* [PATCH cluster v3 0/3] fix #6701: Add keyUsage extension to root CA
@ 2026-03-17 14:20 Arthur Bied-Charreton
2026-03-17 14:20 ` [PATCH pve-cluster v3 1/3] " Arthur Bied-Charreton
` (3 more replies)
0 siblings, 4 replies; 7+ messages in thread
From: Arthur Bied-Charreton @ 2026-03-17 14:20 UTC (permalink / raw)
To: pve-devel
The main fix (1/3) adds the keyUsage extension to PVE's root CA, which
is required by RFC 5280.
{2,3}/3 address review feedback [0] by eliminating temporary config
files and moving temp file creation from /tmp to /run/pve-cluster to prevent symlink
races.
More details in the commit messages.
Changes since v2:
Create temp file in /run/pve-cluster instead of /run, as suggested by
Maximiliano here [1]
[0]
https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t
[1]
https://lore.proxmox.com/pve-devel/s8o7brad0e6.fsf@toolbox/
Arthur Bied-Charreton (3):
fix #6701: Add keyUsage extension to root CA
Convert SSL cert generation config to CLI arguments
Create temporary CSR file in /run instead of /tmp
src/PVE/Cluster/Setup.pm | 45 +++++++++++-----------------------------
1 file changed, 12 insertions(+), 33 deletions(-)
--
2.47.3
^ permalink raw reply [flat|nested] 7+ messages in thread* [PATCH pve-cluster v3 1/3] fix #6701: Add keyUsage extension to root CA 2026-03-17 14:20 [PATCH cluster v3 0/3] fix #6701: Add keyUsage extension to root CA Arthur Bied-Charreton @ 2026-03-17 14:20 ` Arthur Bied-Charreton 2026-03-17 14:20 ` [PATCH pve-cluster v3 2/3] Convert SSL cert generation config to CLI arguments Arthur Bied-Charreton ` (2 subsequent siblings) 3 siblings, 0 replies; 7+ messages in thread From: Arthur Bied-Charreton @ 2026-03-17 14:20 UTC (permalink / raw) To: pve-devel Add the keyUsage[1] extension to the PVE root CA to comply with RFC 5280, which Python decided to enforce as of 3.13 by adding the VERIFY_X509_STRICT flag, which breaks some clients like Ansible. The authorityKeyIdentifier[2] and subjectKeyIdentifier[3] extensions are required by RFC 5280 as well, however OpenSSL adds them in by default based on /etc/ssl/openssl.cnf, so there is no need for explicitly passing them. Test script: ``` import socket, ssl ctx = ssl.create_default_context(cafile="/etc/pve/pve-root-ca.pem") ctx.wrap_socket(socket.create_connection(("localhost", 8006)), server_hostname="localhost") print("success") ``` [1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3 [2] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1 [3] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.2 Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com> --- src/PVE/Cluster/Setup.pm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm index 75d3507..4f528ba 100644 --- a/src/PVE/Cluster/Setup.pm +++ b/src/PVE/Cluster/Setup.pm @@ -439,6 +439,8 @@ sub gen_pveca_cert { '-new', '-x509', '-nodes', + '-addext', + 'keyUsage=critical,keyCertSign,cRLSign', '-key', $pveca_key_fn, '-out', -- 2.47.3 ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH pve-cluster v3 2/3] Convert SSL cert generation config to CLI arguments 2026-03-17 14:20 [PATCH cluster v3 0/3] fix #6701: Add keyUsage extension to root CA Arthur Bied-Charreton 2026-03-17 14:20 ` [PATCH pve-cluster v3 1/3] " Arthur Bied-Charreton @ 2026-03-17 14:20 ` Arthur Bied-Charreton 2026-03-17 16:00 ` Thomas Lamprecht 2026-03-17 14:20 ` [PATCH pve-cluster v3 3/3] Create temporary CSR file in /run instead of /tmp Arthur Bied-Charreton 2026-03-17 16:56 ` superseded: [PATCH cluster v3 0/3] fix #6701: Add keyUsage extension to root CA Arthur Bied-Charreton 3 siblings, 1 reply; 7+ messages in thread From: Arthur Bied-Charreton @ 2026-03-17 14:20 UTC (permalink / raw) To: pve-devel Replace temporary OpenSSL config file with direct CLI arguments in PVE node SSL cert generation. Changes: - Use '-subj' flag for distinguished name - Use '-addext' flag for cert extensions - Use '-copy_extensions copyall' to copy extensions from CSR to cert - Remove temp config file and cleanup code As suggested here: https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com> --- src/PVE/Cluster/Setup.pm | 41 +++++++++------------------------------- 1 file changed, 9 insertions(+), 32 deletions(-) diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm index 4f528ba..b9cacfd 100644 --- a/src/PVE/Cluster/Setup.pm +++ b/src/PVE/Cluster/Setup.pm @@ -504,33 +504,6 @@ sub gen_pve_ssl_cert { $names .= ",DNS:$fqdn"; } - my $sslconf = <<__EOD; -RANDFILE = /root/.rnd -extensions = v3_req - -[ req ] -default_bits = 2048 -distinguished_name = req_distinguished_name -req_extensions = v3_req -prompt = no -string_mask = nombstr - -[ req_distinguished_name ] -organizationalUnitName = PVE Cluster Node -organizationName = Proxmox Virtual Environment -commonName = $fqdn - -[ v3_req ] -basicConstraints = CA:FALSE -extendedKeyUsage = serverAuth -subjectAltName = $names -__EOD - - my $cfgfn = "/tmp/pvesslconf-$$.tmp"; - my $fh = IO::File->new($cfgfn, "w"); - print $fh $sslconf; - close($fh); - my $reqfn = "/tmp/pvecertreq-$$.tmp"; unlink $reqfn; @@ -541,18 +514,23 @@ __EOD 'req', '-batch', '-new', - '-config', - $cfgfn, '-key', $pvessl_key_fn, '-out', $reqfn, + '-subj', + "/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=$fqdn", + '-addext', + 'basicConstraints=CA:FALSE', + '-addext', + 'extendedKeyUsage=serverAuth', + '-addext', + "subjectAltName=$names", ]); }; if (my $err = $@) { unlink $reqfn; - unlink $cfgfn; die "unable to generate pve certificate request:\n$err"; } @@ -581,13 +559,12 @@ __EOD 'openssl', 'x509', '-req', '-in', $reqfn, '-days', $daysleft, '-out', $pvessl_cert_fn, '-CAkey', $pveca_key_fn, '-CA', $pveca_cert_fn, '-CAserial', $pveca_srl_fn, - '-extfile', $cfgfn, + '-copy_extensions', 'copyall', ]); }; my $err = $@; unlink $reqfn or $!{ENOENT} or warn "failed to clean up '$reqfn' - $!"; - unlink $cfgfn or $!{ENOENT} or warn "failed to clean up '$cfgfn' - $!"; die "unable to generate pve ssl certificate:\n$err" if $err; } -- 2.47.3 ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH pve-cluster v3 2/3] Convert SSL cert generation config to CLI arguments 2026-03-17 14:20 ` [PATCH pve-cluster v3 2/3] Convert SSL cert generation config to CLI arguments Arthur Bied-Charreton @ 2026-03-17 16:00 ` Thomas Lamprecht 2026-03-17 16:07 ` Arthur Bied-Charreton 0 siblings, 1 reply; 7+ messages in thread From: Thomas Lamprecht @ 2026-03-17 16:00 UTC (permalink / raw) To: Arthur Bied-Charreton, pve-devel Am 17.03.26 um 15:22 schrieb Arthur Bied-Charreton: > Replace temporary OpenSSL config file with direct CLI arguments in PVE > node SSL cert generation. > > Changes: > - Use '-subj' flag for distinguished name > - Use '-addext' flag