From: "Shannon Sterz" <s.sterz@proxmox.com>
To: "Shannon Sterz" <s.sterz@proxmox.com>, <pve-devel@lists.proxmox.com>
Subject: Superseded: Re: [PATCH manager] certificate: make sure that any new certificate and key match
Date: Wed, 06 May 2026 14:50:06 +0200 [thread overview]
Message-ID: <DIBLUJONZPL6.11J71CWOO206B@proxmox.com> (raw)
In-Reply-To: <20260506110452.166057-1-s.sterz@proxmox.com>
Superseded: https://lore.proxmox.com/pve-devel/20260506124832.246682-1-s.sterz@proxmox.com/T/#u
On Wed May 6, 2026 at 1:04 PM CEST, Shannon Sterz wrote:
> previously it was possible to upload and set a key and certificate
> combination, that did not match each other. this lead to confusing
> errors as pveproxy would seemingly start, but not actually serve any
> http connections. in a cluster context this leads to "broken pipe"
> errors when connecting to such a misconfigured node. since this is
> rather confusing, verify that a key and certificate can actually be
> used before setting them as the current certificates by loading them
> into a TLS context.
>
> Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
> ---
>
> Notes:
> this came up in the enterprise support and caused quite a bit of
> confusion.
>
> PVE/CertHelpers.pm | 27 +++++++++++++++++++++++++++
> 1 file changed, 27 insertions(+)
>
> diff --git a/PVE/CertHelpers.pm b/PVE/CertHelpers.pm
> index ee945827f..2fc241c24 100644
> --- a/PVE/CertHelpers.pm
> +++ b/PVE/CertHelpers.pm
> @@ -7,6 +7,8 @@ use PVE::Certificate;
> use PVE::JSONSchema;
> use PVE::Tools;
>
> +use Net::SSLeay;
> +
> my $account_prefix = '/etc/pve/priv/acme';
>
> PVE::JSONSchema::register_standard_option(
> @@ -81,6 +83,31 @@ sub set_cert_files {
> PVE::Tools::file_set_contents($cert_path, $cert);
> PVE::Tools::file_set_contents($key_path, $key) if $key;
> $info = PVE::Certificate::get_certificate_info($cert_path);
> +
> + if (my $method = Net::SSLeay::TLS_method()) {
> + my $ctx = Net::SSLeay::CTX_new_with_method($method);
> +
> + eval {
> + Net::SSLeay::CTX_use_certificate_chain_file($ctx, $cert_path)
> + or die "could not load certificate (chain)\n";
> + Net::SSLeay::CTX_use_PrivateKey_file(
> + $ctx,
> + $key_path,
> + Net::SSLeay::FILETYPE_PEM(),
> + ) or die "key does not match the certificate (chain)\n";
> + };
> +
> + my $err = $@;
> +
> + if ($err) {
> + # clean up invalid certificate and key
> + unlink $cert_path;
> + unlink $key_path;
> + die $err;
> + }
> + } else {
> + warn "no TLS method to verify certificate and key match, continuing anyway\n";
> + }
> };
> my $err = $@;
>
prev parent reply other threads:[~2026-05-06 12:50 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-06 11:04 [PATCH manager] certificate: make sure that any new certificate and key match Shannon Sterz
2026-05-06 11:28 ` Daniel Herzig
2026-05-06 11:54 ` Thomas Lamprecht
2026-05-06 12:39 ` Shannon Sterz
2026-05-06 12:50 ` Shannon Sterz [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DIBLUJONZPL6.11J71CWOO206B@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox