From: Maximiliano Sandoval <m.sandoval@proxmox.com>
To: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
Cc: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [PATCH pve-cluster v2 1/3] fix #6701: Add keyUsage extension to root CA
Date: Tue, 17 Mar 2026 13:58:33 +0100 [thread overview]
Message-ID: <s8ocy12d346.fsf@toolbox> (raw)
In-Reply-To: <20260126100534.86882-5-a.bied-charreton@proxmox.com> (Arthur Bied-Charreton's message of "Mon, 26 Jan 2026 10:55:44 +0100")
Arthur Bied-Charreton <a.bied-charreton@proxmox.com> writes:
> Add the keyUsage[1] extension to the PVE root CA to comply with RFC
> 5280, which Python decided to enforce as of 3.13 by adding the
> VERIFY_X509_STRICT flag, which breaks some clients like Ansible.
If there is a v2, it would be good to mention that this flag
(ssl.VERIFY_X509_STRICT) comes from python's [ssl] module. And that the
change of behavior in 3.13 is documented at [create_default_context].
[ssl] https://docs.python.org/3/library/ssl.html
[create_default_context] https://docs.python.org/3/library/ssl.html#ssl.create_default_context
>
> The authorityKeyIdentifier[2] and subjectKeyIdentifier[3] extensions are
> required by RFC 5280 as well, however OpenSSL adds them in by default
> based on /etc/ssl/openssl.cnf, so there is no need for explicitly
> passing them.
>
> Test script:
> ```
> import socket, ssl
>
> ctx = ssl.create_default_context(cafile="/etc/pve/pve-root-ca.pem")
> ctx.wrap_socket(socket.create_connection(("localhost", 8006)),
> server_hostname="localhost")
> print("success")
> ```
>
> [1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
> [2] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1
> [3] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.2
>
> Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
> ---
> src/PVE/Cluster/Setup.pm | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
> index 75d3507..4f528ba 100644
> --- a/src/PVE/Cluster/Setup.pm
> +++ b/src/PVE/Cluster/Setup.pm
> @@ -439,6 +439,8 @@ sub gen_pveca_cert {
> '-new',
> '-x509',
> '-nodes',
> + '-addext',
> + 'keyUsage=critical,keyCertSign,cRLSign',
> '-key',
> $pveca_key_fn,
> '-out',
--
Maximiliano
next prev parent reply other threads:[~2026-03-17 12:59 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-26 9:55 [pve-devel] [PATCH pve-cluster v2 0/3] fix #6701: Update PVE cert generation Arthur Bied-Charreton
2026-01-26 9:55 ` [pve-devel] [PATCH pve-cluster v2 1/3] fix #6701: Add keyUsage extension to root CA Arthur Bied-Charreton
2026-03-17 12:58 ` Maximiliano Sandoval [this message]
2026-03-17 14:26 ` Arthur Bied-Charreton
2026-01-26 9:55 ` [pve-devel] [PATCH pve-cluster v2 2/3] Convert SSL cert generation config to CLI arguments Arthur Bied-Charreton
2026-01-26 9:55 ` [pve-devel] [PATCH pve-cluster v2 3/3] Create temporary CSR file in /run instead of /tmp Arthur Bied-Charreton
2026-03-17 13:57 ` Maximiliano Sandoval
2026-03-17 14:25 ` Arthur Bied-Charreton
2026-02-06 11:35 ` [pve-devel] [PATCH pve-cluster v2 0/3] fix #6701: Update PVE cert generation Stoiko Ivanov
2026-03-17 12:50 ` Arthur Bied-Charreton
2026-03-17 14:27 ` superseded: " Arthur Bied-Charreton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=s8ocy12d346.fsf@toolbox \
--to=m.sandoval@proxmox.com \
--cc=a.bied-charreton@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox