fn,
'-out',
$reqfn,
+ '-subj',
+ "/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=$fqdn",
+ '-addext',
+ 'basicConstraints=CA:FALSE',
+ '-addext',
+ 'extendedKeyUsage=serverAuth',
+ '-addext',
+ "subjectAltName=$names",
]);
};
if (my $err = $@) {
unlink $reqfn;
- unlink $cfgfn;
die "unable to generate pve certificate request:\n$err";
}
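Review bot: `"/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=$fqdn"` interpolates the hostname into the `-subj` grammar, where `/`, `=` and `+` are structural and would have to be backslash-escaped; a valid hostname cannot contain them, so the behaviour is fine today (the old config file interpolated `commonName = $fqdn` in the same way), but a one-line comment, or a `die` if `$fqdn` contains `/`, would keep a future caller from producing a silently mis-parsed DN. The error path still only unlinks `$reqfn`, which is correct now that there is no config file to clean up.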
@@ -581,13 +559,12 @@ __EOD
'openssl', 'x509', '-req', '-in', $reqfn, '-days', $daysleft, '-out',
$pvessl_cert_fn,
'-CAkey', $pveca_key_fn, '-CA', $pveca_cert_fn, '-CAserial', $pveca_srl_fn,
- '-extfile', $cfgfn,
+ '-copy_extensions', 'copyall',
]);
};
my $err = $@;
unlink $reqfn or $!{ENOENT} or warn "failed to clean up '$reqfn' - $!";
- unlink $cfgfn or $!{ENOENT} or warn "failed to clean up '$cfgfn' - $!";
die "unable to generate pve ssl certificate:\n$err" if $err;
}
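Review bot: `-copy_extensions copyall` copies every extension from the CSR into the signed certificate, basicConstraints included; that is safe here only because the CSR is produced a few lines earlier by this same function and never comes from outside, and a comment stating that invariant next to the argument would stop a later refactor from reusing this signing call on externally supplied requests. Note also that `-copy_extensions` on `openssl x509` exists only from OpenSSL 3.0 onwards; the Debian base of current Proxmox VE ships that, but the minimum version belongs in the commit message.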
--
2.47.3
From: Arthur Bied-Charreton @ 2026-01-26 9:55 UTC (permalink / raw)
To: pve-devel
Creating temp files in a world-writable directory such as /tmp could expose
the config generation to symlink races. Use /run directory instead.
As suggested here:
https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t
Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
---
src/PVE/Cluster/Setup.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
index b9cacfd..5ed85ad 100644
--- a/src/PVE/Cluster/Setup.pm
+++ b/src/PVE/Cluster/Setup.pm
@@ -504,7 +504,7 @@ sub gen_pve_ssl_cert {
$names .= ",DNS:$fqdn";
}
- my $reqfn = "/tmp/pvecertreq-$$.tmp";
+ my $reqfn = "/run/pvecertreq-$$.tmp";
unlink $reqfn;
my $pvessl_key_fn = "$pmxcfs_base_dir/nodes/$nodename/pve-ssl.key";
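Review bot: moving to /run removes the world-writable directory, which is what makes the symlink race possible, but the name `/run/pvecertreq-$$.tmp` is still predictable and the preceding `unlink $reqfn` followed by `openssl req -out` does not create the file exclusively. Since the function already runs as root in a root-owned directory this is no longer exploitable, yet `File::Temp::tempfile` with `DIR => '/run'` and `UNLINK => 1` would give an exclusively created, unpredictable name and automatic cleanup on every error path, which would let the manual `unlink` calls in this function go away. Worth confirming as well that nothing here runs before /run is mounted during early cluster setup.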
--
2.47.3