[pve-devel] applied: [PATCH cluster v2 1/1] change certificate lifetime to two years

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Nov 26 13:11:49 CET 2019


On 11/26/19 11:01 AM, Dominik Csapak wrote:
> instead of 10 years, to avoid issues with browsers/os that reject
> certificates which have a longer lifetime
> (e.g. macOS Catalina only accepts max 825 days if issued after July 2019)
> 
> also limit the lifetime by the expiry date of the ca, since
> a certificate cannot be valid longer than its ca
> 
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
> changes from v1:
> * limit by expiry date of ca also
> 
>  data/PVE/Cluster/Setup.pm | 20 +++++++++++++++++++-
>  1 file changed, 19 insertions(+), 1 deletion(-)
> 
> diff --git a/data/PVE/Cluster/Setup.pm b/data/PVE/Cluster/Setup.pm
> index 81e3ef8..7b3bc31 100644
> --- a/data/PVE/Cluster/Setup.pm
> +++ b/data/PVE/Cluster/Setup.pm
> @@ -18,6 +18,7 @@ use PVE::INotify;
>  use PVE::JSONSchema;
>  use PVE::Network;
>  use PVE::Tools;
> +use PVE::Certificate;
>  
>  my $pmxcfs_base_dir = PVE::Cluster::base_dir();
>  my $pmxcfs_auth_dir = PVE::Cluster::auth_dir();
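Review bot: the new `use PVE::Certificate;` is appended after `use PVE::Tools;`, which breaks the alphabetical ordering the surrounding `use PVE::...` lines keep; move it up before `use PVE::INotify;` so the import block stays sorted.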
> @@ -488,10 +489,27 @@ __EOD
>  
>      update_serial("0000000000000000") if ! -f $pveca_srl_fn;
>  
> +    # get ca expiry
> +    my $cainfo = PVE::Certificate::get_certificate_info($pveca_cert_fn);
> +    my $daysleft = int(($cainfo->{notafter} - time())/(24*60*60));
> +
> +    if ($daysleft < 14) {
> +	die "CA expires in less than 2 weeks, unable to generate certificate.\n";
> +    }
> +
> +    # let the certificate expire a little sooner that the ca, so subtract 2 days
> +    $daysleft -= 2;
> +
> +    # we want the certificates to only last 2 years, since some browsers
> +    # do not accept certificates with very long expiry time
> +    if ($daysleft >= 2*365) {
> +	$daysleft = 2*365;
> +    }
> +
>      eval {
>  	# wrap openssl with faketime to prevent bug #904
>  	run_silent_cmd(['faketime', 'yesterday', 'openssl', 'x509', '-req',
> -			'-in', $reqfn, '-days', '3650', '-out', $pvessl_cert_fn,
> +			'-in', $reqfn, '-days', $daysleft, '-out', $pvessl_cert_fn,
>  			'-CAkey', $pveca_key_fn, '-CA', $pveca_cert_fn,
>  			'-CAserial', $pveca_srl_fn, '-extfile', $cfgfn]);
>      };
> 
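Review bot: the comment on the `$daysleft -= 2;` line reads "sooner that the ca"; it should be "sooner than the ca". It is also worth stating in that comment that openssl runs under `faketime 'yesterday'`, so notBefore is already one day in the past and the effective gap between the leaf's notAfter and the CA's expiry is roughly three days, not two; the value is still safely inside the CA's validity, but the next reader will otherwise wonder why the margin does not match the `-days` argument. Finally, `$cainfo->{notafter}` is used as a raw epoch value without a definedness check; if `get_certificate_info` ever returns the field unset, the subtraction yields a large negative `$daysleft` and the code dies with the misleading "expires in less than 2 weeks" message rather than reporting an unreadable CA.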

applied, thanks!
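The lifetime clamp from the patch, re-implemented here in Python as an added example (not code from the patch or from Proxmox), together with the check a defender would run on an issued certificate: all timestamps are POSIX seconds, and the `faketime 'yesterday'` shift is modelled as a notBefore one day in the past.

```python
import datetime

DAY = 24 * 60 * 60
MIN_CA_DAYS = 14         # the patch refuses to sign when the CA expires within 2 weeks
CA_MARGIN_DAYS = 2       # a leaf must expire a little before its CA
MAX_LEAF_DAYS = 2 * 365  # two-year cap introduced by the patch
CLIENT_LIMIT_DAYS = 825  # limit the commit message cites for macOS Catalina


def leaf_lifetime_days(ca_notafter: int, now: int) -> int:
    """Value the patch passes to 'openssl x509 -days'.

    Both arguments are POSIX timestamps. Raises ValueError where the
    Perl code dies (CA expiring within two weeks, or already expired).
    """
    daysleft = int((ca_notafter - now) / DAY)   # truncates like Perl's int()
    if daysleft < MIN_CA_DAYS:
        raise ValueError("CA expires in less than 2 weeks, unable to generate certificate")
    daysleft -= CA_MARGIN_DAYS
    return min(daysleft, MAX_LEAF_DAYS)


def check_leaf_validity(leaf_notbefore: int, leaf_notafter: int, ca_notafter: int) -> list:
    """Findings for an issued leaf certificate (an empty list means acceptable)."""
    findings = []
    if leaf_notafter > ca_notafter:
        findings.append("leaf outlives its CA")
    if (leaf_notafter - leaf_notbefore) / DAY > CLIENT_LIMIT_DAYS:
        findings.append("validity exceeds 825 days; strict clients will reject it")
    return findings


if __name__ == "__main__":
    # constructed sample: a CA issued for 10 years, checked on 2019-11-26
    now = int(datetime.datetime(2019, 11, 26, tzinfo=datetime.timezone.utc).timestamp())
    ca_notafter = now + 3650 * DAY
    days = leaf_lifetime_days(ca_notafter, now)
    print("days for openssl:", days)   # 730
    # old behaviour (-days 3650) versus the patched value, notBefore under faketime 'yesterday'
    for d in (3650, days):
        print(d, check_leaf_validity(now - DAY, now - DAY + d * DAY, ca_notafter))
```

With the sample CA the old ten-year leaf passes the "outlives its CA" test but fails the 825-day client limit, while the patched two-year leaf passes both.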