From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Thomas Ellmenreich <t.ellmenreich@proxmox.com>,
pve-devel@lists.proxmox.com
Subject: Re: [PATCH proxmox-acme v2 2/2] fix #5978: pem parser: relax parsing of chain entries:
Date: Wed, 24 Jun 2026 13:38:16 +0200 [thread overview]
Message-ID: <4fcddd28-704f-446f-bdf2-6b77afc0e6ad@proxmox.com> (raw)
In-Reply-To: <20260617124251.89036-3-t.ellmenreich@proxmox.com>
Am 17.06.26 um 14:42 schrieb Thomas Ellmenreich:
> Instead of using a custom regex to parse pem chains, now uses
> the pve-common Certificate::check_pem function to do so. This
> now allows for additional text and whitespace inbetween the
> chain entries.
>
> Signed-off-by: Thomas Ellmenreich <t.ellmenreich@proxmox.com>
> ---
> src/PVE/ACME.pm | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
> index e6fb9c2..4b06817 100644
> --- a/src/PVE/ACME.pm
> +++ b/src/PVE/ACME.pm
> @@ -530,10 +530,10 @@ sub get_certificate {
> if !defined($res);
> }
>
> - if ($res =~ /^(-----BEGIN CERTIFICATE-----)(.+)(-----END CERTIFICATE-----)$/s) { # untaint
> - return $1 . $2 . $3;
> - }
> - die "Server reply does not look like a PEM encoded certificate\n";
> + my $parsed = eval { PVE::Certificate::check_pem->($res) };
Why the -> ? That's normally how one calls code references or blessed objects,
but not "normal" methods. As above will call check_perm without arguments and
then try to call the result as code reference with $res as parameter, so this
will always fail FWICT. Was this actually tested end to end?
Also, this fails with certs that are full chains, so this probably should be:
my $parsed = eval { PVE::Certificate::check_pem($res, multiple => 1) };
> + die "Server reply does not look like a PEM encoded certificate: $@\n"
Nit: server is not really _that_ telling here, could be also interpreted as some
API server part of ours (and yes, that wording is somewhat pre-existing in another
error in this method, but still).
> + if $@;
> + return $parsed;
> };
> $self->fatal("POST of '$order->{certificate}' failed - $@", $r) if $@;
> return $return;
next prev parent reply other threads:[~2026-06-24 11:38 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-17 12:42 [PATCH common/proxmox-acme v2 0/2] fix #5978: pem parser: relax parsing of chain entries Thomas Ellmenreich
2026-06-17 12:42 ` [PATCH common v2 1/2] fix #5978: pem parser: relax parsing of chain entries: Thomas Ellmenreich
2026-06-24 9:27 ` Thomas Lamprecht
2026-06-24 10:57 ` Fabian Grünbichler
2026-06-17 12:42 ` [PATCH proxmox-acme v2 2/2] " Thomas Ellmenreich
2026-06-24 10:57 ` Fabian Grünbichler
2026-06-24 11:38 ` Thomas Lamprecht [this message]
2026-06-17 13:21 ` [PATCH common/proxmox-acme v2 0/2] fix #5978: pem parser: relax parsing of chain entries Shannon Sterz
2026-06-18 8:46 ` Thomas Ellmenreich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4fcddd28-704f-446f-bdf2-6b77afc0e6ad@proxmox.com \
--to=t.lamprecht@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=t.ellmenreich@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox