this call site was apparently missed when we refactored the node config
/ ACME interaction.
Suggested/Reported-by: Frédéric Bourqui
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

if our self-signed certificate expires in more than 825 days, but was
created after July 2019 it won't be accepted by modern Apple devices. we
fixed the issuance to generate shorter-lived certificates in November
2019, this cleans up the existing ones to fix this and similar future
issues.
two years / 730 days as cut-off was chosen since it's our new maximum
self-signed certificate lifetime, and should thus catch all old-style
certificates.
another positive side-effect is that we can now phase out support for
older certificates faster, e.g. if we want to move to bigger keys,
different signature algorithms, or anything else in that direction.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

but only if the cert is issued by the ca in /etc/pve/pve-root-ca.pem
(by checking the issuer and openssl verify)
this way we can reduce the lifetime of the certs without having
to worry that they ran out
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>

renew certificate if an acme config entry and a custom certificate
exist on the local node and the certificate expires soon.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
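
Added example, not part of the commits above and not Proxmox code: the renewal criteria from the second and third commit messages (730-day cut-off, and renewal only when the issuer matches the CA and openssl verify succeeds), written as a shell check. The function names, the 14-day meaning of "expires soon" and the throwaway demo certificates are assumptions made for this example.

```shell
#!/bin/sh
# Added illustration, not Proxmox code. Function names, SOON_DAYS and the demo
# certificates are assumptions; only the 730-day cut-off and the
# "issuer + openssl verify" check come from the commit messages.
MAX_DAYS=730
SOON_DAYS=14   # assumed meaning of "expires soon"

# True only if the issuer DN equals the CA subject AND the signature verifies.
issued_by_ca() {
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] && openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# -checkend N exits 0 when the certificate is still valid N seconds from now.
valid_in_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# renewal_decision CERT CA -> prints skip | renew-too-long | renew-soon | keep
renewal_decision() {
    if ! issued_by_ca "$1" "$2"; then echo skip
    elif valid_in_days "$1" "$MAX_DAYS"; then echo renew-too-long
    elif ! valid_in_days "$1" "$SOON_DAYS"; then echo renew-soon
    else echo keep
    fi
}

# Constructed sample input: throwaway CA, an imposter CA with the same subject,
# and leaf certificates with different lifetimes, all written to directory $1.
make_demo_certs() {
    ( cd "$1" || exit 1
      for ca in ca imposter; do
          openssl req -x509 -newkey rsa:2048 -nodes -keyout $ca.key -out $ca.pem \
              -subj "/CN=Demo Root CA" -days 3650 2>/dev/null || exit 1
      done
      openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
          -subj "/CN=node1" 2>/dev/null || exit 1
      for spec in old:3650:ca new:700:ca soon:5:ca fake:700:imposter; do
          name=${spec%%:*}; rest=${spec#*:}; days=${rest%%:*}; signer=${rest#*:}
          openssl x509 -req -in leaf.csr -CA $signer.pem -CAkey $signer.key \
              -CAcreateserial -days "$days" -out "$name.pem" 2>/dev/null || exit 1
      done )
}
```

The fake.pem case carries the same issuer name as the real CA but is signed by a different key, which is why the name comparison alone is not enough and the signature is verified as well.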