According to rfc2986 the only valid version is 0. No newer rfc changed that. See section 4.1: https://www.rfc-editor.org/rfc/rfc2986#section-4.1
Manually verifying the CSR with openssl results in the following error: ``` $ openssl req -in bad.csr -text -noout Certificate Request: Data: Version: Unknown (2) ``` Signed-off-by: Mira Limbeck <m.limb...@proxmox.com> --- I wasn't able to create a test setup where I could test this yet, will try again on monday. Stoiko tested it on his setup with Let's Encrypt Staging and it worked fine. Although he didn't extract the CSR to verify it. A customer reported the issue in the enterprise support portal and provided the fix as well. src/PVE/Certificate.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/PVE/Certificate.pm b/src/PVE/Certificate.pm index 4ce7364..f67f6cd 100644 --- a/src/PVE/Certificate.pm +++ b/src/PVE/Certificate.pm @@ -430,7 +430,7 @@ sub generate_csr { $cleanup->("Failed to set public key\n") if !Net::SSLeay::X509_REQ_set_pubkey($req, $pk); - $cleanup->("Failed to set CSR version\n") if !Net::SSLeay::X509_REQ_set_version($req, 2); + $cleanup->("Failed to set CSR version\n") if !Net::SSLeay::X509_REQ_set_version($req, 0); $cleanup->("Failed to sign CSR\n") if !Net::SSLeay::X509_REQ_sign($req, $pk, $md); -- 2.30.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel