Proxmox/pve-manager
5
0
Fork 0
Code Pull Requests Releases Activity

certs: early renew long-lived certificates

Browse Source 
if our self-signed certificate expires in more than 825 days, but was
created after July 2019 it won't be accepted by modern Apple devices. we
fixed the issuance to generate shorter-lived certificates in November
2019, this cleans up the existing ones to fix this and similar future
issues.

two years / 730 days as cut-off was chosen since it's our new maximum
self-signed certificate lifetime, and should thus catch all old-style
certificates.

another positive side-effect is that we can now phase out support for
older certificates faster, e.g. if we want to move to bigger keys,
different signature algorithms, or anything else in that direction.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler 2020-04-23 12:20:02 +02:00 committed by Thomas Lamprecht
parent efb9c36015
commit 34f8507b29
1 changed files with 12 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
bin/pveupdate
View File

@ -79,8 +79,9 @@ eval {
my $certpath = PVE::CertHelpers::default_cert_path_prefix($nodename).".pem";
my $capath = "/etc/pve/pve-root-ca.pem";
# check if expiry is < 2W
if (PVE::Certificate::check_expiry($certpath, time() + 14*24*60*60)) {
my $renew = sub {
my ($msg) = @_;
# get CA info
my $cainfo = PVE::Certificate::get_certificate_info($capath);
@ -94,13 +95,21 @@ eval {
# TODO: replace by low level ssleay interface if version 1.86 is available
PVE::Tools::run_command(['/usr/bin/openssl', 'verify', '-CAfile', $capath, $certpath]);
print "PVE certificate expires soon, renewing...\n";
print "PVE certificate $msg\n";
# create new certificate
my $ip = PVE::Cluster::remote_node_ip($nodename);
PVE::Cluster::Setup::gen_pve_ssl_cert(1, $nodename, $ip);
print "Restarting pveproxy after renewing certificate\n";
PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
};
if (PVE::Certificate::check_expiry($certpath, time() + 14*24*60*60)) {
# expires in next 2 weeks
$renew->("expires soon, renewing...");
} elsif (!PVE::Certificate::check_expiry($certpath, time() + 2*365*24*60*60)) {
# expires in more than 2 years
$renew->("expires in more than 2 years, renewing to reduce certificate life-span...");
}
};
syslog ('err', "Checking/Renewing SSL certificate failed: $@") if $@;