[pve-devel] [PATCH manager 1/2] fix #6779: pveupdate: renew already expired certificates
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Sep 9 12:04:47 CEST 2025
if nodes are offline for a longer period of time, they might not be renewed by
pveupdate before they expire. the `verify` call here just serves as an
extra safeguard to prevent accidental overwriting of certificates not actually
signed by the cluster CA, checking the expiry time servers no purpose.
Suggested-by: Stephane Chazelas
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
verified by manually creating an expired and a soon-to-be-expired certificate..
bin/pveupdate | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/bin/pveupdate b/bin/pveupdate
index 757cac868..9984c9369 100755
--- a/bin/pveupdate
+++ b/bin/pveupdate
@@ -111,7 +111,10 @@ eval {
# check if cert is really signed by the ca
# TODO: replace by low level ssleay interface if version 1.86 is available
- PVE::Tools::run_command(['/usr/bin/openssl', 'verify', '-CAfile', $capath, $certpath]);
+ my $cmd = [
+ '/usr/bin/openssl', 'verify', '-no_check_time', '-CAfile', $capath, '--', $certpath,
+ ];
+ PVE::Tools::run_command($cmd);
print "PVE certificate $msg\n";
# create new certificate
--
2.47.3
More information about the pve-devel
mailing list