[pve-devel] [PATCH v3 manager 1/3] fix #4552: certhelpers: check if custom cert and key match on change

[Max Carrara]

On 3/14/23 16:08, Max Carrara wrote:
> It is now checked whether the new custom SSL certificate actually
> matches the provided or existing custom key.
> 
> Also, the new custom certificate and key pair is now validated
> *before* it is used or replaced with the existing pair. Safety copies
> are still made; if a pair is currently in use, it is therefore left
> untouched until the new one is valid.
> 
> Signed-off-by: Max Carrara <m.carrara at proxmox.com>
> ---
>  NOTE: This patch requies a version bump+upload of pve-common.
> 

Ping - I've been testing the most recent ISO of PVE 7.4 and I think
this patch should be included in the release, as it's now technically
even easier to encounter bug #4552[0]. Before the fix for the optional
cert upload in the UI was applied (thanks, btw!) the user was forced
to provide both key *and* cert, which is not necessary anymore now if
a key/cert pair was already uploaded some time before.

So, it's now easier to lock oneself out of their own PVE instance, imo.

Additionally, if the host with the invalid key/cert pair is in a
cluster, it cannot be accessed via another host in the same cluster
either - it's displayed as online, but *no* actions in the UI can be
performed anymore.

I'm not sure what other implications a key/cert mismatch has, but
since it requires the user to log in via SSH, manually delete the
mismatching key/cert pair, and then running `pvecm updatecerts -f`.

Therefore I feel like this is rather important to include in PVE 7.4,
so if there are any open questions/issues with this patch, I'd gladly
answer/fix/update/etc. anything if necessary.


[0] https://bugzilla.proxmox.com/show_bug.cgi?id=4552