From: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
To: Thomas Lamprecht <t.lamprecht@proxmox.com>
Cc: pve-devel@lists.proxmox.com
Subject: Re: [PATCH pve-cluster v3 2/3] Convert SSL cert generation config to CLI arguments
Date: Tue, 17 Mar 2026 17:07:43 +0100	[thread overview]
Message-ID: <knp644zpnswq6rh6t5xsuc6g3glqz6d5g5rg5y4fue3xwg5djg@tlpakktdkntx> (raw)
In-Reply-To: <20d37ec8-114f-4311-96fa-52736db2c522@proxmox.com>

On Tue, Mar 17, 2026 at 05:00:20PM +0100, Thomas Lamprecht wrote:
> Am 17.03.26 um 15:22 schrieb Arthur Bied-Charreton:
> > Replace temporary OpenSSL config file with direct CLI arguments in PVE
> > node SSL cert generation.
> > 
> > Changes:
> > - Use '-subj' flag for distinguished name
> > - Use '-addext' flag for cert extensions
> > - Use '-copy_extensions copyall' to copy extensions from CSR to cert
> > - Remove temp config file and cleanup code
> 
> IMO an odd way to write a commit message, especially as I can see most of
> that from checking the, well, actual changes below... And only some parts
> got picked out.
> 
Good point, will rewrite this.
> Also, the 2048 bit is just silently dropped, is that implied somewhere?
> Such things should be actually mentioned. Please recheck all settings
> yourself to ensure this is a complete change.
> 
Yes, 2048 is the default (/etc/ssl/openssl.cnf). I should have made that 
clear in the commit message. Will add it in v4.
> > As suggested here:
> > https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t
> 
> would be good to include some actual rationale, not just the link, as
> unlike the changes described above I cannot just get that from the diff
> or rest of the commit's info.
> 
Thanks for the feedback!
> 
> 
> > 
> > Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
> > ---
> >  src/PVE/Cluster/Setup.pm | 41 +++++++++-------------------------------
> >  1 file changed, 9 insertions(+), 32 deletions(-)
> > 
> > diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
> > index 4f528ba..b9cacfd 100644
> > --- a/src/PVE/Cluster/Setup.pm
> > +++ b/src/PVE/Cluster/Setup.pm
> > @@ -504,33 +504,6 @@ sub gen_pve_ssl_cert {
> >          $names .= ",DNS:$fqdn";
> >      }
> >  
> > -    my $sslconf = <<__EOD;
> > -RANDFILE = /root/.rnd
> > -extensions = v3_req
> > -
> > -[ req ]
> > -default_bits = 2048
> > -distinguished_name = req_distinguished_name
> > -req_extensions = v3_req
> > -prompt = no
> > -string_mask = nombstr
> > -
> > -[ req_distinguished_name ]
> > -organizationalUnitName = PVE Cluster Node
> > -organizationName = Proxmox Virtual Environment
> > -commonName = $fqdn
> > -
> > -[ v3_req ]
> > -basicConstraints = CA:FALSE
> > -extendedKeyUsage = serverAuth
> > -subjectAltName = $names
> > -__EOD
> > -
> > -    my $cfgfn = "/tmp/pvesslconf-$$.tmp";
> > -    my $fh = IO::File->new($cfgfn, "w");
> > -    print $fh $sslconf;
> > -    close($fh);
> > -
> >      my $reqfn = "/tmp/pvecertreq-$$.tmp";
> >      unlink $reqfn;
> >  
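Review bot: three settings in the removed heredoc have no counterpart in the new invocation, and the commit message should say what becomes of each rather than leaving the reader to diff them out: `string_mask = nombstr` (the DN string encoding now follows whatever the system openssl.cnf sets, so the subject's ASN.1 string types can change at the DER level even though the printed subject is identical), `RANDFILE = /root/.rnd` (obsolete on current OpenSSL, harmless to drop), and `default_bits = 2048` (never consulted by this code path at all, since the request is built from the existing key passed via `-key $pvessl_key_fn` and no key is generated). One line per dropped setting would answer the "is this a complete change" question directly.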
> > @@ -541,18 +514,23 @@ __EOD
> >              'req',
> >              '-batch',
> >              '-new',
> > -            '-config',
> > -            $cfgfn,
> >              '-key',
> >              $pvessl_key_fn,
> >              '-out',
> >              $reqfn,
> > +            '-subj',
> > +            "/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=$fqdn",
> > +            '-addext',
> > +            'basicConstraints=CA:FALSE',
> > +            '-addext',
> > +            'extendedKeyUsage=serverAuth',
> > +            '-addext',
> > +            "subjectAltName=$names",
> >          ]);
> >      };
> >  
> >      if (my $err = $@) {
> >          unlink $reqfn;
> > -        unlink $cfgfn;
> >          die "unable to generate pve certificate request:\n$err";
> >      }
> >  
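Review bot: with `-config` gone, `openssl req` now reads `/etc/ssl/openssl.cnf` for its `[req]` defaults, and `-addext` only exists from OpenSSL 1.1.1 on; both facts belong in the commit message so the toolchain requirement is explicit. Also `$fqdn` and `$names` are now interpolated into `-subj` and `-addext` strings in which `/` and `,` are separators; they come from constrained inputs here (a hostname and an `IP:`/`DNS:` list built a few lines above), but a short comment stating that assumption would keep a future caller from passing a value that silently splits the subject.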
> > @@ -581,13 +559,12 @@ __EOD
> >              'openssl', 'x509', '-req', '-in', $reqfn, '-days', $daysleft, '-out',
> >              $pvessl_cert_fn,
> >              '-CAkey', $pveca_key_fn, '-CA', $pveca_cert_fn, '-CAserial', $pveca_srl_fn,
> > -            '-extfile', $cfgfn,
> > +            '-copy_extensions', 'copyall',
> >          ]);
> >      };
> >      my $err = $@;
> >  
> >      unlink $reqfn or $!{ENOENT} or warn "failed to clean up '$reqfn' - $!";
> > -    unlink $cfgfn or $!{ENOENT} or warn "failed to clean up '$cfgfn' - $!";
> >  
> >      die "unable to generate pve ssl certificate:\n$err" if $err;
> >  }
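Review bot: `-copy_extensions` on `openssl x509` was added in OpenSSL 3.0, a stricter requirement than the 1.1.1 needed for `-addext` in the CSR step; on an older toolchain this call fails with an unknown-option error, so the minimum version should be recorded in the commit message or a comment next to the `'-copy_extensions', 'copyall',` line. Since there is no `-extfile` any more there is nothing for `copyall` to override, so `copy` would express the intent (the CSR is the only source of extensions) more precisely than `copyall`.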
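The "recheck all settings yourself" step asked for above, as an added example that is not part of the patch or of Proxmox's code: a POSIX shell script that builds the node CSR both ways, once with a config file mirroring the removed heredoc and once with the new -subj/-addext arguments, and compares subject and requested extensions so that a dropped extension shows up as a diff. The hostname, SAN list and scratch RSA key are constructed test values; the CLI path assumes the system openssl.cnf exists (as the patched code does), and RANDFILE is left out of the config copy because it never influenced CSR content.

```shell
#!/bin/sh
# Added example, not Proxmox code: produce the CSR via the old temporary
# config file and via the new CLI arguments, then compare the results.
# All values below (hostname, SAN list, scratch key) are constructed for the test.

set -eu

FQDN="node1.example.test"                      # stands in for $fqdn in Setup.pm
NAMES="IP:192.0.2.10,DNS:node1,DNS:$FQDN"      # stands in for $names in Setup.pm

# Old path: a config file shaped like the removed heredoc.
# RANDFILE is omitted on purpose; it never changed the CSR content.
csr_via_config() {                              # $1 = key file, $2 = CSR output
    cfg="$2.cnf"
    cat > "$cfg" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
string_mask = nombstr

[ req_distinguished_name ]
organizationalUnitName = PVE Cluster Node
organizationName = Proxmox Virtual Environment
commonName = $FQDN

[ v3_req ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = $NAMES
EOF
    openssl req -batch -new -config "$cfg" -key "$1" -out "$2"
}

# New path: no config file, subject and extensions as CLI arguments.
# Relies on the system openssl.cnf for the [req] defaults, as the patch does.
csr_via_cli() {                                 # $1 = key file, $2 = CSR output
    openssl req -batch -new -key "$1" -out "$2" \
        -subj "/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=$FQDN" \
        -addext 'basicConstraints=CA:FALSE' \
        -addext 'extendedKeyUsage=serverAuth' \
        -addext "subjectAltName=$NAMES"
}

# Printed subject plus the "Requested Extensions" block of a CSR, which is
# exactly the information the old config file used to supply.
csr_summary() {                                 # $1 = CSR file
    openssl req -in "$1" -noout -subject
    openssl req -in "$1" -noout -text \
        | awk '/Requested Extensions:/{p=1} /Signature Algorithm:/{p=0} p'
}

# Returns 0 when both paths yield the same subject and extensions and the
# CLI-built CSR still carries the FQDN SAN entry; 1 otherwise.
check_equivalence() {
    work=$(mktemp -d)
    status=0
    # Scratch key: the real code signs the request with the existing node key,
    # which is why default_bits was never consulted.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/key.pem" 2>/dev/null
    csr_via_config "$work/key.pem" "$work/old.csr"
    csr_via_cli "$work/key.pem" "$work/new.csr"
    csr_summary "$work/old.csr" > "$work/old.txt"
    csr_summary "$work/new.csr" > "$work/new.txt"
    if ! cmp -s "$work/old.txt" "$work/new.txt"; then
        echo "subject/extensions differ between config and CLI path:" >&2
        diff "$work/old.txt" "$work/new.txt" >&2 || true
        status=1
    fi
    grep -q "DNS:$FQDN" "$work/new.txt" || status=1
    rm -rf "$work"
    return $status
}

if command -v openssl >/dev/null 2>&1; then
    if check_equivalence; then
        echo "config-file and CLI CSR paths agree"
    else
        echo "MISMATCH: review the dropped settings" >&2
    fi
else
    echo "openssl not found, nothing checked" >&2
fi
```

Run this on the target host's OpenSSL build, since `-addext` needs 1.1.1 and the later `x509 -copy_extensions` step needs 3.0. The textual comparison passes even though `string_mask = nombstr` has no CLI equivalent: the CLI-built CSR inherits the system `string_mask` (utf8only on Debian), so the DN attributes are UTF8String there where the config path produced PrintableString; `openssl asn1parse -in new.csr` makes that visible if anything downstream compares subjects at the DER level.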

Thread overview: 7+ messages
2026-03-17 14:20 [PATCH cluster v3 0/3] fix #6701: Add keyUsage extension to root CA Arthur Bied-Charreton
2026-03-17 14:20 ` [PATCH pve-cluster v3 1/3] " Arthur Bied-Charreton
2026-03-17 14:20 ` [PATCH pve-cluster v3 2/3] Convert SSL cert generation config to CLI arguments Arthur Bied-Charreton
2026-03-17 16:00   ` Thomas Lamprecht
2026-03-17 16:07     ` Arthur Bied-Charreton [this message]
2026-03-17 14:20 ` [PATCH pve-cluster v3 3/3] Create temporary CSR file in /run instead of /tmp Arthur Bied-Charreton
2026-03-17 16:56 ` superseded: [PATCH cluster v3 0/3] fix #6701: Add keyUsage extension to root CA Arthur Bied-Charreton
