[pve-devel] [PATCH manager 1/1] renew pve-ssl.pem when it nearly expires
Thomas Lamprecht
t.lamprecht at proxmox.com
Thu Nov 21 13:19:48 CET 2019
On 10/28/19 11:39 AM, Dominik Csapak wrote:
> but only if the ca is ours, and the cert is issued by our ca
> (by checking the issuer and openssl verify)
>
> this way we can reduce the lifetime of the certs without having
> to worry that they ran out
>
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
> PVE/CertHelpers.pm | 6 ++++++
> bin/pveupdate | 33 +++++++++++++++++++++++++++++++++
> 2 files changed, 39 insertions(+)
>
> diff --git a/PVE/CertHelpers.pm b/PVE/CertHelpers.pm
> index 52316aa0..7e088cb9 100644
> --- a/PVE/CertHelpers.pm
> +++ b/PVE/CertHelpers.pm
> @@ -38,6 +38,12 @@ sub cert_path_prefix {
> return "/etc/pve/nodes/${node}/pveproxy-ssl";
> }
>
> +sub default_cert_path_prefix {
> + my ($node) = @_;
> +
> + return "/etc/pve/nodes/${node}/pve-ssl";
> +}
> +
> sub cert_lock {
> my ($timeout, $code, @param) = @_;
>
> diff --git a/bin/pveupdate b/bin/pveupdate
> index 5a42ce73..10b5c8f0 100755
> --- a/bin/pveupdate
> +++ b/bin/pveupdate
> @@ -15,6 +15,7 @@ use PVE::Cluster;
> use PVE::APLInfo;
> use PVE::SafeSyslog;
> use PVE::RPCEnvironment;
> +use PVE::Tools;
> use PVE::API2::Subscription;
> use PVE::API2::APT;
> use PVE::API2::ACME;
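Review bot: only `use PVE::Tools;` is added in this hunk, yet the renewal block further down calls `PVE::Certificate::get_certificate_info`, `PVE::Certificate::check_expiry` and `PVE::CertHelpers::default_cert_path_prefix`. Unless those modules are already pulled in by the existing header (not visible in this hunk), add `use PVE::Certificate;` and `use PVE::CertHelpers;` next to it; a missing use would otherwise only surface at runtime inside the eval and be logged as "Checking/Renewing SSL certificate failed".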
> @@ -72,6 +73,38 @@ eval {
> };
> syslog ('err', "Renewing ACME certificate failed: $@") if $@;
>
> +eval {
> + # get CA and check issuer
> + my $capath = "/etc/pve/pve-root-ca.pem";
> + my $cainfo = PVE::Certificate::get_certificate_info($capath);
> + if ($cainfo->{subject} !~ m|/CN=Proxmox Virtual Environment/.*/O=PVE Cluster Manager CA|) {
> + die "Root CA is not issued by Proxmox VE";
> + }
Hmm, a bit scaremongering for people having their own CA here, not?
This gets in the log _daily_. It could be best to first check expiry,
so that we do not log 2 years (or whatever the users had set as expiry
for their custom cert) for nothing.
Then, maybe a syslog with info/notice level and a hint that the CA won't
get touched as it's not a PVE issued one would be better.
If it's about to expire this could also be made a warning.
> +
> + # get cert and check issuer and chain
> + my $certpath = PVE::CertHelpers::default_cert_path_prefix($nodename).".pem";
> + my $certinfo = PVE::Certificate::get_certificate_info($certpath);
> + if ($certinfo->{issuer} ne $cainfo->{subject}) {
> + die "SSL Certificate is not issued by Proxmox VE root CA";
same here
> + }
> +
> + # check if signed by our ca
what is this comment above?
> + # TODO
> + # replace by low level interface in ssleay if version 1.86 is available
> + PVE::Tools::run_command(['/usr/bin/openssl', 'verify', '-CAfile', $capath, $certpath]);
> +
> + # check if expiry is < 2W
> + if (PVE::Certificate::check_expiry($certpath, time() + 14*24*60*60)) {
> + # create new certificate
> + my $ip = PVE::Cluster::remote_node_ip($nodename);
> + PVE::Cluster::gen_pve_ssl_cert(1, $nodename, $ip);
> + print "Restarting pveproxy\n";
> + PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
> + }
> +};
> +syslog ('err', "Checking/Renewing SSL certificate failed: $@") if $@;
> +
> sub cleanup_tasks {
>
> my $taskdir = "/var/log/pve/tasks";
>
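Review bot: the `print "Restarting pveproxy\n";` inside the renewal branch writes to stdout, while every other status in this block (the ACME block above and the new `syslog ('err', "Checking/Renewing SSL certificate failed: $@") if $@;`) goes through syslog; for a script that runs unattended, log the restart with `syslog('info', ...)` as well so the regeneration of pve-ssl.pem leaves a trace next to the error path. Also, `PVE::Cluster::gen_pve_ssl_cert(1, $nodename, $ip);` is called without taking the `cert_lock` that the first hunk's context in PVE/CertHelpers.pm shows; if gen_pve_ssl_cert does not lock internally, wrap the regenerate-and-reload step in it so a concurrent certificate operation cannot race the daily renewal.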