for cert extensions > - Use '-copy_extensions copyall' to copy extensions from CSR to cert > - Remove temp config file and cleanup code IMO an odd way to write a commit message, especially as I can see most of that from checking the, well, actual changes below... And only some parts got picked out. Also, the 2048 bit is just silently dropped, is that implied somewhere? Such things should be actually mentioned. Please recheck all settings yourself to ensure this is a complete change. > As suggested here: > https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t would be good to include some actual rationale, not just the link, as unlike the changes described above I cannot just get that from the diff or rest of the commit's info. > > Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com> > --- > src/PVE/Cluster/Setup.pm | 41 +++++++++------------------------------- > 1 file changed, 9 insertions(+), 32 deletions(-) > > diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm > index 4f528ba..b9cacfd 100644 > --- a/src/PVE/Cluster/Setup.pm > +++ b/src/PVE/Cluster/Setup.pm > @@ -504,33 +504,6 @@ sub gen_pve_ssl_cert { > $names .= ",DNS:$fqdn"; > } > > - my $sslconf = <<__EOD; > -RANDFILE = /root/.rnd > -extensions = v3_req > - > -[ req ] > -default_bits = 2048 > -distinguished_name = req_distinguished_name > -req_extensions = v3_req > -prompt = no > -string_mask = nombstr > - > -[ req_distinguished_name ] > -organizationalUnitName = PVE Cluster Node > -organizationName = Proxmox Virtual Environment > -commonName = $fqdn > - > -[ v3_req ] > -basicConstraints = CA:FALSE > -extendedKeyUsage = serverAuth > -subjectAltName = $names > -__EOD > - > - my $cfgfn = "/tmp/pvesslconf-$$.tmp"; > - my $fh = IO::File->new($cfgfn, "w"); > - print $fh $sslconf; > - close($fh); > - > my $reqfn = "/tmp/pvecertreq-$$.tmp"; > unlink $reqfn; > > @@ -541,18 +514,23 @@ __EOD > 'req', > '-batch', > '-new', > - '-config', > - $cfgfn, > '-key', > $pvessl_key_fn, > '-out', > $reqfn, > + '-subj', > + "/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=$fqdn", > + '-addext', > + 'basicConstraints=CA:FALSE', > + '-addext', > + 'extendedKeyUsage=serverAuth', > + '-addext', > + "subjectAltName=$names", > ]); > }; > > if (my $err = $@) { > unlink $reqfn; > - unlink $cfgfn; > die "unable to generate pve certificate request:\n$err"; > } > > @@ -581,13 +559,12 @@ __EOD > 'openssl', 'x509', '-req', '-in', $reqfn, '-days', $daysleft, '-out', > $pvessl_cert_fn, > '-CAkey', $pveca_key_fn, '-CA', $pveca_cert_fn, '-CAserial', $pveca_srl_fn, > - '-extfile', $cfgfn, > + '-copy_extensions', 'copyall', > ]); > }; > my $err = $@; > > unlink $reqfn or $!{ENOENT} or warn "failed to clean up '$reqfn' - $!"; > - unlink $cfgfn or $!{ENOENT} or warn "failed to clean up '$cfgfn' - $!"; > > die "unable to generate pve ssl certificate:\n$err" if $err; > } ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH pve-cluster v3 2/3] Convert SSL cert generation config to CLI arguments 2026-03-17 16:00 ` Thomas Lamprecht @ 2026-03-17 16:07 ` Arthur Bied-Charreton 0 siblings, 0 replies; 7+ messages in thread From: Arthur Bied-Charreton @ 2026-03-17 16:07 UTC (permalink / raw) To: Thomas Lamprecht; +Cc: pve-devel On Tue, Mar 17, 2026 at 05:00:20PM +0100, Thomas Lamprecht wrote: > Am 17.03.26 um 15:22 schrieb Arthur