[pve-devel] [PATCH cluster] fix #904: wrap openssl with faketime

Fabian Grünbichler f.gruenbichler at proxmox.com
Fri Mar 11 09:37:19 CET 2016


This should prevent issues when generating certificates on
first boot of a node with the RTC wrongly set to the local
timezone instead of UTC. Since we cannot require the node to
be synchronized with an NTP server, we pretend it's
yesterday when calling openssl.
---
 data/PVE/Cluster.pm | 14 ++++++++------
 debian/control      |  4 ++--
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/data/PVE/Cluster.pm b/data/PVE/Cluster.pm
index b241662..8866217 100644
--- a/data/PVE/Cluster.pm
+++ b/data/PVE/Cluster.pm
@@ -184,8 +184,9 @@ sub gen_pveca_cert {
     my $nid = (split (/\s/, `md5sum '$pveca_key_fn'`))[0] || time();
 
     eval {
-	run_silent_cmd(['openssl', 'req', '-batch', '-days', '3650', '-new',
-			'-x509', '-nodes', '-key',
+	# wrap openssl with faketime to prevent bug #904
+	run_silent_cmd(['faketime', 'yesterday', 'openssl', 'req', '-batch',
+			'-days', '3650', '-new', '-x509', '-nodes', '-key',
 			$pveca_key_fn, '-out', $pveca_cert_fn, '-subj',
 			"/CN=Proxmox Virtual Environment/OU=$nid/O=PVE Cluster Manager CA/"]);
     };
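Review bot: The new comment on the `faketime` line only cites a tracker number, so the next reader has to look up #904 to learn why a CA certificate is deliberately backdated; the reasoning from the commit message belongs in the code, e.g. `# backdate by one day: on first boot the RTC may hold local time instead of UTC and NTP is not guaranteed, so without this the CA cert could be "not yet valid" locally`. It is also worth stating the limit of the workaround next to it: a one-day offset covers the local-time-vs-UTC skew described, but not a clock that is wrong by more than a day, and the `-days 3650` expiry is now measured from the faked time as well. Since faketime is, as far as I know, an LD_PRELOAD-based wrapper, a missing or non-functional faketime now fails CA generation outright rather than falling back to plain openssl; that is presumably acceptable given the new package dependency, but the error reported by the surrounding `eval` will name openssl, not faketime. gen_pveca_cert starts before this hunk and its error handling continues after it.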
@@ -298,10 +299,11 @@ __EOD
     update_serial("0000000000000000") if ! -f $pveca_srl_fn;
 
     eval {
-	run_silent_cmd(['openssl', 'x509', '-req', '-in', $reqfn, '-days', '3650',
-			'-out', $pvessl_cert_fn, '-CAkey', $pveca_key_fn,
-			'-CA', $pveca_cert_fn, '-CAserial', $pveca_srl_fn,
-			'-extfile', $cfgfn]);
+	# wrap openssl with faketime to prevent bug #904
+	run_silent_cmd(['faketime', 'yesterday', 'openssl', 'x509', '-req',
+			'-in', $reqfn, '-days', '3650', '-out', $pvessl_cert_fn,
+			'-CAkey', $pveca_key_fn, '-CA', $pveca_cert_fn,
+			'-CAserial', $pveca_srl_fn, '-extfile', $cfgfn]);
     };
 
     if (my $err = $@) {
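Review bot: The `['faketime', 'yesterday', 'openssl', ...]` prefix is now duplicated verbatim between this hunk and the CA-generation call above, so a future change to the offset or the wrapper has to be made in two places. A single shared definition would keep them in lock-step, e.g. `my $openssl_cmd = ['faketime', 'yesterday', 'openssl'];` at file scope and `run_silent_cmd([@$openssl_cmd, 'x509', '-req', ...])` here, with the backdating rationale documented once at that definition instead of a bare "bug #904" comment at each call site. The comment on the new line should also say what the one-day backdating buys for a signed node certificate (the notBefore of the node cert tolerates the same RTC skew as the CA's) rather than only the bug number. The enclosing function starts and ends outside this hunk.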
diff --git a/debian/control b/debian/control
index dd6273e..df577fd 100644
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Standards-Version: 3.7.3
 Package: pve-cluster
 Architecture: any
 Pre-Depends: ${misc:Pre-Depends}
-Depends: ${shlibs:Depends}, ${misc:Depends}, ${perl:Depends}, perlapi-5.20.0, rsync, libsqlite3-0, sqlite3, libfuse2 (>= 2.9.2-4), fuse, corosync-pve (>= 2.3.4-1), libqb0 (>= 0.17.1-1), libpve-common-perl, libglib2.0-0 (>= 2.42.1-1), rsyslog, openssl, librrd4, librrds-perl, rrdcached, libdigest-hmac-perl, libxml-parser-perl, systemd
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${perl:Depends}, perlapi-5.20.0, rsync, libsqlite3-0, sqlite3, libfuse2 (>= 2.9.2-4), fuse, corosync-pve (>= 2.3.4-1), libqb0 (>= 0.17.1-1), libpve-common-perl, libglib2.0-0 (>= 2.42.1-1), rsyslog, openssl, librrd4, librrds-perl, rrdcached, libdigest-hmac-perl, libxml-parser-perl, systemd, faketime
 Description: Cluster Infrastructure for Proxmox Virtual Environment
  This package contains the Cluster Infrastructure for the Proxmox
  Virtual Environment, namely a distributed filesystem to store
-- 
2.1.4




