[pve-devel] [PATCH manager] certs: early renew long-lived certificates

Fabian Grünbichler f.gruenbichler at proxmox.com
Thu Apr 23 13:59:00 CEST 2020


On April 23, 2020 1:07 pm, Dominik Csapak wrote:
> LGTM
> 
> maybe we should shorten the lifespan to 1 year already?
> according to [0], safari on macos will reject certs
> that are longer valid than 398 days, when issued on/after
> 2020-09-01
> 
> 0: https://support.apple.com/en-us/HT211025
> 

forgot to include this tidbit: that change was actually the reason for 
looking at it, but it only affects certificates issued by CAs shipped in 
the Apple Trust Stores, not those issued by CAs manually trusted by a 
user. So our self-signed CA and its certificates are not affected (for 
now).

I don't have any objections to shortening both the issuance and the 
check here to 1 year though.

> On 4/23/20 12:20 PM, Fabian Grünbichler wrote:
>> If our self-signed certificate expires in more than 825 days, but was
>> created after July 2019 it won't be accepted by modern Apple devices. we
>> fixed the issuance to generate shorter-lived certificates in November
>> 2019, this cleans up the existing ones to fix this and similar future
>> issues.
>> 
>> Two years / 730 days as cut-off was chosen since it's our new maximum
>> self-signed certificate lifetime, and should thus catch all old-style
>> certificates.
>> 
>> Another positive side-effect is that we can now phase out support for
>> older certificates faster, e.g. if we want to move to bigger keys,
>> different signature algorithms, or anything else in that direction.
>> 
>> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
>> ---
>> I'd also be fine with reducing both even more, e.g. to 1 year ;)
>> 
>>   bin/pveupdate | 15 ++++++++++++---
>>   1 file changed, 12 insertions(+), 3 deletions(-)
>> 
>> diff --git a/bin/pveupdate b/bin/pveupdate
>> index 15a2accc..36ac6814 100755
>> --- a/bin/pveupdate
>> +++ b/bin/pveupdate
>> @@ -79,8 +79,9 @@ eval {
>>       my $certpath = PVE::CertHelpers::default_cert_path_prefix($nodename).".pem";
>>       my $capath = "/etc/pve/pve-root-ca.pem";
>>   
>> -    # check if expiry is < 2W
>> -    if (PVE::Certificate::check_expiry($certpath, time() + 14*24*60*60)) {
>> +    my $renew = sub {
>> +	my ($msg) = @_;
>> +
>>   	# get CA info
>>   	my $cainfo = PVE::Certificate::get_certificate_info($capath);
>>   
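Review bot: keeping the `$renew` closure inside the surrounding `eval { ... }` block is the right call, since a `die` from `get_certificate_info`, the `openssl verify` call or `gen_pve_ssl_cert` still reaches the `syslog('err', ...)` handler at the end of the block; please do not move it out in a follow-up. Minor: the removed `# check if expiry is < 2W` comment documented the threshold at the call site, and the closure now takes an undocumented `$msg`; a one-line comment above `my $renew = sub {` stating that `$msg` is the reason printed before the certificate is regenerated would keep its contract obvious.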
>> @@ -94,13 +95,21 @@ eval {
>>   	# TODO: replace by low level ssleay interface if version 1.86 is available
>>   	PVE::Tools::run_command(['/usr/bin/openssl', 'verify', '-CAfile', $capath, $certpath]);
>>   
>> -	print "PVE certificate expires soon, renewing...\n";
>> +	print "PVE certificate $msg\n";
>>   	# create new certificate
>>   	my $ip = PVE::Cluster::remote_node_ip($nodename);
>>   	PVE::Cluster::Setup::gen_pve_ssl_cert(1, $nodename, $ip);
>>   
>>   	print "Restarting pveproxy after renewing certificate\n";
>>   	PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
>> +    };
>> +
>> +    if (PVE::Certificate::check_expiry($certpath, time() + 14*24*60*60)) {
>> +	# expires in next 2 weeks
>> +	$renew->("expires soon, renewing...");
>> +    } elsif (!PVE::Certificate::check_expiry($certpath, time() + 2*365*24*60*60)) {
>> +	# expires in more than 2 years
>> +	$renew->("expires in more than 2 years, renewing to reduce certificate life-span...");
>>       }
>>   };
>>   syslog ('err', "Checking/Renewing SSL certificate failed: $@") if $@;
>> 
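Review bot: the `elsif` branch is only safe while `2*365*24*60*60` is at least as long as the lifetime `gen_pve_ssl_cert` issues; if the two ever drift apart (for example the proposed move to 1 year applied to the check but not to issuance, or vice versa), every `pveupdate` run would renew a freshly issued certificate and reload pveproxy again. Suggest hoisting both windows into named constants next to each other, e.g. `my $renew_before = 14*24*60*60;` and `my $max_lifetime = 2*365*24*60*60;`, or better, deriving the cut-off from the same value the issuance code uses so they cannot diverge. The comments `# expires in next 2 weeks` and `# expires in more than 2 years` read well with the negated `check_expiry` call; keep them when the numbers change.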