On 10/28/19 11:39 AM, Dominik Csapak wrote: > but only if the ca is ours, and the cert is issued by our ca > (by checking the issuer and openssl verify) > > this way we can reduce the lifetime of the certs without having > to worry that they ran out > > Signed-off-by: Dominik Csapak <d.csa...@proxmox.com> > --- > PVE/CertHelpers.pm | 6 ++++++ > bin/pveupdate | 33 +++++++++++++++++++++++++++++++++ > 2 files changed, 39 insertions(+) > > diff --git a/PVE/CertHelpers.pm b/PVE/CertHelpers.pm > index 52316aa0..7e088cb9 100644 > --- a/PVE/CertHelpers.pm > +++ b/PVE/CertHelpers.pm > @@ -38,6 +38,12 @@ sub cert_path_prefix { > return "/etc/pve/nodes/${node}/pveproxy-ssl"; > } > > +sub default_cert_path_prefix { > + my ($node) = @_; > + > + return "/etc/pve/nodes/${node}/pve-ssl"; > +} > + > sub cert_lock { > my ($timeout, $code, @param) = @_; > > diff --git a/bin/pveupdate b/bin/pveupdate > index 5a42ce73..10b5c8f0 100755 > --- a/bin/pveupdate > +++ b/bin/pveupdate > @@ -15,6 +15,7 @@ use PVE::Cluster; > use PVE::APLInfo; > use PVE::SafeSyslog; > use PVE::RPCEnvironment; > +use PVE::Tools; > use PVE::API2::Subscription; > use PVE::API2::APT; > use PVE::API2::ACME; > @@ -72,6 +73,38 @@ eval { > }; > syslog ('err', "Renewing ACME certificate failed: $@") if $@; > > +eval { > + # get CA and check issuer > + my $capath = "/etc/pve/pve-root-ca.pem"; > + my $cainfo = PVE::Certificate::get_certificate_info($capath); > + if ($cainfo->{subject} !~ m|/CN=Proxmox Virtual Environment/.*/O=PVE > Cluster Manager CA|) { > + die "Root CA is not issued by Proxmox VE"; > + }
Hmm, a bit scaremongering for people having their own CA here, not? This get's in the log _daily_. It could be best to first check expiry, so that we do not long 2years (or whatever the users had set as expiry for their custom cert for nothing).. Then, maybe a syslog with info/notice level and a hint that the CA won't get touched as it's not a PVE issued one would be better. If it's about to expire this could also made a warning. > + > + # get cert and check issuer and chain > + my $certpath = > PVE::CertHelpers::default_cert_path_prefix($nodename).".pem"; > + my $certinfo = PVE::Certificate::get_certificate_info($certpath); > + if ($certinfo->{issuer} ne $cainfo->{subject}) { > + die "SSL Certificate is not issued by Proxmox VE root CA"; same here > + } > + > + # check if signed by our ca what is this comment above? > + # TODO > + # replace by low level interface in ssleay if version 1.86 is available > + PVE::Tools::run_command(['/usr/bin/openssl', 'verify', '-CAfile', > $capath, $certpath]); > + > + # check if expiry is < 2W > + if (PVE::Certificate::check_expiry($certpath, time() + 14*24*60*60)) { > + # create new certificate > + my $ip = PVE::Cluster::remote_node_ip($nodename); > + PVE::Cluster::gen_pve_ssl_cert(1, $nodename, $ip); > + print "Restarting pveproxy\n"; > + PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']); > + } > +}; > +syslog ('err', "Checking/Renewing SSL certificate failed: $@") if $@; > + > sub cleanup_tasks { > > my $taskdir = "/var/log/pve/tasks"; > _______________________________________________ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel