[pve-devel] [PATCH manager] certs: early renew long-lived certificates
Dominik Csapak
d.csapak at proxmox.com
Thu Apr 23 13:07:22 CEST 2020
LGTM
maybe we should shorten the lifespan to 1 year already?
according to [0], safari on macos will reject certs
that are valid for longer than 398 days, when issued on/after
2020-09-01
0: https://support.apple.com/en-us/HT211025
On 4/23/20 12:20 PM, Fabian Grünbichler wrote:
> if our self-signed certificate expires in more than 825 days but was
> created after July 2019, it won't be accepted by modern Apple devices. we
> fixed the issuance to generate shorter-lived certificates in November
> 2019; this cleans up the existing ones to fix this and similar future
> issues.
>
> two years / 730 days as cut-off was chosen since it's our new maximum
> self-signed certificate lifetime, and should thus catch all old-style
> certificates.
>
> another positive side-effect is that we can now phase out support for
> older certificates faster, e.g. if we want to move to bigger keys,
> different signature algorithms, or anything else in that direction.
>
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
> I'd also be fine with reducing both even more, e.g. to 1 year ;)
>
> bin/pveupdate | 15 ++++++++++++---
> 1 file changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/bin/pveupdate b/bin/pveupdate
> index 15a2accc..36ac6814 100755
> --- a/bin/pveupdate
> +++ b/bin/pveupdate
> @@ -79,8 +79,9 @@ eval {
> my $certpath = PVE::CertHelpers::default_cert_path_prefix($nodename).".pem";
> my $capath = "/etc/pve/pve-root-ca.pem";
>
> - # check if expiry is < 2W
> - if (PVE::Certificate::check_expiry($certpath, time() + 14*24*60*60)) {
> + my $renew = sub {
> + my ($msg) = @_;
> +
> # get CA info
> my $cainfo = PVE::Certificate::get_certificate_info($capath);
>
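Review bot: the old `# check if expiry is < 2W` comment goes away here and nothing describes the new closure above `my $renew = sub {`; a one-line comment saying that it verifies the current certificate against the CA, regenerates it and reloads pveproxy would keep this block readable now that the expiry conditions have moved further down.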
> @@ -94,13 +95,21 @@ eval {
> # TODO: replace by low level ssleay interface if version 1.86 is available
> PVE::Tools::run_command(['/usr/bin/openssl', 'verify', '-CAfile', $capath, $certpath]);
>
> - print "PVE certificate expires soon, renewing...\n";
> + print "PVE certificate $msg\n";
> # create new certificate
> my $ip = PVE::Cluster::remote_node_ip($nodename);
> PVE::Cluster::Setup::gen_pve_ssl_cert(1, $nodename, $ip);
>
> print "Restarting pveproxy after renewing certificate\n";
> PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
> + };
> +
> + if (PVE::Certificate::check_expiry($certpath, time() + 14*24*60*60)) {
> + # expires in next 2 weeks
> + $renew->("expires soon, renewing...");
> + } elsif (!PVE::Certificate::check_expiry($certpath, time() + 2*365*24*60*60)) {
> + # expires in more than 2 years
> + $renew->("expires in more than 2 years, renewing to reduce certificate life-span...");
> }
> };
> syslog ('err', "Checking/Renewing SSL certificate failed: $@") if $@;
>
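Review bot: the cut-off in the `elsif` (`time() + 2*365*24*60*60`) has to move together with the issuance lifetime in `gen_pve_ssl_cert`, not independently: the commit message says 730 days is the new maximum, so lowering only this cut-off (e.g. to the 1 year suggested in the reply) would make every freshly issued certificate trip the "expires in more than ..." branch on the next pveupdate run and renew on every run. Conversely, as long as both stay at 730 days, certificates with between 399 and 730 days left are untouched, so the 398-day limit mentioned in the reply is not met by this patch alone. Minor: `14*24*60*60` and `2*365*24*60*60` are two magic numbers in the same `if`/`elsif`; naming them next to each other (e.g. `my $renew_before = 14*24*60*60;` and `my $max_lifetime = 2*365*24*60*60;`) would document the policy in one place and keep the two thresholds from drifting apart.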
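The two-sided check the patch introduces (renew when the certificate expires within 14 days, or when it is still valid more than 730 days from now) can be reproduced against real certificate files with `openssl x509 -checkend`. The script below is an added example written for this page, not code from the Proxmox tree; `check_cert` and `make_cert` are names chosen here, and the certificates it creates are constructed throwaway self-signed ones used only to exercise the three cases.

```shell
#!/bin/sh
# Added example, not Proxmox code: apply the same two renewal thresholds
# as the patch to an arbitrary PEM certificate using the openssl CLI.
#
# `openssl x509 -checkend N` exits 0 when the certificate is still valid
# N seconds from now, and 1 when it will have expired by then.

SOON_SECS=$((14*24*60*60))      # renew if it expires within 2 weeks
MAX_SECS=$((2*365*24*60*60))    # renew if it is valid beyond 2 years

# check_cert FILE
#   prints the renewal reason and returns 0 when FILE should be renewed,
#   prints nothing and returns 1 when it can be kept.
check_cert() {
    cert=$1
    # expired, or expiring within the next two weeks
    if ! openssl x509 -in "$cert" -noout -checkend "$SOON_SECS" >/dev/null 2>&1; then
        echo "expires soon, renewing..."
        return 0
    fi
    # still valid two years from now: longer than the current policy allows
    if openssl x509 -in "$cert" -noout -checkend "$MAX_SECS" >/dev/null 2>&1; then
        echo "expires in more than 2 years, renewing to reduce certificate life-span..."
        return 0
    fi
    return 1
}

# make_cert FILE DAYS
#   constructed demo input: a self-signed certificate valid for DAYS days,
#   with its key written next to it as FILE.key
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=pve-demo" >/dev/null 2>&1
}

# Usage: run the check over three constructed certificates.
demo() {
    dir=$(mktemp -d)
    make_cert "$dir/short.pem" 1      # expires tomorrow: renew
    make_cert "$dir/normal.pem" 365   # one year left: keep
    make_cert "$dir/long.pem" 900     # old-style long lifetime: renew
    for f in short normal long; do
        if reason=$(check_cert "$dir/$f.pem"); then
            echo "$f.pem: $reason"
        else
            echo "$f.pem: ok, keeping"
        fi
    done
    rm -rf "$dir"
}
```

Running `demo` prints one line per certificate; to use the check on a live node, point `check_cert` at the node certificate, e.g. `check_cert /etc/pve/local/pve-ssl.pem`. The boundary case (exactly 730 days left) is deliberately not exercised, because whether it counts as "more than 2 years" depends on the second in which the check runs.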