[pve-devel] [PATCH manager 1/2] fix #6779: pveupdate: renew already expired certificates

[Fabian Grünbichler]

if nodes are offline for a longer period of time, they might not be renewed by
pveupdate before they expire. the `verify` call here just serves as an
extra safeguard to prevent accidental overwriting of certificates not actually
signed by the cluster CA, checking the expiry time servers no purpose.

Suggested-by: Stephane Chazelas
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
verified by manually creating an expired and a soon-to-be-expired certificate..

 bin/pveupdate | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/bin/pveupdate b/bin/pveupdate
index 757cac868..9984c9369 100755
--- a/bin/pveupdate
+++ b/bin/pveupdate
@@ -111,7 +111,10 @@ eval {
 
         # check if cert is really signed by the ca
         # TODO: replace by low level ssleay interface if version 1.86 is available
-        PVE::Tools::run_command(['/usr/bin/openssl', 'verify', '-CAfile', $capath, $certpath]);
+        my $cmd = [
+            '/usr/bin/openssl', 'verify', '-no_check_time', '-CAfile', $capath, '--', $certpath,
+        ];
+        PVE::Tools::run_command($cmd);
 
         print "PVE certificate $msg\n";
         # create new certificate
-- 
2.47.3