[pve-devel] [PATCH manager] certs: early renew long-lived certificates

Fabian Grünbichler f.gruenbichler at proxmox.com
Thu Apr 23 12:20:02 CEST 2020


if our self-signed certificate expires in more than 825 days, but was
created after July 2019, it won't be accepted by modern Apple devices. we
fixed the issuance to generate shorter-lived certificates in November
2019; this cleans up the existing ones to fix this and similar future
issues.

two years / 730 days as cut-off was chosen since it's our new maximum
self-signed certificate lifetime, and should thus catch all old-style
certificates.

another positive side-effect is that we can now phase out support for
older certificates faster, e.g. if we want to move to bigger keys,
different signature algorithms, or anything else in that direction.

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
I'd also be fine with reducing both even more, e.g. to 1 year ;)

 bin/pveupdate | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/bin/pveupdate b/bin/pveupdate
index 15a2accc..36ac6814 100755
--- a/bin/pveupdate
+++ b/bin/pveupdate
@@ -79,8 +79,9 @@ eval {
     my $certpath = PVE::CertHelpers::default_cert_path_prefix($nodename).".pem";
     my $capath = "/etc/pve/pve-root-ca.pem";
 
-    # check if expiry is < 2W
-    if (PVE::Certificate::check_expiry($certpath, time() + 14*24*60*60)) {
+    my $renew = sub {
+	my ($msg) = @_;
+
 	# get CA info
 	my $cainfo = PVE::Certificate::get_certificate_info($capath);
 
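Review bot: the new `$renew` sub carries no comment describing what it does, and removing `# check if expiry is < 2W` leaves this block without any documentation of the renewal conditions; since the sub still runs `openssl verify` against the PVE root CA (and `PVE::Tools::run_command` dies on a non-zero exit), a reader cannot tell from the code that a certificate not issued by `$capath` makes the whole `eval` fail. Suggest a short comment above `my $renew = sub {`, e.g. `# renew our CA-issued certificate; dies if $certpath was not issued by $capath`.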
@@ -94,13 +95,21 @@ eval {
 	# TODO: replace by low level ssleay interface if version 1.86 is available
 	PVE::Tools::run_command(['/usr/bin/openssl', 'verify', '-CAfile', $capath, $certpath]);
 
-	print "PVE certificate expires soon, renewing...\n";
+	print "PVE certificate $msg\n";
 	# create new certificate
 	my $ip = PVE::Cluster::remote_node_ip($nodename);
 	PVE::Cluster::Setup::gen_pve_ssl_cert(1, $nodename, $ip);
 
 	print "Restarting pveproxy after renewing certificate\n";
 	PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
+    };
+
+    if (PVE::Certificate::check_expiry($certpath, time() + 14*24*60*60)) {
+	# expires in next 2 weeks
+	$renew->("expires soon, renewing...");
+    } elsif (!PVE::Certificate::check_expiry($certpath, time() + 2*365*24*60*60)) {
+	# expires in more than 2 years
+	$renew->("expires in more than 2 years, renewing to reduce certificate life-span...");
     }
 };
 syslog ('err', "Checking/Renewing SSL certificate failed: $@") if $@;
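Review bot: the new `elsif` branch widens the set of certificates that enter `$renew`, so a certificate at `$certpath` with more than two years left that was not issued by the PVE root CA now hits the `openssl verify` call on every `pveupdate` run and logs `Checking/Renewing SSL certificate failed` at `err` severity each time, where before that only happened in the last two weeks before expiry. Suggest checking issuance by `$capath` before applying the two-year rule, or skipping (and logging at a lower severity) when verification fails. The two thresholds are also written as raw arithmetic (`14*24*60*60`, `2*365*24*60*60`) with `time()` evaluated twice; named constants such as `my $renew_before = 14*24*60*60;` and `my $max_lifetime = 2*365*24*60*60;` next to a comment citing the 825-day limit from the commit message would make the intent clear to the next reader.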
-- 
2.20.1
