fix #904: wrap openssl with faketime

This should prevent issues when generating certificates on
first boot of a node with the RTC wrongly set to the local
timezone instead of UTC. Since we cannot require the node to
be synchronized with an NTP server, we pretend it's
yesterday when calling openssl.

diff --git a/data/PVE/Cluster.pm b/data/PVE/Cluster.pm
index b2416622b8f65e8130f207c81e66943b8f179163..88662173c29b99d95a1572e0bad781568b5bb61a 100644 (file)
--- a/data/PVE/Cluster.pm
+++ b/data/PVE/Cluster.pm
@@ -184,8 +184,9 @@ sub gen_pveca_cert {
     my $nid = (split (/\s/, `md5sum '$pveca_key_fn'`))[0] || time();
 
     eval {
-       run_silent_cmd(['openssl', 'req', '-batch', '-days', '3650', '-new',
-                       '-x509', '-nodes', '-key',
+       # wrap openssl with faketime to prevent bug #904
+       run_silent_cmd(['faketime', 'yesterday', 'openssl', 'req', '-batch',
+                       '-days', '3650', '-new', '-x509', '-nodes', '-key',
                        $pveca_key_fn, '-out', $pveca_cert_fn, '-subj',
                        "/CN=Proxmox Virtual Environment/OU=$nid/O=PVE Cluster Manager CA/"]);
     };
@@ -298,10 +299,11 @@ __EOD
     update_serial("0000000000000000") if ! -f $pveca_srl_fn;
 
     eval {
-       run_silent_cmd(['openssl', 'x509', '-req', '-in', $reqfn, '-days', '3650',
-                       '-out', $pvessl_cert_fn, '-CAkey', $pveca_key_fn,
-                       '-CA', $pveca_cert_fn, '-CAserial', $pveca_srl_fn,
-                       '-extfile', $cfgfn]);
+       # wrap openssl with faketime to prevent bug #904
+       run_silent_cmd(['faketime', 'yesterday', 'openssl', 'x509', '-req',
+                       '-in', $reqfn, '-days', '3650', '-out', $pvessl_cert_fn,
+                       '-CAkey', $pveca_key_fn, '-CA', $pveca_cert_fn,
+                       '-CAserial', $pveca_srl_fn, '-extfile', $cfgfn]);
     };
 
     if (my $err = $@) {

diff --git a/debian/control b/debian/control
index dd6273e5bb178a04df28a2efdf5e49870c1dc58c..be48dddc703ebe6e55fd53992d1443826b3abcc3 100644 (file)
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Standards-Version: 3.7.3
 Package: pve-cluster
 Architecture: any
 Pre-Depends: ${misc:Pre-Depends}
-Depends: ${shlibs:Depends}, ${misc:Depends}, ${perl:Depends}, perlapi-5.20.0, rsync, libsqlite3-0, sqlite3, libfuse2 (>= 2.9.2-4), fuse, corosync-pve (>= 2.3.4-1), libqb0 (>= 0.17.1-1), libpve-common-perl, libglib2.0-0 (>= 2.42.1-1), rsyslog, openssl, librrd4, librrds-perl, rrdcached, libdigest-hmac-perl, libxml-parser-perl, systemd
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${perl:Depends}, perlapi-5.20.0, rsync, libsqlite3-0, sqlite3, libfuse2 (>= 2.9.2-4), fuse, corosync-pve (>= 2.3.4-1), libqb0 (>= 0.17.1-1), libpve-common-perl, libglib2.0-0 (>= 2.42.1-1), rsyslog, openssl, librrd4, librrds-perl, rrdcached, libdigest-hmac-perl, libxml-parser-perl, systemd, faketime
 Description: Cluster Infrastructure for Proxmox Virtual Environment
  This package contains the Cluster Infrastructure for the Proxmox
  Virtual Environment, namely a distributed filesystem to store