Workaround needed for default PVE self-signed CA/certs and python3.13's new strict cert checking

ftoomch

Feb 19, 2025
This is probably a pretty simple one, but how do I influence the various certificate attributes when creating node/api certs with:

Code:
pvecm updatecerts

?

With a recent move to python3.13 and its new strict cert checking, the normal certs as used by PVE are causing problems:

Here's the difference between python3.13:
Code:
Python 3.13.5 (main, May  5 2026, 21:05:52) [GCC 14.2.0] on linux
>>> import ssl
>>> ssl.create_default_context().verify_flags
<VerifyFlags.VERIFY_X509_STRICT|VERIFY_X509_TRUSTED_FIRST|VERIFY_X509_PARTIAL_CHAIN: 557088>

vs the older 3.12:

Code:
Python 3.12.13 (main, Mar 18 2026, 06:45:42) [Clang 19.1.7 ] on openbsd7
>>> import ssl
>>> ssl.create_default_context().verify_flags
<VerifyFlags.VERIFY_X509_TRUSTED_FIRST: 32768>

The actual error I'm getting is when using the ansible uri module (but it's the same for anything using ssl's defaults and cert validation):

Code:
"Request failed: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: CA cert does not include key usage extension (_ssl.c:1029)>"

I'm running the latest PVE 9.2.3 and have naively run pvecm updatecerts --force on all my nodes.

What's the real solution to have PVE include this attribute as python now expects?

Thanks in advance!
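A quick way to see whether a CA file actually carries the keyUsage extension (with keyCertSign) that Python 3.13's VERIFY_X509_STRICT, i.e. OpenSSL's X509_V_FLAG_X509_STRICT, insists on. This is an added shell example, not part of the original post; the path to the PVE root CA file is an assumption, so point it at whatever CA file your cluster uses.

```shell
#!/bin/sh
# ca_keyusage_check: report whether a CA certificate has a keyUsage
# extension that includes keyCertSign. A CA without it is exactly what
# triggers "CA cert does not include key usage extension" under strict
# verification. Returns 0 when the CA passes, 1 otherwise.
ca_keyusage_check() {
    cert="$1"
    # Extract just the Key Usage line from the textual dump; portable
    # across OpenSSL releases, unlike the newer "-ext keyUsage" option.
    ku=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
         | grep -A1 'X509v3 Key Usage' | tail -n 1)
    if [ -z "$ku" ]; then
        echo "$cert: no keyUsage extension (strict verifiers reject this CA)"
        return 1
    fi
    case "$ku" in
        *"Certificate Sign"*)
            echo "$cert: keyUsage present with keyCertSign:$ku"
            return 0 ;;
        *)
            echo "$cert: keyUsage present but lacks keyCertSign:$ku"
            return 1 ;;
    esac
}

# Usage: sh check_ca.sh /path/to/your/pve-root-ca.pem
# (the CA path is an assumption; substitute your cluster's CA file)
for c in "$@"; do ca_keyusage_check "$c"; done
```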