if nodes are offline for a longer period of time, they might not be renewed by
pveupdate before they expire. the `verify` call here just serves as an
extra safeguard to prevent accidental overwriting of certificates not actually
signed by the cluster CA, checking the expiry time servers no purpose.
Suggested-by: Stephane Chazelas
Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
---
verified by manually creating an expired and a soon-to-be-expired certificate..
bin/pveupdate | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/bin/pveupdate b/bin/pveupdate
index 757cac868..9984c9369 100755
--- a/bin/pveupdate
+++ b/bin/pveupdate
@@ -111,7 +111,10 @@ eval {
# check if cert is really signed by the ca
# TODO: replace by low level ssleay interface if version 1.86 is
available
- PVE::Tools::run_command(['/usr/bin/openssl', 'verify', '-CAfile',
$capath, $certpath]);
+ my $cmd = [
+ '/usr/bin/openssl', 'verify', '-no_check_time', '-CAfile',
$capath, '--', $certpath,
+ ];
+ PVE::Tools::run_command($cmd);
print "PVE certificate $msg\n";
# create new certificate
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