Bied-Charreton: > > Replace temporary OpenSSL config file with direct CLI arguments in PVE > > node SSL cert generation. > > > > Changes: > > - Use '-subj' flag for distinguished name > > - Use '-addext' flag for cert extensions > > - Use '-copy_extensions copyall' to copy extensions from CSR to cert > > - Remove temp config file and cleanup code > > IMO an odd way to write a commit message, especially as I can see most of > that from checking the, well, actual changes below... And only some parts > got picked out. > Good point, will rewrite this. > Also, the 2048 bit is just silently dropped, is that implied somewhere? > Such things should be actually mentioned. Please recheck all settings > yourself to ensure this is a complete change. > Yes, 2048 is the default (/etc/ssl/openssl.cnf). I should have made that clear in the commit message. Will add it in v4. > > As suggested here: > > https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t > > would be good to include some actual rationale, not just the link, as > unlike the changes described above I cannot just get that from the diff > or rest of the commit's info. > Thanks for the feedback! > > > > > > Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com> > > --- > > src/PVE/Cluster/Setup.pm | 41 +++++++++------------------------------- > > 1 file changed, 9 insertions(+), 32 deletions(-) > > > > diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm > > index 4f528ba..b9cacfd 100644 > > --- a/src/PVE/Cluster/Setup.pm > > +++ b/src/PVE/Cluster/Setup.pm > > @@ -504,33 +504,6 @@ sub gen_pve_ssl_cert { > > $names .= ",DNS:$fqdn"; > > } > > > > - my $sslconf = <<__EOD; > > -RANDFILE = /root/.rnd > > -extensions = v3_req > > - > > -[ req ] > > -default_bits = 2048 > > -distinguished_name = req_distinguished_name > > -req_extensions = v3_req > > -prompt = no > > -string_mask = nombstr > > - > > -[ req_distinguished_name ] > > -organizationalUnitName = PVE Cluster Node > > -organizationName = Proxmox Virtual Environment > > -commonName = $fqdn > > - > > -[ v3_req ] > > -basicConstraints = CA:FALSE > > -extendedKeyUsage = serverAuth > > -subjectAltName = $names > > -__EOD > > - > > - my $cfgfn = "/tmp/pvesslconf-$$.tmp"; > > - my $fh = IO::File->new($cfgfn, "w"); > > - print $fh $sslconf; > > - close($fh); > > - > > my $reqfn = "/tmp/pvecertreq-$$.tmp"; > > unlink $reqfn; > > > > @@ -541,18 +514,23 @@ __EOD > > 'req', > > '-batch', > > '-new', > > - '-config', > > - $cfgfn, > > '-key', > > $pvessl_key_fn, > > '-out', > > $reqfn, > > + '-subj', > > + "/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=$fqdn", > > + '-addext', > > + 'basicConstraints=CA:FALSE', > > + '-addext', > > + 'extendedKeyUsage=serverAuth', > > + '-addext', > > + "subjectAltName=$names", > > ]); > > }; > > > > if (my $err = $@) { > > unlink $reqfn; > > - unlink $cfgfn; > > die "unable to generate pve certificate request:\n$err"; > > } > > > > @@ -581,13 +559,12 @@ __EOD > > 'openssl', 'x509', '-req', '-in', $reqfn, '-days', $daysleft, '-out', > > $pvessl_cert_fn, > > '-CAkey', $pveca_key_fn, '-CA', $pveca_cert_fn, '-CAserial', $pveca_srl_fn, > > - '-extfile', $cfgfn, > > + '-copy_extensions', 'copyall', > > ]); > > }; > > my $err = $@; > > > > unlink $reqfn or $!{ENOENT} or warn "failed to clean up '$reqfn' - $!"; > > - unlink $cfgfn or $!