* [pve-devel] [PATCH pve-cluster v2 0/3] fix #6701: Update PVE cert generation
From: Arthur Bied-Charreton @ 2026-01-26 9:55 UTC
To: pve-devel
The main fix (1/3) adds the keyUsage extension to PVE's root CA, which
is required by RFC 5280.
{2,3}/3 address review feedback [1] by eliminating temporary config
files and moving temp file creation from /tmp to /run to prevent symlink
races.
More details in the commit messages.
[1] https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t
Arthur Bied-Charreton (3):
fix #6701: Add keyUsage extension to root CA
Convert SSL cert generation config to CLI arguments
Create temporary CSR file in /run instead of /tmp
src/PVE/Cluster/Setup.pm | 45 +++++++++++-----------------------------
1 file changed, 12 insertions(+), 33 deletions(-)
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] [PATCH pve-cluster v2 1/3] fix #6701: Add keyUsage extension to root CA
From: Arthur Bied-Charreton @ 2026-01-26 9:55 UTC
To: pve-devel

Add the keyUsage[1] extension to the PVE root CA to comply with RFC 5280,
which Python decided to enforce as of 3.13 by adding the VERIFY_X509_STRICT
flag, which breaks some clients like Ansible.

The authorityKeyIdentifier[2] and subjectKeyIdentifier[3] extensions are
required by RFC 5280 as well, however OpenSSL adds them in by default based
on /etc/ssl/openssl.cnf, so there is no need for explicitly passing them.

Test script:

```python
import socket, ssl

ctx = ssl.create_default_context(cafile="/etc/pve/pve-root-ca.pem")
ctx.wrap_socket(socket.create_connection(("localhost", 8006)), server_hostname="localhost")
print("success")
```

[1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
[2] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1
[3] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.2

Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
---
 src/PVE/Cluster/Setup.pm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
index 75d3507..4f528ba 100644
--- a/src/PVE/Cluster/Setup.pm
+++ b/src/PVE/Cluster/Setup.pm
@@ -439,6 +439,8 @@ sub gen_pveca_cert { '-new', '-x509', '-nodes', + '-addext', + 'keyUsage=critical,keyCertSign,cRLSign', '-key', $pveca_key_fn, '-out', -- 2.47.3 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel ^ permalink raw reply [flat|nested] 5+ messages in thread
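Review bot: the new `-addext keyUsage=critical,keyCertSign,cRLSign` in `gen_pveca_cert` only affects root CAs generated from now on; clusters that already have a pve-root-ca keep the extension-less certificate until the CA key and cert are removed and regenerated (which is what the review test below does before `pvecm updatecerts --force`), so the commit message should state that existing installations need that step to get the Python 3.13 fix. A second point on the same hunk: the commit message leans on /etc/ssl/openssl.cnf to supply subjectKeyIdentifier and authorityKeyIdentifier; adding them explicitly as further `-addext` entries (`subjectKeyIdentifier=hash` first, then `authorityKeyIdentifier=keyid`, if the OpenSSL in use accepts them on `req -x509`) would make the CA's RFC 5280 conformance independent of distribution config defaults, which is the same class of problem this patch fixes for keyUsage.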
* [pve-devel] [PATCH pve-cluster v2 2/3] Convert SSL cert generation config to CLI arguments
From: Arthur Bied-Charreton @ 2026-01-26 9:55 UTC
To: pve-devel

Replace temporary OpenSSL config file with direct CLI arguments in PVE
node SSL cert generation.

Changes:
- Use '-subj' flag for distinguished name
- Use '-addext' flag for cert extensions
- Use '-copy_extensions copyall' to copy extensions from CSR to cert
- Remove temp config file and cleanup code

As suggested here:
https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t

Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
---
 src/PVE/Cluster/Setup.pm | 41 +++++++++------------------------------
 1 file changed, 9 insertions(+), 32 deletions(-)

diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
index 4f528ba..b9cacfd 100644
--- a/src/PVE/Cluster/Setup.pm
+++ b/src/PVE/Cluster/Setup.pm
@@ -504,33 +504,6 @@ sub gen_pve_ssl_cert { $names .= ",DNS:$fqdn"; } - my $sslconf = <<__EOD; -RANDFILE = /root/.rnd -extensions = v3_req - -[ req ] -default_bits = 2048 -distinguished_name = req_distinguished_name -req_extensions = v3_req -prompt = no -string_mask = nombstr - -[ req_distinguished_name ] -organizationalUnitName = PVE Cluster Node -organizationName = Proxmox Virtual Environment -commonName = $fqdn - -[ v3_req ] -basicConstraints = CA:FALSE -extendedKeyUsage = serverAuth -subjectAltName = $names -__EOD - - my $cfgfn = "/tmp/pvesslconf-$$.tmp"; - my $fh = IO::File->new($cfgfn, "w"); - print $fh $sslconf; - close($fh); - my $reqfn = "/tmp/pvecertreq-$$.tmp"; unlink $reqfn; @@ -541,18 +514,23 @@ __EOD 'req', '-batch', '-new', - '-config', - $cfgfn, '-key', $pvessl_key_fn, '-out', $reqfn, + '-subj', + "/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=$fqdn", + '-addext', + 'basicConstraints=CA:FALSE', + '-addext', + 'extendedKeyUsage=serverAuth', + '-addext', + "subjectAltName=$names", ]); }; if (my $err = $@) { unlink $reqfn; - unlink $cfgfn; die "unable to generate pve certificate request:\n$err"; } @@ -581,13 +559,12 @@ __EOD 'openssl', 'x509', '-req', '-in', $reqfn, '-days', $daysleft, '-out', $pvessl_cert_fn, '-CAkey', $pveca_key_fn, '-CA', $pveca_cert_fn, '-CAserial', $pveca_srl_fn, - '-extfile', $cfgfn, + '-copy_extensions', 'copyall', ]); }; my $err = $@; unlink $reqfn or $!{ENOENT} or warn "failed to clean up '$reqfn' - $!"; - unlink $cfgfn or $!{ENOENT} or warn "failed to clean up '$cfgfn' - $!"; die "unable to generate pve ssl certificate:\n$err" if $err; } -- 2.47.3 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel ^ permalink raw reply [flat|nested] 5+ messages in thread
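Review bot: the first hunk drops `string_mask = nombstr` together with the rest of the config, and nothing in the `-subj` invocation of the second hunk replaces it, so the subject DN attributes of node certificates will from now on be encoded with OpenSSL's default string mask (UTF8String) instead of PrintableString; the issuer name is copied from the CA certificate unchanged, so chain building is unaffected, but this is a visible change in the issued certificates and should be named in the commit message (the "Changes:" list presents the conversion as behaviour-preserving). Two smaller points: `-copy_extensions copyall` on `openssl x509 -req` in the third hunk requires OpenSSL 3.0 or later, which the package dependency or commit message should state; and in the second hunk `$fqdn` is interpolated into a `/`-delimited `-subj` string, which is only safe because hostnames cannot contain `/` or `+`, a constraint worth a one-line comment next to `"/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=$fqdn",`.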
* [pve-devel] [PATCH pve-cluster v2 3/3] Create temporary CSR file in /run instead of /tmp 2026-01-26 9:55 [pve-devel] [PATCH pve-cluster v2 0/3] fix #6701: Update PVE cert generation Arthur Bied-Charreton 2026-01-26 9:55 ` [pve-devel] [PATCH pve-cluster v2 1/3] fix #6701: Add keyUsage extension to root CA Arthur Bied-Charreton 2026-01-26 9:55 ` [pve-devel] [PATCH pve-cluster v2 2/3] Convert SSL cert generation config to CLI arguments Arthur Bied-Charreton @ 2026-01-26 9:55 ` Arthur Bied-Charreton 2026-02-06 11:35 ` [pve-devel] [PATCH pve-cluster v2 0/3] fix #6701: Update PVE cert generation Stoiko Ivanov 3 siblings, 0 replies; 5+ messages in thread From: Arthur Bied-Charreton @ 2026-01-26 9:55 UTC (permalink / raw) To: pve-devel Creating temp files in a world-writable directory such as /tmp could expose the config generation to symlink races. Use /run directory instead. As suggested here: https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com> Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com> --- src/PVE/Cluster/Setup.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm index b9cacfd..5ed85ad 100644 --- a/src/PVE/Cluster/Setup.pm +++ b/src/PVE/Cluster/Setup.pm @@ -504,7 +504,7 @@ sub gen_pve_ssl_cert { $names .= ",DNS:$fqdn"; } - my $reqfn = "/tmp/pvecertreq-$$.tmp"; + my $reqfn = "/run/pvecertreq-$$.tmp"; unlink $reqfn; my $pvessl_key_fn = "$pmxcfs_base_dir/nodes/$nodename/pve-ssl.key"; -- 2.47.3 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel ^ permalink raw reply [flat|nested] 5+ messages in thread
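Review bot: the commit message still says the symlink race could "expose the config generation", but after 2/3 the only temporary file left in `gen_pve_ssl_cert` is the CSR, so the body should say CSR as the subject line already does. Moving the file to /run does close the race described, since /run is writable only by root and the preceding `unlink $reqfn;` clears a stale file from an earlier run; a natural follow-up would be File::Temp, or a root-owned PVE-specific subdirectory under /run if one already exists, instead of a PID-derived name directly in /run, so the CSR needs no fixed, predictable path at all.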
* Re: [pve-devel] [PATCH pve-cluster v2 0/3] fix #6701: Update PVE cert generation
From: Stoiko Ivanov @ 2026-02-06 11:35 UTC
To: Arthur Bied-Charreton; +Cc: Proxmox VE development discussion

Thanks for the quick iteration on this!
Changes look good to me - and I consider them an improvement to before.

Tested this quickly by:
1) removing pve-root-ca (key and cert), the node's pve-ssl (key and cert)
2) running `pvecm updatecerts --force`
3) installing pve-cluster packages with your patches applied
4) recreating the certificate (point 1+2) again
5) vimdiffing old and new files - changes look sensible (apart from the
   uuid, only the added keyUsage extension)
6) running the test-script from your commit-message after restarting pveproxy

Did not read/recheck everything in RFC 5280 though.

Consider this series
Reviewed-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Tested-by: Stoiko Ivanov <s.ivanov@proxmox.com>

On Mon, 26 Jan 2026 10:55:42 +0100
Arthur Bied-Charreton <a.bied-charreton@proxmox.com> wrote:

> The main fix (1/3) adds the keyUsage extension to PVE's root CA, which
> is required by RFC 5280.
>
> {2,3}/3 address review feedback [1] by eliminating temporary config
> files and moving temp file creation from /tmp to /run to prevent symlink
> races.
>
> More details in the commit messages.
>
> [1]
> https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t
>
> Arthur Bied-Charreton (3):
>   fix #6701: Add keyUsage extension to root CA
>   Convert SSL cert generation config to CLI arguments
>   Create temporary CSR file in /run instead of /tmp
>
>  src/PVE/Cluster/Setup.pm | 45 +++++++++++-----------------------------
>  1 file changed, 12 insertions(+), 33 deletions(-)
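The 1/3 commit message names the RFC 5280 extensions a root CA needs under Python's VERIFY_X509_STRICT, and the review above checks the result by diffing certificates by hand. The following is an added example, not code from the patch series or from pve-cluster: it builds two throwaway self-signed CAs with the openssl CLI, one without keyUsage and one with the exact `-addext` value the patch adds, and reports which of those extensions each one lacks. It assumes the openssl CLI with its default openssl.cnf is installed; all file paths are constructed under a temporary directory.

```shell
# Added example (not part of the patch series): compare a root CA generated
# without keyUsage against one generated with the patch's -addext value.
# Assumes the openssl CLI and its default config; everything is constructed.

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# gen_ca KEY CERT [extra openssl req args...]: 1-day self-signed root CA.
gen_ca() {
    key=$1; cert=$2; shift 2
    openssl req -batch -new -x509 -nodes -days 1 -newkey rsa:2048 \
        -keyout "$key" -out "$cert" -subj "/CN=Constructed Test Root CA" \
        "$@" >/dev/null 2>&1
}

# ca_missing_exts CERT: prints the RFC 5280 CA extensions absent from the
# certificate, separated by ';', and returns 0 only when none is missing.
ca_missing_exts() {
    txt=$(openssl x509 -in "$1" -noout -text)
    missing=""
    for ext in "X509v3 Key Usage" "X509v3 Basic Constraints" \
               "X509v3 Subject Key Identifier" "X509v3 Authority Key Identifier"; do
        printf '%s\n' "$txt" | grep -q "$ext" || missing="$missing$ext;"
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# ca_has_keycertsign CERT: returns 0 when keyUsage contains keyCertSign, the
# bit VERIFY_X509_STRICT requires of a certificate that signs other certs.
ca_has_keycertsign() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign'
}

# Pre-patch situation (no keyUsage) vs. the extension added by the patch.
gen_ca "$work/old.key" "$work/old.pem"
gen_ca "$work/new.key" "$work/new.pem" -addext 'keyUsage=critical,keyCertSign,cRLSign'

printf 'old CA, missing: %s\n' "$(ca_missing_exts "$work/old.pem" || true)"
printf 'new CA, missing: %s\n' "$(ca_missing_exts "$work/new.pem" || true)"
```

Pointing `ca_missing_exts` at /etc/pve/pve-root-ca.pem shows whether a deployed CA was generated before or after the patch without diffing certificates by hand.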