[pve-devel] [PATCH manager v2 1/1] renew pve-ssl.pem when it nearly expires

Dominik Csapak d.csapak at proxmox.com
Tue Nov 26 11:01:22 CET 2019


but only if the cert is issued by the ca in /etc/pve/pve-root-ca.pem
(by checking the issuer and openssl verify)

this way we can reduce the lifetime of the certs without having
to worry that they run out

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
changes from v1:
* only make checks if the cert expires soon (to avoid noise)
* do not check if ca is issued by pve (just try it and log if it fails)
* better comments

 PVE/CertHelpers.pm |  6 ++++++
 bin/pveupdate      | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)

diff --git a/PVE/CertHelpers.pm b/PVE/CertHelpers.pm
index 52316aa0..7e088cb9 100644
--- a/PVE/CertHelpers.pm
+++ b/PVE/CertHelpers.pm
@@ -38,6 +38,12 @@ sub cert_path_prefix {
     return "/etc/pve/nodes/${node}/pveproxy-ssl";
 }
 
+sub default_cert_path_prefix {
+    my ($node) = @_;
+
+    return "/etc/pve/nodes/${node}/pve-ssl";
+}
+
 sub cert_lock {
     my ($timeout, $code, @param) = @_;
 
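Review bot: default_cert_path_prefix has no comment saying how it differs from cert_path_prefix directly above it, although both return a per-node certificate path and only the basename changes. From the rest of the patch, pve-ssl.pem appears to be the cluster-CA-issued certificate that pveupdate renews automatically, while pveproxy-ssl is the operator-supplied/ACME one; if that is right, a one-line header such as `# path prefix of the node's default certificate, issued by the cluster CA (pve-root-ca); see cert_path_prefix for the custom/ACME certificate` would stop the two from being confused by callers.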
diff --git a/bin/pveupdate b/bin/pveupdate
index d131673e..4ab4d79e 100755
--- a/bin/pveupdate
+++ b/bin/pveupdate
@@ -12,10 +12,12 @@ use PVE::Certificate;
 use PVE::NodeConfig;
 use PVE::INotify;
 use PVE::Cluster;
+use PVE::Cluster::Setup;
 use PVE::DataCenterConfig;
 use PVE::APLInfo;
 use PVE::SafeSyslog;
 use PVE::RPCEnvironment;
+use PVE::Tools;
 use PVE::API2::Subscription;
 use PVE::API2::APT;
 use PVE::API2::ACME;
@@ -73,6 +75,36 @@ eval {
 };
 syslog ('err', "Renewing ACME certificate failed: $@") if $@;
 
+eval {
+    my $certpath = PVE::CertHelpers::default_cert_path_prefix($nodename).".pem";
+    my $capath = "/etc/pve/pve-root-ca.pem";
+
+    # check if expiry is < 2W
+    if (PVE::Certificate::check_expiry($certpath, time() + 14*24*60*60)) {
+	# get CA info
+	my $cainfo = PVE::Certificate::get_certificate_info($capath);
+
+	# get cert and check issuer and chain metadata
+	my $certinfo = PVE::Certificate::get_certificate_info($certpath);
+	if ($certinfo->{issuer} ne $cainfo->{subject}) {
+	    die "SSL Certificate is not issued by root CA";
+	}
+
+	# check if cert is really signed by the ca
+
+	# TODO
+	# replace by low level interface in ssleay if version 1.86 is available
+	PVE::Tools::run_command(['/usr/bin/openssl', 'verify', '-CAfile', $capath, $certpath]);
+
+	# create new certificate
+	my $ip = PVE::Cluster::remote_node_ip($nodename);
+	PVE::Cluster::Setup::gen_pve_ssl_cert(1, $nodename, $ip);
+	print "Restarting pveproxy after renewing certificate\n";
+	PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
+    }
+};
+syslog ('err', "Checking/Renewing SSL certificate failed: $@") if $@;
+
 sub cleanup_tasks {
 
     my $taskdir = "/var/log/pve/tasks";
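Review bot: The `openssl verify` call on the run_command line rejects certificates whose validity period has already passed, so a pve-ssl.pem that is past its notAfter date (which the `time() + 14*24*60*60` check deliberately includes) makes run_command die before gen_pve_ssl_cert is reached, and the exact case the commit message wants to cover ("without having to worry that they ran out") is only logged via the syslog line and never renewed. Since the purpose here is to confirm the signature chain and not the dates, passing `-no_check_time` (OpenSSL 1.1.0+) as in `PVE::Tools::run_command(['/usr/bin/openssl', 'verify', '-no_check_time', '-CAfile', $capath, $certpath]);` keeps the chain check while allowing an expired certificate to be replaced. Two smaller points: verify prints `…/pve-ssl.pem: OK` to stdout on success, which from a cron job produces the kind of noise v2 tries to avoid, so consider capturing the output (run_command appears to accept an `outfunc` callback for that, please confirm); and gen_pve_ssl_cert is called without the cert_lock helper from PVE::CertHelpers, so if gen_pve_ssl_cert does not take a lock itself, a concurrent renewal or manual regeneration could interleave with this one. The enclosing eval is complete within the hunk; cleanup_tasks continues outside it.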
-- 
2.20.1




