Add the keyUsage[1] extension to the PVE root CA to comply with RFC 5280. Python started to enforce this as of 3.13 by defaulting to using the VERIFY_X509_STRICT flag, which breaks clients like Ansible.
The authorityKeyIdentifier[2] and subjectKeyIdentifier[3] extensions are not strictly required for fixing this issue, however RFC 5280 mandates them for conforming CAs, so adding them makes sense as well. [1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3 [2] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1 [3] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.2 Signed-off-by: Arthur Bied-Charreton <[email protected]> --- This fix is not required for PBS and PDM, since they only use self-signed certificates. You can run the script below to test the changes, should fail with "CA cert does not include key usage extension" before applying the patch, and succeed afterwards. ``` #!/usr/bin/env python3 import socket import ssl import sys try: context = ssl.create_default_context(cafile="/etc/pve/pve-root-ca.pem") context.check_hostname = True context.verify_mode = ssl.CERT_REQUIRED with socket.create_connection(("localhost", 8006), timeout=10) as sock: with context.wrap_socket(sock, server_hostname="localhost") as ssock: print(f"success") except ssl.SSLCertVerificationError as e: print(e) ``` src/PVE/Cluster/Setup.pm | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/src/PVE/Cluster/Setup.pm b/src/PVE/Cluster/Setup.pm index 75d3507..d95a278 100644 --- a/src/PVE/Cluster/Setup.pm +++ b/src/PVE/Cluster/Setup.pm @@ -426,6 +426,25 @@ sub gen_pveca_cert { my $uuid_str; UUID::unparse($uuid, $uuid_str); + my $sslconf = <<__EOD; +[req] +distinguished_name = req_distinguished_name +x509_extensions = v3_ca + +[ req_distinguished_name ] + +[ v3_ca ] +basicConstraints = critical,CA:TRUE +keyUsage = critical,keyCertSign,cRLSign +authorityKeyIdentifier = keyid:always,issuer +subjectKeyIdentifier = hash +__EOD + + my $cfgfn = "/tmp/pvesslconf-$$.tmp"; + my $fh = IO::File->new($cfgfn, "w"); + print $fh $sslconf; + close($fh); + eval { # wrap openssl with faketime to prevent bug #904 run_silent_cmd([ @@ -439,6 +458,8 @@ sub gen_pveca_cert { '-new', '-x509', '-nodes', + '-config', + $cfgfn, '-key', $pveca_key_fn, '-out', @@ -448,6 +469,8 @@ sub gen_pveca_cert { ]); }; + unlink $cfgfn; + die "generating pve root certificate failed:\n$@" if $@; return 1; -- 2.47.3 _______________________________________________ pve-devel mailing list [email protected] https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
