proxmox-mirrors/pve-manager
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-manager synced 2025-10-04 07:48:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

renew pve-ssl.pem when it nearly expires

Browse Source 
but only if the cert is issued by the ca in /etc/pve/pve-root-ca.pem
(by checking the issuer and openssl verify)

this way we can reduce the lifetime of the certs without having
to worry that they ran out

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
This commit is contained in:
Dominik Csapak 2019-11-26 11:01:22 +01:00 committed by Thomas Lamprecht
parent 6159470e4d
commit 784a50cca0
2 changed files with 38 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
PVE/CertHelpers.pm
View File

@ -38,6 +38,12 @@ sub cert_path_prefix {
return "/etc/pve/nodes/${node}/pveproxy-ssl"; return "/etc/pve/nodes/${node}/pveproxy-ssl";
} }
sub default_cert_path_prefix {
my ($node) = @_;
return "/etc/pve/nodes/${node}/pve-ssl";
}
sub cert_lock { sub cert_lock {
my ($timeout, $code, @param) = @_; my ($timeout, $code, @param) = @_;

32
bin/pveupdate
View File

@ -12,10 +12,12 @@ use PVE::Certificate;
use PVE::NodeConfig; use PVE::NodeConfig;
use PVE::INotify; use PVE::INotify;
use PVE::Cluster; use PVE::Cluster;
use PVE::Cluster::Setup;
use PVE::DataCenterConfig; use PVE::DataCenterConfig;
use PVE::APLInfo; use PVE::APLInfo;
use PVE::SafeSyslog; use PVE::SafeSyslog;
use PVE::RPCEnvironment; use PVE::RPCEnvironment;
use PVE::Tools;
use PVE::API2::Subscription; use PVE::API2::Subscription;
use PVE::API2::APT; use PVE::API2::APT;
use PVE::API2::ACME; use PVE::API2::ACME;
@ -73,6 +75,36 @@ eval {
}; };
syslog ('err', "Renewing ACME certificate failed: $@") if $@; syslog ('err', "Renewing ACME certificate failed: $@") if $@;
eval {
my $certpath = PVE::CertHelpers::default_cert_path_prefix($nodename).".pem";
my $capath = "/etc/pve/pve-root-ca.pem";
# check if expiry is < 2W
if (PVE::Certificate::check_expiry($certpath, time() + 14*24*60*60)) {
# get CA info
my $cainfo = PVE::Certificate::get_certificate_info($capath);
# get cert and check issuer and chain metadata
my $certinfo = PVE::Certificate::get_certificate_info($certpath);
if ($certinfo->{issuer} ne $cainfo->{subject}) {
die "SSL Certificate is not issued by root CA";
}
# check if cert is really signed by the ca
# TODO
# replace by low level interface in ssleay if version 1.86 is available
PVE::Tools::run_command(['/usr/bin/openssl', 'verify', '-CAfile', $capath, $certpath]);
# create new certificate
my $ip = PVE::Cluster::remote_node_ip($nodename);
PVE::Cluster::Setup::gen_pve_ssl_cert(1, $nodename, $ip);
print "Restarting pveproxy after renewing certificate\n";
PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
}
};
syslog ('err', "Checking/Renewing SSL certificate failed: $@") if $@;
sub cleanup_tasks { sub cleanup_tasks {
my $taskdir = "/var/log/pve/tasks"; my $taskdir = "/var/log/pve/tasks";