[pve-devel] [PATCH cluster v2 1/1] change certificate lifetime to two years
Dominik Csapak
d.csapak at proxmox.com
Tue Nov 26 11:01:23 CET 2019
instead of 10 years, to avoid issues with browsers/os that reject
certificates which have a longer lifetime
(e.g. macOs Catalina only accepts max 825 days if issued after july 2019)
also limit the lifetime by the expiry date of the ca, since
a certificate cannot be valid longer than its ca
Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
changes from v1:
* limit by expiry date of ca also
data/PVE/Cluster/Setup.pm | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/data/PVE/Cluster/Setup.pm b/data/PVE/Cluster/Setup.pm
index 81e3ef8..7b3bc31 100644
--- a/data/PVE/Cluster/Setup.pm
+++ b/data/PVE/Cluster/Setup.pm
@@ -18,6 +18,7 @@ use PVE::INotify;
use PVE::JSONSchema;
use PVE::Network;
use PVE::Tools;
+use PVE::Certificate;
my $pmxcfs_base_dir = PVE::Cluster::base_dir();
my $pmxcfs_auth_dir = PVE::Cluster::auth_dir();
@@ -488,10 +489,27 @@ __EOD
update_serial("0000000000000000") if ! -f $pveca_srl_fn;
+ # get ca expiry
+ my $cainfo = PVE::Certificate::get_certificate_info($pveca_cert_fn);
+ my $daysleft = int(($cainfo->{notafter} - time())/(24*60*60));
+
+ if ($daysleft < 14) {
+ die "CA expires in less than 2 weeks, unable to generate certificate.\n";
+ }
+
+ # let the certificate expire a little sooner that the ca, so subtract 2 days
+ $daysleft -= 2;
+
+ # we want the certificates to only last 2 years, since some browsers
+ # do not accept certificates with very long expiry time
+ if ($daysleft >= 2*365) {
+ $daysleft = 2*365;
+ }
+
eval {
# wrap openssl with faketime to prevent bug #904
run_silent_cmd(['faketime', 'yesterday', 'openssl', 'x509', '-req',
- '-in', $reqfn, '-days', '3650', '-out', $pvessl_cert_fn,
+ '-in', $reqfn, '-days', $daysleft, '-out', $pvessl_cert_fn,
'-CAkey', $pveca_key_fn, '-CA', $pveca_cert_fn,
'-CAserial', $pveca_srl_fn, '-extfile', $cfgfn]);
};
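Review bot: The line `my $daysleft = int(($cainfo->{notafter} - time())/(24*60*60));` assumes `get_certificate_info` always returns a defined `notafter`; if it instead returns a hash without that key for an unreadable or malformed CA file (I can't see the helper's contract from here), the subtraction yields a negative day count and the code dies with the misleading "CA expires in less than 2 weeks" message. I'd guard it first with `die "unable to read expiry date of CA $pveca_cert_fn\n" if !defined($cainfo->{notafter});` so the operator is pointed at the real cause. The two-year cap would also read better as a named value carrying the rationale from the commit message, e.g. `my $max_cert_days = 2*365; # some browsers/OS reject certificates valid longer than 825 days`, used in both the comparison and the assignment. The enclosing function starts and ends outside this hunk.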
--
2.20.1