certificate expiry

drjaymz@

Member
Jan 19, 2022
All, over the last week there have been a few reports in the media of embarrassments caused by certificate expiries that apparently nobody was on top of. Chromecast is one of the high-profile issues and it made things extremely hard to fix due to the nature of certificates and the fact that it broke the updates needed to fix it. Closer to home, a certificate expiry on the same day was related to a core part of Firefox breaking all of our Firefox-based kiosk deployments with apparently no fix.
I feel certificate expiries like this seem to be a very contemporary issue brought about by a half-balked [sic] drive to make things more secure. The problem is, these time-bombs are not apparent to the users of technology stacks, often with no easy way to be forewarned.

On that note, are there any certificates baked into the PVE or PBS codebase that could potentially cause them to break spontaneously? We keep our installations reasonably up to date, but there is always a chance there will be a system lurking in the shadows that isn't, which causes a massive headache one day.
 
On that note, are there any certificates baked into the PVE or PBS codebase that could potentially cause them to break spontaneously?
Well, there is the self-generated web UI certificate, but those aren't automatically trusted as they are self-signed anyway. So most things in the stack rely on the fingerprints of certificates rather than expiry dates.

There are also the apt keys, but they are valid for ten years or so for each release and should be updated on upgrade. So unless you really sleep on your updates for multiple years, this shouldn't be a problem either.

If you add a custom TLS certificate yourself, you will need to handle that yourself of course. Otherwise, we'd recommend using ACME to automate that task.
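
For custom TLS certificates that you manage yourself, as mentioned in the reply above, an expiry check can run from cron or a monitoring agent. This is an added example, not code from the thread or from Proxmox; the certificate paths are supplied by the caller and the 30-day `WARN_DAYS` window is an assumption.

```shell
#!/bin/sh
# Added example: report TLS certificate files that are expired or close to it.
# Certificate paths are given as arguments; none are taken from the thread.

WARN_DAYS="${WARN_DAYS:-30}"   # assumed warning window, in days

# cert_status FILE [DAYS]
# Prints one of: ok, expiring, expired, unreadable.
# Returns 0, 1, 2 or 3 respectively.
cert_status() {
    cert="$1"
    days="${2:-$WARN_DAYS}"
    # Anything openssl cannot parse as an X.509 certificate is reported, not skipped.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable; return 3
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo expiring; return 1
    fi
    echo ok; return 0
}

# check_certs FILE...
# Prints one line per file and returns the worst status seen,
# so a cron job or monitoring check can alert on a non-zero exit.
check_certs() {
    worst=0
    for f in "$@"; do
        rc=0
        state=$(cert_status "$f") || rc=$?
        end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null) || end="notAfter=unknown"
        printf '%-10s %s (%s)\n' "$state" "$f" "$end"
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Run only when files are passed, e.g.: sh certcheck.sh /path/to/custom-cert.pem
if [ "$#" -gt 0 ]; then
    check_certs "$@"
fi
```

The exit code is the worst state found (0 ok, 1 expiring, 2 expired, 3 unreadable), so a scheduler can alert on any non-zero result.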