From 75456ef378cfe50c66eade06859736a8dc024f2b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= Date: Thu, 23 Apr 2020 12:20:02 +0200 Subject: [PATCH] certs: early renew long-lived certificates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit if our self-signed certificate expires in more than 825 days, but was created after July 2019 it won't be accepted by modern Apple devices. we fixed the issuance to generate shorter-lived certificates in November 2019, this cleans up the existing ones to fix this and similar future issues. two years / 730 days as cut-off was chosen since it's our new maximum self-signed certificate lifetime, and should thus catch all old-style certificates. another positive side-effect is that we can now phase out support for older certificates faster, e.g. if we want to move to bigger keys, different signature algorithms, or anything else in that direction. Signed-off-by: Fabian Grünbichler --- bin/pveupdate | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/bin/pveupdate b/bin/pveupdate index 15a2accc..36ac6814 100755 --- a/bin/pveupdate +++ b/bin/pveupdate @@ -79,8 +79,9 @@ eval { my $certpath = PVE::CertHelpers::default_cert_path_prefix($nodename).".pem"; my $capath = "/etc/pve/pve-root-ca.pem"; - # check if expiry is < 2W - if (PVE::Certificate::check_expiry($certpath, time() + 14*24*60*60)) { + my $renew = sub { + my ($msg) = @_; + # get CA info my $cainfo = PVE::Certificate::get_certificate_info($capath); @@ -94,13 +95,21 @@ eval { # TODO: replace by low level ssleay interface if version 1.86 is available PVE::Tools::run_command(['/usr/bin/openssl', 'verify', '-CAfile', $capath, $certpath]); - print "PVE certificate expires soon, renewing...\n"; + print "PVE certificate $msg\n"; # create new certificate my $ip = PVE::Cluster::remote_node_ip($nodename); PVE::Cluster::Setup::gen_pve_ssl_cert(1, $nodename, $ip); print "Restarting pveproxy after renewing certificate\n"; PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']); + }; + + if (PVE::Certificate::check_expiry($certpath, time() + 14*24*60*60)) { + # expires in next 2 weeks + $renew->("expires soon, renewing..."); + } elsif (!PVE::Certificate::check_expiry($certpath, time() + 2*365*24*60*60)) { + # expires in more than 2 years + $renew->("expires in more than 2 years, renewing to reduce certificate life-span..."); } }; syslog ('err', "Checking/Renewing SSL certificate failed: $@") if $@;