fix(proxmox): prevent broken TLS config on auto-register fingerprint failure (#1303)

When FetchFingerprint fails during agent auto-registration, set verifySSL
based on whether a fingerprint was captured rather than hardcoding true.
Also heal already-broken nodes (verifySSL=true with empty fingerprint) on
legacy re-register to prevent permanent connection failures with self-signed
Proxmox certs.
rcourtman 2026-03-04 23:47:54 +00:00
parent cdceccef05
commit 72be883f4e


@ -5316,7 +5316,7 @@ func (h *ConfigHandlers) HandleAutoRegister(w http.ResponseWriter, r *http.Reque
// Create a node configuration
boolFalse := false
boolTrue := true
verifySSL := true
verifySSL := fingerprint != "" // Only enforce strict TLS when we have a fingerprint to verify against
nodeConfig := NodeConfigRequest{
Type: req.Type,
Name: req.ServerName,
@ -5501,6 +5501,11 @@ func (h *ConfigHandlers) HandleAutoRegister(w http.ResponseWriter, r *http.Reque
if nodeConfig.Fingerprint != "" {
instance.Fingerprint = nodeConfig.Fingerprint
}
// Fix broken state: verifySSL=true with no fingerprint can never connect
// to self-signed Proxmox certs. Downgrade to insecure if no fingerprint. Refs: #1303
if instance.VerifySSL && instance.Fingerprint == "" {
instance.VerifySSL = false
}
// Update source if provided (allows upgrade from script to agent)
if req.Source != "" {
instance.Source = req.Source
@ -5545,6 +5550,11 @@ func (h *ConfigHandlers) HandleAutoRegister(w http.ResponseWriter, r *http.Reque
if nodeConfig.Fingerprint != "" {
instance.Fingerprint = nodeConfig.Fingerprint
}
// Fix broken state: verifySSL=true with no fingerprint can never connect
// to self-signed Proxmox certs. Downgrade to insecure if no fingerprint. Refs: #1303
if instance.VerifySSL && instance.Fingerprint == "" {
instance.VerifySSL = false
}
// Update source if provided (allows upgrade from script to agent)
if req.Source != "" {
instance.Source = req.Source
@ -5860,7 +5870,7 @@ func (h *ConfigHandlers) handleSecureAutoRegister(w http.ResponseWriter, r *http
} else {
fingerprint = fp
}
verifySSL := true
verifySSL := fingerprint != "" // Only enforce strict TLS when we have a fingerprint to verify against
existingTokenID := ""
existingTokenValue := ""