[pve-devel] [PATCH manager/cluster v2] improve handling of issued certificates

Dominik Csapak d.csapak at proxmox.com
Tue Nov 26 11:01:21 CET 2019


this series enabled auto-renewing of our self issued certificates
by checking the expiry time daily with 'pveupdate' and
renewing it if it expires in less than 2 weeks

also reduce the initial lifetime of the certificates to two years

this fixes an issue where some os/browsers (macOs Catalina) would
reject the certificate with the error: 'REVOKED' since
they have now stricter rules for certificates

since other os/browsers will probably also make the rules stricter,
it makes sense to shorten the time

changes from v1:
* rebase on master
* check only if the cert expires soon (to avoid noise)
* drop the requirement of a PVE issued CA
* limit the length of the renewal also by the expiry date of the ca

pve-manager:

Dominik Csapak (1):
  renew pve-ssl.pem when it nearly expires

 PVE/CertHelpers.pm |  6 ++++++
 bin/pveupdate      | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)

pve-cluster:

Dominik Csapak (1):
  change certificate lifetime to two years

 data/PVE/Cluster/Setup.pm | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

-- 
2.20.1





More information about the pve-devel mailing list