Re: [pve-devel] [PATCH pve-cluster] fix #6701: Add keyUsage extension to root CA

[Arthur Bied-Charreton <a.bied-charreton@proxmox.com>]

On Fri, Jan 23, 2026 at 07:53:00PM +0100, Stoiko Ivanov wrote:
> Thanks for tackling this and looking into certificate generation!
> 
> two suggestions/comments inline:
> 
> On Thu, 22 Jan 2026 11:55:16 +0100
> Arthur Bied-Charreton <a.bied-charreton@proxmox.com> wrote:
> 
> > Add the keyUsage[1] extension to the PVE root CA to comply with RFC
> > 5280. Python started to enforce this as of 3.13 by defaulting to using the 
> > VERIFY_X509_STRICT flag, which breaks clients like Ansible.
> > 
> > The authorityKeyIdentifier[2] and subjectKeyIdentifier[3] extensions are
> > not strictly required for fixing this issue, however RFC 5280 mandates
> > them for conforming CAs, so adding them makes sense as well.
> > 
> > [1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
> > [2] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1
> > [3] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.2
> > 
> > Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
> > ---
> > This fix is not required for PBS and PDM, since they only use self-signed
> > certificates.
> mentioning this here provides helpful information - thanks!
> (PMG also does not create a CA - so should not be affected either (without
> checking explicitly))
> 
> > 
> > You can run the script below to test the changes, should fail with
> > "CA cert does not include key usage extension" before applying the patch,
> > and succeed afterwards. 
> > 
> > ```
> > #!/usr/bin/env python3
> > 
> > import socket
> > import ssl
> > import sys
> > 
> > try:
> >     context = ssl.create_default_context(cafile="/etc/pve/pve-root-ca.pem")
> >     context.check_hostname = True
> >     context.verify_mode = ssl.CERT_REQUIRED
> > 
> >     with socket.create_connection(("localhost", 8006), timeout=10) as sock:
> >         with context.wrap_socket(sock, server_hostname="localhost") as ssock:
> >             print(f"success")
> > 
> > except ssl.SSLCertVerificationError as e:
> >     print(e)
> > ```
> thanks for the short script - helped a lot in seeing what's needed, and
> verifying the results.
> I'd argue that this could even be part of the commit message (more likely
> to be found again in the future. (best-case would if there's something
> shorter to achieve the same result).
> 
> >     
> >  src/PVE/Cluster/Setup.pm | 23 +++++++++++++++++++++++
> >  1 file changed, 23 insertions(+)
> > 
> > diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
> > index 75d3507..d95a278 100644
> > --- a/src/PVE/Cluster/Setup.pm
> > +++ b/src/PVE/Cluster/Setup.pm
> > @@ -426,6 +426,25 @@ sub gen_pveca_cert {
> >      my $uuid_str;
> >      UUID::unparse($uuid, $uuid_str);
> >  
> > +    my $sslconf = <<__EOD;
> > +[req]
> > +distinguished_name = req_distinguished_name
> > +x509_extensions = v3_ca
> > +
> > +[ req_distinguished_name ]
> > +
> > +[ v3_ca ]
> > +basicConstraints = critical,CA:TRUE
> > +keyUsage = critical,keyCertSign,cRLSign
> > +authorityKeyIdentifier = keyid:always,issuer
> > +subjectKeyIdentifier = hash
> 
> newer versions of openssl finally have a way of adding extensions without
> the need to edit the openssl config, or providing overrides in temporary
> files (or via bash `<(printf...` redirects.
> (noticed this a while ago when again searching how to add a SAN to a
> self-signed certificate.
> 
> Based on /etc/ssl/openssl.cnf on a PVE9 node replacing the config file, by
> `-addext 'keyUsage=critical,keyCertSign,cRLSign'` on the openssl
> command-line should be enough (and yields `success` with your script from
> above on a test-machine)
> 
> 
> > +__EOD
> > +
> > +    my $cfgfn = "/tmp/pvesslconf-$$.tmp";
> I would consider generating temporary files in /run, or any other
> directory that is not world-writable. I think there's a number of issues
> which were caused by potential symlink-races in /tmp.
> 
> alternatively/additionally - opening with O_CREAT | O_EXCL (see `man 2
> open`) might help with the potential for races.
> pve-common/src/PVE/File.pm has `file_set_contents` which looks like it
> does the right thing.
> 
> As you said off-list that this is based on other similar code in
> pve-cluster - switching those sites too might be a nice additional
> improvement - though not strictly tied to this patch.
> 
> A quick look through PVE::Cluster::Setup makes me think that
> probably most of the temporary config-file additions could also be
> replaced by one or two `-addext` command-line parameters and a fitting
> `-subj` (this can contain `organizationName` (as O=) and
> `organizationalUnitName` (as OU=) I think)
> 
> 
> > +    my $fh = IO::File->new($cfgfn, "w");
> > +    print $fh $sslconf;
> > +    close($fh);
> > +
> >      eval {
> >          # wrap openssl with faketime to prevent bug #904
> >          run_silent_cmd([
> > @@ -439,6 +458,8 @@ sub gen_pveca_cert {
> >              '-new',
> >              '-x509',
> >              '-nodes',
> > +            '-config',
> > +            $cfgfn,
> >              '-key',
> >              $pveca_key_fn,
> >              '-out',
> > @@ -448,6 +469,8 @@ sub gen_pveca_cert {
> >          ]);
> >      };
> >  
> > +    unlink $cfgfn;
> > +
> >      die "generating pve root certificate failed:\n$@" if $@;
> >  
> >      return 1;
> 
Hey Stoiko, thanks a lot for the review and all the feedback! I
addressed your suggestions in v2:
https://lore.proxmox.com/pve-devel/20260126100534.86882-3-a.bied-charreton@proxmox.com/T/#t


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel