Add the keyUsage[1] extension to the PVE root CA to comply with RFC
5280, which Python decided to enforce as of 3.13 by adding the
VERIFY_X509_STRICT flag, which breaks some clients like Ansible.
The authorityKeyIdentifier[2] and subjectKeyIdentifier[3] extensions are
required by RFC 5280 as well, however OpenSSL adds them in by default
based on /etc/ssl/openssl.cnf, so there is no need for explicitly
passing them.
Test script:
```
import socket, ssl
ctx = ssl.create_default_context(cafile="/etc/pve/pve-root-ca.pem")
ctx.wrap_socket(socket.create_connection(("localhost", 8006)),
server_hostname="localhost")
print("success")
```
[1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
[2] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1
[3] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.2
Suggested-by: Stoiko Ivanov <[email protected]>
Signed-off-by: Arthur Bied-Charreton <[email protected]>
---
src/PVE/Cluster/Setup.pm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm
index 75d3507..4f528ba 100644
--- a/src/PVE/Cluster/Setup.pm
+++ b/src/PVE/Cluster/Setup.pm
@@ -439,6 +439,8 @@ sub gen_pveca_cert {
'-new',
'-x509',
'-nodes',
+ '-addext',
+ 'keyUsage=critical,keyCertSign,cRLSign',
'-key',
$pveca_key_fn,
'-out',
--
2.47.3
_______________________________________________
pve-devel mailing list
[email protected]
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
