From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id 2E5531FF136
	for <inbox@lore.proxmox.com>; Mon, 26 Jan 2026 11:12:58 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 14D6A945C;
	Mon, 26 Jan 2026 11:13:21 +0100 (CET)
Date: Mon, 26 Jan 2026 11:13:16 +0100
From: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
To: Stoiko Ivanov <s.ivanov@proxmox.com>
Message-ID: <bl4zadarmedjt4u2pr5qtzywxieicbipxmndrhuctrjxyhavyy@y6lb66qj4laj>
References: <20260122105516.135778-1-a.bied-charreton@proxmox.com>
 <20260123195300.0ae7fcc9@rosa.proxmox.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20260123195300.0ae7fcc9@rosa.proxmox.com>
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1769422334629
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.833 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: Re: [pve-devel] [PATCH pve-cluster] fix #6701: Add keyUsage
 extension to root CA
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Cc: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>

On Fri, Jan 23, 2026 at 07:53:00PM +0100, Stoiko Ivanov wrote:
> Thanks for tackling this and looking into certificate generation!
> 
> two suggestions/comments inline:
> 
> On Thu, 22 Jan 2026 11:55:16 +0100
> Arthur Bied-Charreton <a.bied-charreton@proxmox.com> wrote:
> 
> > Add the keyUsage[1] extension to the PVE root CA to comply with RFC
> > 5280. Python started to enforce this as of 3.13 by defaulting to using the 
> > VERIFY_X509_STRICT flag, which breaks clients like Ansible.
> > 
> > The authorityKeyIdentifier[2] and subjectKeyIdentifier[3] extensions are
> > not strictly required for fixing this issue, however RFC 5280 mandates
> > them for conforming CAs, so adding them makes sense as well.
> > 
> > [1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
> > [2] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1
> > [3] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.2
> > 
> > Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
> > ---
> > This fix is not required for PBS and PDM, since they only use self-signed
> > certificates.
> mentioning this here provides helpful information - thanks!
> (PMG also does not create a CA - so should not be affected either (without
> checking explicitly))
> 
> > 
> > You can run the script below to test the changes, should fail with
> > "CA cert does not include key usage extension" before applying the patch,
> > and succeed afterwards. 
> > 
> > ```
> > #!/usr/bin/env python3
> > 
> > import socket
> > import ssl
> > import sys
> > 
> > try:
> >     context = ssl.create_default_context(cafile="/etc/pve/pve-root-ca.pem")
> >     context.check_hostname = True
> >     context.verify_mode = ssl.CERT_REQUIRED
> > 
> >     with socket.create_connection(("localhost", 8006), timeout=10) as sock:
> >         with context.wrap_socket(sock, server_hostname="localhost") as ssock:
> >             print(f"success")
> > 
> > except ssl.SSLCertVerificationError as e:
> >     print(e)
> > ```
> thanks for the short script - helped a lot in seeing what's needed, and
> verifying the results.
> I'd argue that this could even be part of the commit message (more likely
> to be found again in the future. (best-case would if there's something
> shorter to achieve the same result).
> 
> >     
> >  src/PVE/Cluster/Setup.pm | 23 +++++++++++++++++++++++
> >  1 file changed, 23 insertions(+)
> > 
> > diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
> > index 75d3507..d95a278 100644
> > --- a/src/PVE/Cluster/Setup.pm
> > +++ b/src/PVE/Cluster/Setup.pm
> > @@ -426,6 +426,25 @@ sub gen_pveca_cert {
> >      my $uuid_str;
> >      UUID::unparse($uuid, $uuid_str);
> >  
> > +    my $sslconf = <<__EOD;
> > +[req]
> > +distinguished_name = req_distinguished_name
> > +x509_extensions = v3_ca
> > +
> > +[ req_distinguished_name ]
> > +
> > +[ v3_ca ]
> > +basicConstraints = critical,CA:TRUE
> > +keyUsage = critical,keyCertSign,cRLSign
> > +authorityKeyIdentifier = keyid:always,issuer
> > +subjectKeyIdentifier = hash
> 
> newer versions of openssl finally have a way of adding extensions without
> the need to edit the openssl config, or providing overrides in temporary
> files (or via bash `<(printf...` redirects.
> (noticed this a while ago when again searching how to add a SAN to a
> self-signed certificate.
> 
> Based on /etc/ssl/openssl.cnf on a PVE9 node replacing the config file, by
> `-addext 'keyUsage=critical,keyCertSign,cRLSign'` on the openssl
> command-line should be enough (and yields `success` with your script from
> above on a test-machine)
> 
> 
> > +__EOD
> > +
> > +    my $cfgfn = "/tmp/pvesslconf-$$.tmp";
> I would consider generating temporary files in /run, or any other
> directory that is not world-writable. I think there's a number of issues
> which were caused by potential symlink-races in /tmp.
> 
> alternatively/additionally - opening with O_CREAT | O_EXCL (see `man 2
> open`) might help with the potential for races.
> pve-common/src/PVE/File.pm has `file_set_contents` which looks like it
> does the right thing.
> 
> As you said off-list that this is based on other similar code in
> pve-cluster - switching those sites too might be a nice additional
> improvement - though not strictly tied to this patch.
> 
> A quick look through PVE::Cluster::Setup makes me think that
> probably most of the temporary config-file additions could also be
> replaced by one or two `-addext` command-line parameters and a fitting
> `-subj` (this can contain `organizationName` (as O=) and
> `organizationalUnitName` (as OU=) I think)
> 
> 
> > +    my $fh = IO::File->new($cfgfn, "w");
> > +    print $fh $sslconf;
> > +    close($fh);
> > +
> >      eval {
> >          # wrap openssl with faketime to prevent bug #904
> >          run_silent_cmd([
> > @@ -439,6 +458,8 @@ sub gen_pveca_cert {
> >              '-new',
> >              '-x509',
> >              '-nodes',
> > +            '-config',
> > +            $cfgfn,
> >              '-key',
> >              $pveca_key_fn,
> >              '-out',
> > @@ -448,6 +469,8 @@ sub gen_pveca_cert {
> >          ]);
> >      };
> >  
> > +    unlink $cfgfn;
> > +
> >      die "generating pve root certificate failed:\n$@" if $@;
> >  
> >      return 1;
> 
Hey Stoiko, thanks a lot for the review and all the feedback! I
addressed your suggestions in v2:
https://lore.proxmox.com/pve-devel/20260126100534.86882-3-a.bied-charreton@proxmox.com/T/#t


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel