Workaround needed for default PVE self-signed CA/certs and python3.13's new strict cert checking

ftoomch

Feb 19, 2025
This is probably a pretty simple one, but how do I influence the various certificate attributes when creating node/api certs with:

Code:
pvecm updatecerts

?

With a recent move to python3.13 and its new strict cert checking the normal certs as used by PVE are causing problems:

Here's the difference between python3.13:
Code:
Python 3.13.5 (main, May  5 2026, 21:05:52) [GCC 14.2.0] on linux
>>> import ssl
>>> ssl.create_default_context().verify_flags
<VerifyFlags.VERIFY_X509_STRICT|VERIFY_X509_TRUSTED_FIRST|VERIFY_X509_PARTIAL_CHAIN: 557088>

vs the older 3.12:

Code:
Python 3.12.13 (main, Mar 18 2026, 06:45:42) [Clang 19.1.7 ] on openbsd7
>>> import ssl
>>> ssl.create_default_context().verify_flags
<VerifyFlags.VERIFY_X509_TRUSTED_FIRST: 32768>

The actual error I'm getting is when using the ansible uri module (but it's the same for anything using ssl's defaults and cert validation):

Code:
"Request failed: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: CA cert does not include key usage extension (_ssl.c:1029)>"

I'm running the latest PVE 9.2.3 and have naively run pvecm updatecerts --force on all my nodes.

What's the real solution to have PVE include this attribute as python now expects?

Thanks in advance!
Hey!

This has been fixed with pve-cluster 9.1.2 [0]:

Code:
pve-cluster (9.1.2) trixie; urgency=medium

  * fix #6701: setup: add keyUsage extension to root CA for RFC 5280
    compliance. Python 3.13 now enforces strict X.509 validation, which broke
    clients like Ansible connecting to the API.

[...]

Note that pvecm updatecerts only updates a node's leaf certificate (/etc/pve/nodes/{node}/pve-ssl.pem), and this issue concerns the cluster CA certificate. In order to get an updated cluster CA, you can do the following (single-node installs only need the first step):

Delete and regenerate the CA on one node, then re-sign that node's leaf:
Code:
rm /etc/pve/pve-root-ca.pem
pvecm updatecerts  # --force not needed, IIRC regenerating the CA sets it automatically
systemctl restart pveproxy pvedaemon
Then, on every other node, only re-sign the leaves (do not delete the CA again):
Code:
pvecm updatecerts --force
systemctl restart pveproxy pvedaemon

[0] https://lore.proxmox.com/all/20260317165358.620306-2-a.bied-charreton@proxmox.com/
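As an added example for this thread (not Proxmox code, and not from either poster), the following standard-library-only script answers the question both posts circle around: does a given CA certificate such as /etc/pve/pve-root-ca.pem actually carry the keyUsage extension with keyCertSign that Python 3.13's default VERIFY_X509_STRICT demands? Running it before and after the regeneration steps above tells you whether the cluster CA is the one the strict verifier rejects. It also shows the client-side stop-gap of clearing only the strict flag while chain and hostname verification stay on, for clients that must reach a not-yet-regenerated cluster. The small DER walker, the function names and the constructed sample certificates are assumptions of this example, not anything PVE or Python ships.

```python
"""Check a PEM CA cert for keyUsage/keyCertSign (RFC 5280 4.2.1.3), the
extension Python 3.13's VERIFY_X509_STRICT requires. Added example, not
Proxmox code; stdlib only. Usage: python3 check_ca.py /etc/pve/pve-root-ca.pem
"""
import ssl
import sys

KEY_USAGE_OID = bytes.fromhex("551d0f")          # DER of OID 2.5.29.15 (keyUsage)
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # OID 2.5.29.19, only used in samples


def _read_tlv(data, pos):
    """Decode one DER TLV at data[pos]; return (tag, value, position after it)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def _children(data):
    """Yield (tag, value) for each TLV inside a constructed DER value."""
    pos = 0
    while pos < len(data):
        tag, value, pos = _read_tlv(data, pos)
        yield tag, value


def key_usage_bits(der_cert):
    """Return the keyUsage BIT STRING payload, or None if the extension is absent."""
    _, cert, _ = _read_tlv(der_cert, 0)             # Certificate ::= SEQUENCE
    tbs = next(_children(cert))[1]                  # first child: TBSCertificate
    for tag, value in _children(tbs):
        if tag != 0xA3:                             # [3] EXPLICIT Extensions
            continue
        for _, ext in _children(next(_children(value))[1]):
            fields = list(_children(ext))           # extnID, [critical], extnValue
            if fields[0][1] == KEY_USAGE_OID:
                _, bitstring, _ = _read_tlv(fields[-1][1], 0)  # BIT STRING inside OCTET STRING
                return bitstring[1:]                # drop the unused-bits count byte
    return None


def check_ca(pem_text):
    """Classify one PEM CA cert: 'ok', 'no-keyusage' or 'keyusage-without-certsign'."""
    bits = key_usage_bits(ssl.PEM_cert_to_DER_cert(pem_text))
    if bits is None:
        return "no-keyusage"                        # the case Python 3.13 rejects
    if bits and bits[0] & 0x04:                     # keyCertSign = bit 5, counted from the MSB
        return "ok"
    return "keyusage-without-certsign"


def api_client_context(cafile=None, strict=True):
    """Client context for the API: chain and hostname checks stay on; strict=False
    clears only VERIFY_X509_STRICT (3.13's default) until the cluster CA is regenerated."""
    ctx = ssl.create_default_context(cafile=cafile)
    if not strict:
        ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
    return ctx


def _tlv(tag, content):
    """DER-encode one TLV; only used to build the constructed sample certificates."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_ca_der(with_key_usage):
    """Constructed, unsigned, minimal X.509 v3 blob for exercising the parser
    (sample data only: not a real certificate and not what PVE generates)."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    name = _tlv(0x30, b"")                                              # empty Name
    validity = _tlv(0x30, _tlv(0x17, b"260101000000Z") + _tlv(0x17, b"360101000000Z"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00"))
    critical = _tlv(0x01, b"\xff")
    exts = _tlv(0x30, _tlv(0x06, BASIC_CONSTRAINTS_OID) + critical
                + _tlv(0x04, _tlv(0x30, _tlv(0x01, b"\xff"))))        # basicConstraints CA:TRUE
    if with_key_usage:                                                  # keyCertSign | cRLSign
        exts += _tlv(0x30, _tlv(0x06, KEY_USAGE_OID) + critical
                     + _tlv(0x04, _tlv(0x03, b"\x01\x06")))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + name + validity + name + spki + _tlv(0xA3, _tlv(0x30, exts)))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))


def sample_ca_pem(with_key_usage):
    """PEM form of the constructed sample, as check_ca() expects."""
    return ssl.DER_cert_to_PEM_cert(sample_ca_der(with_key_usage))


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/pve/pve-root-ca.pem"
    with open(path) as fh:                           # file must hold exactly one PEM cert
        print(path, "->", check_ca(fh.read()))
```

A result of no-keyusage on the cluster CA means the regeneration steps above are still pending on that cluster; ok means the CA produced by pve-cluster 9.1.2 or later is in place and the Python default context will accept it again. The strict=False context is a client-side measure only: it keeps the cluster CA and hostname verification and removes nothing but the RFC 5280 strictness check, so it should be dropped once the CA is regenerated.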