[pve-devel] [PATCH manager] certs: early renew long-lived certificates

[Dominik Csapak]

LGTM

maybe we should shorten the lifespan to 1 year already?
according to [0], safari on macos will reject certs
that are longer valid than 398 days, when issued on/after
2020-09-01

0: https://support.apple.com/en-us/HT211025

On 4/23/20 12:20 PM, Fabian Grünbichler wrote:
> if our self-signed certificate expires in more than 825 days, but was
> created after July 2019 it won't be accepted by modern Apple devices. we
> fixed the issuance to generate shorter-lived certificates in November
> 2019, this cleans up the existing ones to fix this and similar future
> issues.
> 
> two years / 730 days as cut-off was chosen since it's our new maximum
> self-signed certificate lifetime, and should thus catch all old-style
> certificates.
> 
> another positive side-effect is that we can now phase out support for
> older certificates faster, e.g. if we want to move to bigger keys,
> different signature algorithms, or anything else in that direction.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
> I'd also be fine with reducing both even more, e.g. to 1 year ;)
> 
>   bin/pveupdate | 15 ++++++++++++---
>   1 file changed, 12 insertions(+), 3 deletions(-)
> 
> diff --git a/bin/pveupdate b/bin/pveupdate
> index 15a2accc..36ac6814 100755
> --- a/bin/pveupdate
> +++ b/bin/pveupdate
> @@ -79,8 +79,9 @@ eval {
>       my $certpath = PVE::CertHelpers::default_cert_path_prefix($nodename).".pem";
>       my $capath = "/etc/pve/pve-root-ca.pem";
>   
> -    # check if expiry is < 2W
> -    if (PVE::Certificate::check_expiry($certpath, time() + 14*24*60*60)) {
> +    my $renew = sub {
> +	my ($msg) = @_;
> +
>   	# get CA info
>   	my $cainfo = PVE::Certificate::get_certificate_info($capath);
>   
> @@ -94,13 +95,21 @@ eval {
>   	# TODO: replace by low level ssleay interface if version 1.86 is available
>   	PVE::Tools::run_command(['/usr/bin/openssl', 'verify', '-CAfile', $capath, $certpath]);
>   
> -	print "PVE certificate expires soon, renewing...\n";
> +	print "PVE certificate $msg\n";
>   	# create new certificate
>   	my $ip = PVE::Cluster::remote_node_ip($nodename);
>   	PVE::Cluster::Setup::gen_pve_ssl_cert(1, $nodename, $ip);
>   
>   	print "Restarting pveproxy after renewing certificate\n";
>   	PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
> +    };
> +
> +    if (PVE::Certificate::check_expiry($certpath, time() + 14*24*60*60)) {
> +	# expires in next 2 weeks
> +	$renew->("expires soon, renewing...");
> +    } elsif (!PVE::Certificate::check_expiry($certpath, time() + 2*365*24*60*60)) {
> +	# expires in more than 2 years
> +	$renew->("expires in more than 2 years, renewing to reduce certificate life-span...");
>       }
>   };
>   syslog ('err', "Checking/Renewing SSL certificate failed: $@") if $@;
>