From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 9F9391FF13B for ; Wed, 06 May 2026 14:40:00 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id BA5F4203F7; Wed, 6 May 2026 14:39:59 +0200 (CEST) Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Wed, 06 May 2026 14:39:21 +0200 Message-Id: To: "Thomas Lamprecht" , Subject: Re: [PATCH manager] certificate: make sure that any new certificate and key match X-Mailer: aerc 0.20.0 References: <20260506110452.166057-1-s.sterz@proxmox.com> In-Reply-To: From: "Shannon Sterz" X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1778071054004 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.118 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [certhelpers.pm,metacpan.org] Message-ID-Hash: 47ZYSB3RP3KMQIP7L4TFNTLJ5VUVCLVZ X-Message-ID-Hash: 47ZYSB3RP3KMQIP7L4TFNTLJ5VUVCLVZ X-MailFrom: s.sterz@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On Wed May 6, 2026 at 1:54 PM CEST, Thomas Lamprecht wrote: > Am 06.05.26 um 13:03 schrieb Shannon Sterz: >> previously it was possible to upload and set a key and certificate >> combination, that did not match each other. this lead to confusing >> errors as pveproxy would seemingly start, but not actually serve any >> http connections. in a cluster context this leads to "broken pipe" >> errors when connecting to such a misconfigured node. since this is >> rather confusing, verify that a key and certificate can actually be >> used before setting them as the current certificates by loading them >> into a TLS context. >> >> Signed-off-by: Shannon Sterz >> --- >> >> Notes: >> this came up in the enterprise support and caused quite a bit of >> confusion. > > nice UX polishing. > >> >> PVE/CertHelpers.pm | 27 +++++++++++++++++++++++++++ >> 1 file changed, 27 insertions(+) >> >> diff --git a/PVE/CertHelpers.pm b/PVE/CertHelpers.pm >> index ee945827f..2fc241c24 100644 >> --- a/PVE/CertHelpers.pm >> +++ b/PVE/CertHelpers.pm >> @@ -7,6 +7,8 @@ use PVE::Certificate; >> use PVE::JSONSchema; >> use PVE::Tools; >> >> +use Net::SSLeay; >> + >> my $account_prefix =3D '/etc/pve/priv/acme'; >> >> PVE::JSONSchema::register_standard_option( >> @@ -81,6 +83,31 @@ sub set_cert_files { >> PVE::Tools::file_set_contents($cert_path, $cert); >> PVE::Tools::file_set_contents($key_path, $key) if $key; > > > >> $info =3D PVE::Certificate::get_certificate_info($cert_path); >> + >> + if (my $method =3D Net::SSLeay::TLS_method()) { >> + my $ctx =3D Net::SSLeay::CTX_new_with_method($method); >> + >> + eval { >> + Net::SSLeay::CTX_use_certificate_chain_file($ctx, $cert= _path) >> + or die "could not load certificate (chain)\n"; >> + Net::SSLeay::CTX_use_PrivateKey_file( >> + $ctx, >> + $key_path, >> + Net::SSLeay::FILETYPE_PEM(), >> + ) or die "key does not match the certificate (chain)\n"= ; > > Should we include the error stack [0] here too in these calls? Might > make debugging even easier, and as the user provided these certs, (or ACM= E > generated them), we cannot really leak anything with doing that I think. > > [0]: https://metacpan.org/pod/Net::SSLeay#Error-handling-functions in my testing neither `die_now` nor `die_if_ssl_error` added any context for the mismatched key scenario. in my general experience, the openssl error stack rarely returns error messages that are very useful to end-users. however, it may come in handy for scenarios that i'm currently not considering and we don't really lose anything by using `die_now`. so i'll send a v2 with that. > >> + }; >> + >> + my $err =3D $@; >> + >> + if ($err) { >> + # clean up invalid certificate and key >> + unlink $cert_path; > > > error handling would be nice here: > > unlink $cert_path or $!{ENOENT} or warn "failed to clean-up $cert_path - = $!\n"; > >> + unlink $key_path; > > same here> + die $err; done. >> + } >> + } else { >> + warn "no TLS method to verify certificate and key match, co= ntinuing anyway\n"; >> + } >> }; >> my $err =3D $@; >>