[PATCH manager v2] cert helpers: make sure that any new certificate and key match

[PATCH manager v2] cert helpers: make sure that any new certificate and key match

[Shannon Sterz]

previously it was possible to upload and set a key and certificate
combination, that did not match each other. this lead to confusing
errors as pveproxy would seemingly start, but not actually serve any
http connections. in a cluster context this leads to "broken pipe"
errors when connecting to such a misconfigured node. since this is
rather confusing, verify that a key and certificate can actually be
used before setting them as the current certificates by loading them
into a TLS context.

Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---

Notes:
    this came up in the enterprise support and caused quite a bit of
    confusion.
    
    changes since v1 (thanks @ Thomas Lamprecht):
    
    - use `NET::SSLeay::die_now` instead of `die` to potentially return
      more useful debugging information.
    - add error handling when removing invalid keys/certificates fails.

 PVE/CertHelpers.pm | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/PVE/CertHelpers.pm b/PVE/CertHelpers.pm
index ee945827f..202dec0ee 100644
--- a/PVE/CertHelpers.pm
+++ b/PVE/CertHelpers.pm
@@ -7,6 +7,8 @@ use PVE::Certificate;
 use PVE::JSONSchema;
 use PVE::Tools;
 
+use Net::SSLeay qw(die_now);
+
 my $account_prefix = '/etc/pve/priv/acme';
 
 PVE::JSONSchema::register_standard_option(
@@ -81,6 +83,31 @@ sub set_cert_files {
         PVE::Tools::file_set_contents($cert_path, $cert);
         PVE::Tools::file_set_contents($key_path, $key) if $key;
         $info = PVE::Certificate::get_certificate_info($cert_path);
+
+        if (my $method = Net::SSLeay::TLS_method()) {
+            my $ctx = Net::SSLeay::CTX_new_with_method($method);
+
+            eval {
+                Net::SSLeay::CTX_use_certificate_chain_file($ctx, $cert_path)
+                    or die_now("could not load certificate (chain) ($!)");
+                Net::SSLeay::CTX_use_PrivateKey_file(
+                    $ctx,
+                    $key_path,
+                    Net::SSLeay::FILETYPE_PEM(),
+                ) or die_now("key does not match the certificate (chain) ($!)");
+            };
+
+            my $err = $@;
+
+            if ($err) {
+                # clean up invalid certificate and key
+                unlink $cert_path or $!{ENOENT} or warn "failed to clean-up $cert_path - $!\n";
+                unlink $key_path or $!{ENOENT} or warn "failed to clean-up $key_path - $!\n";
+                die $err;
+            }
+        } else {
+            warn "no TLS method to verify certificate and key match, continuing anyway\n";
+        }
     };
     my $err = $@;
 
-- 
2.47.3

applied: [PATCH manager v2] cert helpers: make sure that any new certificate and key match

[Thomas Lamprecht]

On Wed, 06 May 2026 14:48:32 +0200, Shannon Sterz wrote:
> previously it was possible to upload and set a key and certificate
> combination, that did not match each other. this lead to confusing
> errors as pveproxy would seemingly start, but not actually serve any
> http connections. in a cluster context this leads to "broken pipe"
> errors when connecting to such a misconfigured node. since this is
> rather confusing, verify that a key and certificate can actually be
> used before setting them as the current certificates by loading them
> into a TLS context.
> 
> [...]

Applied, thanks!

[1/1] cert helpers: make sure that any new certificate and key match
      commit: 76660ff2e5eaebfe4e783f1a755c9e376c75d1e4