{ENOENT} or warn "failed to clean up '$cfgfn' - $!"; > > > > die "unable to generate pve ssl certificate:\n$err" if $err; > > } > ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH pve-cluster v3 3/3] Create temporary CSR file in /run instead of /tmp 2026-03-17 14:20 [PATCH cluster v3 0/3] fix #6701: Add keyUsage extension to root CA Arthur Bied-Charreton 2026-03-17 14:20 ` [PATCH pve-cluster v3 1/3] " Arthur Bied-Charreton 2026-03-17 14:20 ` [PATCH pve-cluster v3 2/3] Convert SSL cert generation config to CLI arguments Arthur Bied-Charreton @ 2026-03-17 14:20 ` Arthur Bied-Charreton 2026-03-17 16:56 ` superseded: [PATCH cluster v3 0/3] fix #6701: Add keyUsage extension to root CA Arthur Bied-Charreton 3 siblings, 0 replies; 7+ messages in thread From: Arthur Bied-Charreton @ 2026-03-17 14:20 UTC (permalink / raw) To: pve-devel As suggested here [0], creating temp files in a world-writable directory such as /tmp could expose the config generation to symlink races. Use the /run/pve-cluster directory instead, which is the rundir created by the cluster filesystem for this purpose [1]. [0] https://lore.proxmox.com/pve-devel/20260123195300.0ae7fcc9@rosa.proxmox.com/T/#t [1] https://lore.proxmox.com/pve-devel/s8o7brad0e6.fsf@toolbox/ Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com> Suggested-by: Maximiliano Sandoval <m.sandoval@proxmox.com> Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com> --- src/PVE/Cluster/Setup.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm index b9cacfd..e718611 100644 --- a/src/PVE/Cluster/Setup.pm +++ b/src/PVE/Cluster/Setup.pm @@ -504,7 +504,7 @@ sub gen_pve_ssl_cert { $names .= ",DNS:$fqdn"; } - my $reqfn = "/tmp/pvecertreq-$$.tmp"; + my $reqfn = "/run/pve-cluster/pvecertreq-$$.tmp"; unlink $reqfn; my $pvessl_key_fn = "$pmxcfs_base_dir/nodes/$nodename/pve-ssl.key"; -- 2.47.3 ^ permalink raw reply [flat|nested] 7+ messages in thread
* superseded: [PATCH cluster v3 0/3] fix #6701: Add keyUsage extension to root CA 2026-03-17 14:20 [PATCH cluster v3 0/3] fix #6701: Add keyUsage extension to root CA Arthur Bied-Charreton ` (2 preceding siblings ...) 2026-03-17 14:20 ` [PATCH pve-cluster v3 3/3] Create temporary CSR file in /run instead of /tmp Arthur Bied-Charreton @ 2026-03-17 16:56 ` Arthur Bied-Charreton 3 siblings, 0 replies; 7+ messages in thread From: Arthur Bied-Charreton @ 2026-03-17 16:56 UTC (permalink / raw) To: pve-devel superseded by: https://lore.proxmox.com/all/20260317165358.620306-1-a.bied-charreton@proxmox.com/T/#t ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2026-03-17 16:56 UTC | newest] Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2026-03-17 14:20 [PATCH cluster v3 0/3] fix #6701: Add keyUsage extension to root CA Arthur Bied-Charreton 2026-03-17 14:20 ` [PATCH pve-cluster v3 1/3] " Arthur Bied-Charreton 2026-03-17 14:20 ` [PATCH pve-cluster v3 2/3] Convert SSL cert generation config to CLI arguments Arthur Bied-Charreton 2026-03-17 16:00 ` Thomas Lamprecht 2026-03-17 16:07 ` Arthur Bied-Charreton 2026-03-17 14:20 ` [PATCH pve-cluster v3 3/3] Create temporary CSR file in /run instead of /tmp Arthur Bied-Charreton 2026-03-17 16:56 ` superseded: [PATCH cluster v3 0/3] fix #6701: Add keyUsage extension to root CA Arthur Bied-Charreton
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox