[pve-devel] [PATCH manager/cluster v2] improve handling of issued certificates
Dominik Csapak
d.csapak at proxmox.com
Tue Nov 26 11:01:21 CET 2019
this series enabled auto-renewing of our self-issued certificates
by checking the expiry time daily with 'pveupdate' and
renewing it if it expires in less than 2 weeks

also reduce the initial lifetime of the certificates to two years

this fixes an issue where some OS/browsers (macOS Catalina) would
reject the certificate with the error: 'REVOKED' since
they now have stricter rules for certificates

since other OS/browsers will probably also make the rules stricter,
it makes sense to shorten the time

changes from v1:
* rebase on master
* check only if the cert expires soon (to avoid noise)
* drop the requirement of a PVE issued CA
* limit the length of the renewal also by the expiry date of the CA

pve-manager:

Dominik Csapak (1):
  renew pve-ssl.pem when it nearly expires

 PVE/CertHelpers.pm |  6 ++++++
 bin/pveupdate      | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)

pve-cluster:

Dominik Csapak (1):
  change certificate lifetime to two years

 data/PVE/Cluster/Setup.pm | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

--
2.20.1
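
The renewal policy described in the cover letter above, as an added example in Python; it is not code from the patches (which are Perl) and not the project's implementation. All function names are hypothetical, "two years" is assumed to mean 730 days, and the `notAfter=` lines are constructed samples in the format printed by `openssl x509 -enddate`.

```python
from datetime import datetime, timedelta, timezone

RENEW_WINDOW = timedelta(weeks=2)    # cover letter: renew if it expires in < 2 weeks
MAX_LIFETIME = timedelta(days=730)   # cover letter: two years (730 days is an assumption)


def parse_enddate(line):
    """Parse a 'notAfter=Nov 26 10:01:21 2021 GMT' line into an aware UTC datetime."""
    value = line.strip().split("=", 1)[1]
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def needs_renewal(cert_not_after, now):
    """True when the certificate is expired or has less than two weeks left."""
    return cert_not_after - now < RENEW_WINDOW


def renewal_lifetime(ca_not_after, now):
    """Lifetime for the new certificate, capped by the CA's own expiry.

    Returns None when the CA has already expired, because no certificate
    issued by it could be valid.
    """
    remaining_ca = ca_not_after - now
    if remaining_ca <= timedelta(0):
        return None
    return min(MAX_LIFETIME, remaining_ca)


def daily_check(cert_enddate, ca_enddate, now):
    """One run of the daily job: ('keep' | 'renew' | 'ca-expired', lifetime or None)."""
    if not needs_renewal(parse_enddate(cert_enddate), now):
        return ("keep", None)          # stay quiet when nothing is due
    lifetime = renewal_lifetime(parse_enddate(ca_enddate), now)
    if lifetime is None:
        return ("ca-expired", None)
    return ("renew", lifetime)


# Constructed sample inputs (not taken from a real node).
NOW = datetime(2019, 11, 26, 10, 0, 0, tzinfo=timezone.utc)
LONG_CA = "notAfter=Nov 23 10:00:00 2029 GMT"
SHORT_CA = "notAfter=Jun  1 10:00:00 2020 GMT"
SOON = "notAfter=Dec  5 10:00:00 2019 GMT"

if __name__ == "__main__":
    for ca in (LONG_CA, SHORT_CA):
        print(daily_check(SOON, ca, NOW))
```
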