public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [PATCH pve-cluster v2 0/3] fix #6701: Update PVE cert generation
@ 2026-01-26  9:55 Arthur Bied-Charreton
From: Arthur Bied-Charreton @ 2026-01-26  9:55 UTC (permalink / raw)
  To: pve-devel

The main fix (1/3) adds the keyUsage extension to PVE's root CA, which
is required by RFC 5280.

{2,3}/3 address review feedback [1] by eliminating temporary config
files and moving temp file creation from /tmp to /run to prevent symlink
races.

More details in the commit messages.

[1]
https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t

Arthur Bied-Charreton (3):
  fix #6701: Add keyUsage extension to root CA
  Convert SSL cert generation config to CLI arguments
  Create temporary CSR file in /run instead of /tmp

 src/PVE/Cluster/Setup.pm | 45 +++++++++++-----------------------------
 1 file changed, 12 insertions(+), 33 deletions(-)

-- 
2.47.3


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel



* [pve-devel] [PATCH pve-cluster v2 1/3] fix #6701: Add keyUsage extension to root CA
From: Arthur Bied-Charreton @ 2026-01-26  9:55 UTC (permalink / raw)
  To: pve-devel

Add the keyUsage[1] extension to the PVE root CA to comply with RFC
5280, which Python decided to enforce as of 3.13 by adding the
VERIFY_X509_STRICT flag, which breaks some clients like Ansible.

The authorityKeyIdentifier[2] and subjectKeyIdentifier[3] extensions are
required by RFC 5280 as well, however OpenSSL adds them in by default
based on /etc/ssl/openssl.cnf, so there is no need for explicitly
passing them.

Test script:
```
# Connect to the local pveproxy with Python's default context, which on
# 3.13+ sets ssl.VERIFY_X509_STRICT; the handshake fails if the CA lacks
# the keyUsage extension.
import socket, ssl

ctx = ssl.create_default_context(cafile="/etc/pve/pve-root-ca.pem")
ctx.wrap_socket(socket.create_connection(("localhost", 8006)),
                server_hostname="localhost")
print("success")
```

[1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
[2] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1
[3] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.2

Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
---
 src/PVE/Cluster/Setup.pm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
index 75d3507..4f528ba 100644
--- a/src/PVE/Cluster/Setup.pm
+++ b/src/PVE/Cluster/Setup.pm
@@ -439,6 +439,8 @@ sub gen_pveca_cert {
             '-new',
             '-x509',
             '-nodes',
+            '-addext',
+            'keyUsage=critical,keyCertSign,cRLSign',
             '-key',
             $pveca_key_fn,
             '-out',
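Review bot: the new `-addext keyUsage=...` only affects CAs generated from now on; a node whose pve-root-ca.pem already exists keeps a CA without keyUsage, so the commit message should say how existing installations are expected to pick the fix up (regenerating the CA). Also, since the message states that subjectKeyIdentifier and authorityKeyIdentifier are only present because /etc/ssl/openssl.cnf adds them, consider passing those two with `-addext` as well so the generated CA no longer depends on the system config.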
-- 
2.47.3



* [pve-devel] [PATCH pve-cluster v2 2/3] Convert SSL cert generation config to CLI arguments
From: Arthur Bied-Charreton @ 2026-01-26  9:55 UTC (permalink / raw)
  To: pve-devel

Replace temporary OpenSSL config file with direct CLI arguments in PVE
node SSL cert generation.

Changes:
- Use '-subj' flag for distinguished name
- Use '-addext' flag for cert extensions
- Use '-copy_extensions copyall' to copy extensions from CSR to cert
- Remove temp config file and cleanup code

As suggested here:
https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t

Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
---
 src/PVE/Cluster/Setup.pm | 41 +++++++++-------------------------------
 1 file changed, 9 insertions(+), 32 deletions(-)

diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
index 4f528ba..b9cacfd 100644
--- a/src/PVE/Cluster/Setup.pm
+++ b/src/PVE/Cluster/Setup.pm
@@ -504,33 +504,6 @@ sub gen_pve_ssl_cert {
         $names .= ",DNS:$fqdn";
     }
 
-    my $sslconf = <<__EOD;
-RANDFILE = /root/.rnd
-extensions = v3_req
-
-[ req ]
-default_bits = 2048
-distinguished_name = req_distinguished_name
-req_extensions = v3_req
-prompt = no
-string_mask = nombstr
-
-[ req_distinguished_name ]
-organizationalUnitName = PVE Cluster Node
-organizationName = Proxmox Virtual Environment
-commonName = $fqdn
-
-[ v3_req ]
-basicConstraints = CA:FALSE
-extendedKeyUsage = serverAuth
-subjectAltName = $names
-__EOD
-
-    my $cfgfn = "/tmp/pvesslconf-$$.tmp";
-    my $fh = IO::File->new($cfgfn, "w");
-    print $fh $sslconf;
-    close($fh);
-
     my $reqfn = "/tmp/pvecertreq-$$.tmp";
     unlink $reqfn;
 
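Review bot: two settings from the deleted config are dropped without being mentioned: `default_bits = 2048` (harmless, the key is passed with `-key`) and `string_mask = nombstr`, which controlled how the DN strings were encoded. After this hunk the encoding follows the system openssl.cnf default, so the commit message should state that and that the resulting certificate was diffed against one generated the old way.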
@@ -541,18 +514,23 @@ __EOD
             'req',
             '-batch',
             '-new',
-            '-config',
-            $cfgfn,
             '-key',
             $pvessl_key_fn,
             '-out',
             $reqfn,
+            '-subj',
+            "/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=$fqdn",
+            '-addext',
+            'basicConstraints=CA:FALSE',
+            '-addext',
+            'extendedKeyUsage=serverAuth',
+            '-addext',
+            "subjectAltName=$names",
         ]);
     };
 
     if (my $err = $@) {
         unlink $reqfn;
-        unlink $cfgfn;
         die "unable to generate pve certificate request:\n$err";
     }
 
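Review bot: `$fqdn` is interpolated into the `-subj` string unescaped; `openssl req -subj` treats `/`, `=`, `+` and `\` as syntax, so a value containing them would be mis-parsed or rejected. Hostnames normally cannot contain these characters, but the value is not validated here, and the same applies to `$names` in the subjectAltName `-addext`; a short sanity check (or escaping) before building the argument list would make the failure mode explicit.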
@@ -581,13 +559,12 @@ __EOD
             'openssl', 'x509', '-req', '-in', $reqfn, '-days', $daysleft, '-out',
             $pvessl_cert_fn,
             '-CAkey', $pveca_key_fn, '-CA', $pveca_cert_fn, '-CAserial', $pveca_srl_fn,
-            '-extfile', $cfgfn,
+            '-copy_extensions', 'copyall',
         ]);
     };
     my $err = $@;
 
     unlink $reqfn or $!{ENOENT} or warn "failed to clean up '$reqfn' - $!";
-    unlink $cfgfn or $!{ENOENT} or warn "failed to clean up '$cfgfn' - $!";
 
     die "unable to generate pve ssl certificate:\n$err" if $err;
 }
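Review bot: `-copy_extensions` for `openssl x509` only exists from OpenSSL 3.0 on, so the commit message should state the minimum OpenSSL (and thus Debian) version this now requires. `copyall` and `copy` behave the same here because no `-extfile` is given; whichever is kept, note that the signed certificate's extensions now come entirely from the CSR built earlier in this same function, so any later change to that `-addext` list flows straight into the issued certificate.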
-- 
2.47.3



* [pve-devel] [PATCH pve-cluster v2 3/3] Create temporary CSR file in /run instead of /tmp
From: Arthur Bied-Charreton @ 2026-01-26  9:55 UTC (permalink / raw)
  To: pve-devel

Creating temp files in a world-writable directory such as /tmp could expose
the config generation to symlink races. Use the /run directory instead.

As suggested here:
https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t

Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
---
 src/PVE/Cluster/Setup.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
index b9cacfd..5ed85ad 100644
--- a/src/PVE/Cluster/Setup.pm
+++ b/src/PVE/Cluster/Setup.pm
@@ -504,7 +504,7 @@ sub gen_pve_ssl_cert {
         $names .= ",DNS:$fqdn";
     }
 
-    my $reqfn = "/tmp/pvecertreq-$$.tmp";
+    my $reqfn = "/run/pvecertreq-$$.tmp";
     unlink $reqfn;
 
     my $pvessl_key_fn = "$pmxcfs_base_dir/nodes/$nodename/pve-ssl.key";
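Review bot: the commit message speaks of "config generation", but after 2/3 the only file written here is the CSR, so reword it to match. /run itself is root-owned and not world-writable, which removes the pre-created-symlink case, but `pvecertreq-$$.tmp` is still a predictable name in a directory shared with every other service; a subdirectory reserved for this purpose with restrictive permissions, or `File::Temp`, would make the intent clearer.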
-- 
2.47.3



* Re: [pve-devel] [PATCH pve-cluster v2 0/3] fix #6701: Update PVE cert generation
From: Stoiko Ivanov @ 2026-02-06 11:35 UTC (permalink / raw)
  To: Arthur Bied-Charreton; +Cc: Proxmox VE development discussion

Thanks for the quick iteration on this!

Changes look good to me - and I consider them an improvement to before.

Tested this quickly by:
1) removing pve-root-ca (key and cert), the node's pve-ssl (key and cert)
2) running `pvecm updatecerts --force`
3) installing pve-cluster packages with your patches applied
4) recreating the certificate (point 1+2) again
5) vimdiffing old and new files - changes look sensible (apart from the
   uuid, only the added keyUsage extension)
6) running the test-script from your commit-message after restarting
   pveproxy

Did not read/recheck everything in RFC 5280 though.

consider this series
Reviewed-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Tested-by: Stoiko Ivanov <s.ivanov@proxmox.com>

On Mon, 26 Jan 2026 10:55:42 +0100
Arthur Bied-Charreton <a.bied-charreton@proxmox.com> wrote:

> The main fix (1/3) adds the keyUsage extension to PVE's root CA, which
> is required by RFC 5280.
> 
> {2,3}/3 address review feedback [1] by eliminating temporary config
> files and moving temp file creation from /tmp to /run to prevent symlink
> races.
> 
> More details in the commit messages.
> 
> [1]
> https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t
> 
> Arthur Bied-Charreton (3):
>   fix #6701: Add keyUsage extension to root CA
>   Convert SSL cert generation config to CLI arguments
>   Create temporary CSR file in /run instead of /tmp
> 
>  src/PVE/Cluster/Setup.pm | 45 +++++++++++-----------------------------
>  1 file changed, 12 insertions(+), 33 deletions(-)
> 

* Re: [PATCH pve-cluster v2 0/3] fix #6701: Update PVE cert generation
From: Arthur Bied-Charreton @ 2026-03-17 12:50 UTC (permalink / raw)
  To: pve-devel

On Mon, Jan 26, 2026 at 10:55:42AM +0100, Arthur Bied-Charreton wrote:
> The main fix (1/3) adds the keyUsage extension to PVE's root CA, which
> is required by RFC 5280.
> 
> {2,3}/3 address review feedback [1] by eliminating temporary config
> files and moving temp file creation from /tmp to /run to prevent symlink
> races.
> 
> More details in the commit messages.
> 
> [1]
> https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t
> 
> Arthur Bied-Charreton (3):
>   fix #6701: Add keyUsage extension to root CA
>   Convert SSL cert generation config to CLI arguments
>   Create temporary CSR file in /run instead of /tmp
> 
>  src/PVE/Cluster/Setup.pm | 45 +++++++++++-----------------------------
>  1 file changed, 12 insertions(+), 33 deletions(-)
> 
> -- 
> 2.47.3
> 
Ping, RFC 5280-compliant HTTP clients do not work without this.

* Re: [pve-devel] [PATCH pve-cluster v2 1/3] fix #6701: Add keyUsage extension to root CA
From: Maximiliano Sandoval @ 2026-03-17 12:58 UTC (permalink / raw)
  To: Arthur Bied-Charreton; +Cc: pve-devel

Arthur Bied-Charreton <a.bied-charreton@proxmox.com> writes:

> Add the keyUsage[1] extension to the PVE root CA to comply with RFC
> 5280, which Python decided to enforce as of 3.13 by adding the
> VERIFY_X509_STRICT flag, which breaks some clients like Ansible.

If there is a v2, it would be good to mention that this flag
(ssl.VERIFY_X509_STRICT) comes from Python's [ssl] module, and that the
change of behavior in 3.13 is documented at [create_default_context].

[ssl] https://docs.python.org/3/library/ssl.html
[create_default_context] https://docs.python.org/3/library/ssl.html#ssl.create_default_context

>
> The authorityKeyIdentifier[2] and subjectKeyIdentifier[3] extensions are
> required by RFC 5280 as well, however OpenSSL adds them in by default
> based on /etc/ssl/openssl.cnf, so there is no need for explicitly
> passing them.
>
> Test script:
> ```
> import socket, ssl
>
> ctx = ssl.create_default_context(cafile="/etc/pve/pve-root-ca.pem")
> ctx.wrap_socket(socket.create_connection(("localhost", 8006)),
> server_hostname="localhost")
> print("success")
> ```
>
> [1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
> [2] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1
> [3] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.2
>
> Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
> ---
>  src/PVE/Cluster/Setup.pm | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
> index 75d3507..4f528ba 100644
> --- a/src/PVE/Cluster/Setup.pm
> +++ b/src/PVE/Cluster/Setup.pm
> @@ -439,6 +439,8 @@ sub gen_pveca_cert {
>              '-new',
>              '-x509',
>              '-nodes',
> +            '-addext',
> +            'keyUsage=critical,keyCertSign,cRLSign',
>              '-key',
>              $pveca_key_fn,
>              '-out',

-- 
Maximiliano

* Re: [pve-devel] [PATCH pve-cluster v2 3/3] Create temporary CSR file in /run instead of /tmp
From: Maximiliano Sandoval @ 2026-03-17 13:57 UTC (permalink / raw)
  To: Arthur Bied-Charreton; +Cc: pve-devel

Arthur Bied-Charreton <a.bied-charreton@proxmox.com> writes:

> Creating temp files in a world-writable directory such as /tmp could expose 
> the config generation to symlink races. Use /run directory instead.
>
> As suggested here:
> https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t
>
> Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
> ---
>  src/PVE/Cluster/Setup.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
> index b9cacfd..5ed85ad 100644
> --- a/src/PVE/Cluster/Setup.pm
> +++ b/src/PVE/Cluster/Setup.pm
> @@ -504,7 +504,7 @@ sub gen_pve_ssl_cert {
>          $names .= ",DNS:$fqdn";
>      }
>  
> -    my $reqfn = "/tmp/pvecertreq-$$.tmp";
> +    my $reqfn = "/run/pvecertreq-$$.tmp";

Note that the cluster filesystem already creates a RUNDIR owned by
root:www-data with 710 permissions under /run/pve-cluster.

Perhaps that is more appropriate?

NOTE: It is a bit odd that in pmxcfs.c there is an explicit call to
mkdir(RUNDIR, 0755), but in practice it appears as 710.

>      unlink $reqfn;
>  
>      my $pvessl_key_fn = "$pmxcfs_base_dir/nodes/$nodename/pve-ssl.key";

-- 
Maximiliano

* Re: [pve-devel] [PATCH pve-cluster v2 3/3] Create temporary CSR file in /run instead of /tmp
From: Arthur Bied-Charreton @ 2026-03-17 14:25 UTC (permalink / raw)
  To: Maximiliano Sandoval; +Cc: pve-devel

On Tue, Mar 17, 2026 at 02:57:21PM +0100, Maximiliano Sandoval wrote:
> Arthur Bied-Charreton <a.bied-charreton@proxmox.com> writes:
> 
> > Creating temp files in a world-writable directory such as /tmp could expose 
> > the config generation to symlink races. Use /run directory instead.
> >
> > As suggested here:
> > https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t
> >
> > Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> > Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
> > ---
> >  src/PVE/Cluster/Setup.pm | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
> > index b9cacfd..5ed85ad 100644
> > --- a/src/PVE/Cluster/Setup.pm
> > +++ b/src/PVE/Cluster/Setup.pm
> > @@ -504,7 +504,7 @@ sub gen_pve_ssl_cert {
> >          $names .= ",DNS:$fqdn";
> >      }
> >  
> > -    my $reqfn = "/tmp/pvecertreq-$$.tmp";
> > +    my $reqfn = "/run/pvecertreq-$$.tmp";
> 
> Note that the cluster filesystem already creates a RUNDIR owned by
> root:www-data with 710 permissions under /run/pve-cluster.
> 
> Perhaps that is more appropriate?
Did not know about this, thanks! Sent a v3:
https://lore.proxmox.com/pve-devel/20260317142206.482976-1-a.bied-charreton@proxmox.com/T/#u
> 
> NOTE: It is a bit odd that in the pmxcfs.c there is an explicit call
> mkdir(RUNDIR, 0755), but in practice it appears as 710.
> 
> >      unlink $reqfn;
> >  
> >      my $pvessl_key_fn = "$pmxcfs_base_dir/nodes/$nodename/pve-ssl.key";
> 
> -- 
> Maximiliano

* Re: [pve-devel] [PATCH pve-cluster v2 1/3] fix #6701: Add keyUsage extension to root CA
From: Arthur Bied-Charreton @ 2026-03-17 14:26 UTC (permalink / raw)
  To: Maximiliano Sandoval; +Cc: pve-devel

On Tue, Mar 17, 2026 at 01:58:33PM +0100, Maximiliano Sandoval wrote:
> Arthur Bied-Charreton <a.bied-charreton@proxmox.com> writes:
> 
> > Add the keyUsage[1] extension to the PVE root CA to comply with RFC
> > 5280, which Python decided to enforce as of 3.13 by adding the
> > VERIFY_X509_STRICT flag, which breaks some clients like Ansible.
> 
> If there is a v2, it would be good to mention that this flag
> (ssl.VERIFY_X509_STRICT) comes from python's [ssl] module. And that the
> change of behavior in 3.13 is documented at [create_default_context].
> 
> [ssl] https://docs.python.org/3/library/ssl.html
> [create_default_context] https://docs.python.org/3/library/ssl.html#ssl.create_default_context
> 
I saw this right after sending the v3 :/ Good point! Maybe this could be
fixed up when applying if nothing else comes up?
> >
> > The authorityKeyIdentifier[2] and subjectKeyIdentifier[3] extensions are
> > required by RFC 5280 as well, however OpenSSL adds them in by default
> > based on /etc/ssl/openssl.cnf, so there is no need for explicitly
> > passing them.
> >
> > Test script:
> > ```
> > import socket, ssl
> >
> > ctx = ssl.create_default_context(cafile="/etc/pve/pve-root-ca.pem")
> > ctx.wrap_socket(socket.create_connection(("localhost", 8006)),
> > server_hostname="localhost")
> > print("success")
> > ```
> >
> > [1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
> > [2] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1
> > [3] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.2
> >
> > Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> > Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
> > ---
> >  src/PVE/Cluster/Setup.pm | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
> > index 75d3507..4f528ba 100644
> > --- a/src/PVE/Cluster/Setup.pm
> > +++ b/src/PVE/Cluster/Setup.pm
> > @@ -439,6 +439,8 @@ sub gen_pveca_cert {
> >              '-new',
> >              '-x509',
> >              '-nodes',
> > +            '-addext',
> > +            'keyUsage=critical,keyCertSign,cRLSign',
> >              '-key',
> >              $pveca_key_fn,
> >              '-out',
> 
> -- 
> Maximiliano

* superseded: [PATCH pve-cluster v2 0/3] fix #6701: Update PVE cert generation
From: Arthur Bied-Charreton @ 2026-03-17 14:27 UTC (permalink / raw)
  To: pve-devel

On Mon, Jan 26, 2026 at 10:55:42AM +0100, Arthur Bied-Charreton wrote:
> The main fix (1/3) adds the keyUsage extension to PVE's root CA, which
> is required by RFC 5280.
> 
> {2,3}/3 address review feedback [1] by eliminating temporary config
> files and moving temp file creation from /tmp to /run to prevent symlink
> races.
> 
> More details in the commit messages.
> 
> [1]
> https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t
> 
> Arthur Bied-Charreton (3):
>   fix #6701: Add keyUsage extension to root CA
>   Convert SSL cert generation config to CLI arguments
>   Create temporary CSR file in /run instead of /tmp
> 
>  src/PVE/Cluster/Setup.pm | 45 +++++++++++-----------------------------
>  1 file changed, 12 insertions(+), 33 deletions(-)
> 
> -- 
> 2.47.3
> 
> 
Superseded by: https://lore.proxmox.com/pve-devel/20260317142206.482976-1-a.bied-charreton@proxmox.com/T/#u
