[pve-devel] [PATCH manager] certs: early renew long-lived certificates

Thu, 23 Apr 2020 03:20:26 -0700 

if our self-signed certificate expires in more than 825 days, but was
created after July 2019 it won't be accepted by modern Apple devices. we
fixed the issuance to generate shorter-lived certificates in November
2019, this cleans up the existing ones to fix this and similar future
issues.

two years / 730 days as cut-off was chosen since it's our new maximum
self-signed certificate lifetime, and should thus catch all old-style
certificates.

another positive side-effect is that we can now phase out support for
older certificates faster, e.g. if we want to move to bigger keys,
different signature algorithms, or anything else in that direction.

Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
---
I'd also be fine with reducing both even more, e.g. to 1 year ;)

 bin/pveupdate | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/bin/pveupdate b/bin/pveupdate
index 15a2accc..36ac6814 100755
--- a/bin/pveupdate
+++ b/bin/pveupdate
@@ -79,8 +79,9 @@ eval {
     my $certpath = 
PVE::CertHelpers::default_cert_path_prefix($nodename).".pem";
     my $capath = "/etc/pve/pve-root-ca.pem";
 
-    # check if expiry is < 2W
-    if (PVE::Certificate::check_expiry($certpath, time() + 14*24*60*60)) {
+    my $renew = sub {
+       my ($msg) = @_;
+
        # get CA info
        my $cainfo = PVE::Certificate::get_certificate_info($capath);
 
@@ -94,13 +95,21 @@ eval {
        # TODO: replace by low level ssleay interface if version 1.86 is 
available
        PVE::Tools::run_command(['/usr/bin/openssl', 'verify', '-CAfile', 
$capath, $certpath]);
 
-       print "PVE certificate expires soon, renewing...\n";
+       print "PVE certificate $msg\n";
        # create new certificate
        my $ip = PVE::Cluster::remote_node_ip($nodename);
        PVE::Cluster::Setup::gen_pve_ssl_cert(1, $nodename, $ip);
 
        print "Restarting pveproxy after renewing certificate\n";
        PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
+    };
+
+    if (PVE::Certificate::check_expiry($certpath, time() + 14*24*60*60)) {
+       # expires in next 2 weeks
+       $renew->("expires soon, renewing...");
+    } elsif (!PVE::Certificate::check_expiry($certpath, time() + 
2*365*24*60*60)) {
+       # expires in more than 2 years
+       $renew->("expires in more than 2 years, renewing to reduce certificate 
life-span...");
     }
 };
 syslog ('err', "Checking/Renewing SSL certificate failed: $@") if $@;
-- 
2.20.1


_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Reply via email to