[SOLVED] No Webinterface access: pveproxy-ssl.key: failed to load local private key (key_file or key) at /usr/share/perl5/PVE/APIServer/AnyEvent

mx-738

New Member
Apr 14, 2022
Hello together,


I did something wrong when setting up Let's Encrypt certificates manually.
Now the web interface is no longer accessible.
Code:
systemctl status pveproxy
Error message:
Code:
pveproxy[47500]: /etc/pve/local/pveproxy-ssl.key: failed to load local private key (key_file or key) at /usr/share/perl5/PVE/APIServer/AnyEvent>
pveproxy[47501]: /etc/pve/local/pveproxy-ssl.key: failed to load local private key (key_file or key) at /usr/share/perl5/PVE/APIServer/AnyEvent>
pveproxy[47502]: /etc/pve/local/pveproxy-ssl.key: failed to load local private key (key_file or key) at /usr/share/perl5/PVE/APIServer/AnyEvent>

I have already recreated the certificates according to the instructions https://pve.proxmox.com/wiki/Proxmox_SSL_Error_Fixing
Unfortunately, the error message still comes when restarting the pveproxy services.

The host settings are unchanged and correct.

Code:
pvenode cert info
outputs the two new certificates created according to the instructions.

Anyone have an idea in which direction I can look further?
 
the key file is missing.. what does /etc/pve/local contain?
 
It's a symlink to
/etc/pve/nodes/Servername

Content:
Code:
-rw-r----- 1 root www-data   19 Apr 28  2022 config
-rw-r----- 1 root www-data  103 Apr 26  2022 host.fw
-rw-r----- 1 root www-data   83 Nov 15 10:21 lrm_status
drwxr-xr-x 2 root www-data    0 Apr 19  2022 lxc
drwxr-xr-x 2 root www-data    0 Apr 19  2022 openvz
drwx------ 2 root www-data    0 Apr 19  2022 priv
-rw-r----- 1 root www-data 1.8K Nov 15 07:47 pveproxy-ssl.key
-rw-r----- 1 root www-data 1.7K Nov 15 07:47 pveproxy-ssl.pem
-rw-r----- 1 root www-data 1.7K Nov 15 08:05 pve-ssl.key
-rw-r----- 1 root www-data 1.3K Nov 15 08:05 pve-ssl.pem
drwxr-xr-x 2 root www-data    0 Apr 19  2022 qemu-server
 
okay, and are you sure pveproxy-ssl.key actually contains the private key matching the certificate in pveproxy-ssl.pem? (you can use the 'openssl' CLI tool, but its interface is not very beginner friendly)
 
your link clearly states it's for older versions of PVE.. you need to ensure that the key file matches the certificate. if you just want to get the GUI going again for now, the following should work

Code:
rm /etc/pve/local/pveproxy-ssl.* /etc/pve/local/pve-ssl.*
pvecm updatecerts -f
systemctl restart pveproxy
 
I got an error:

Code:
(re)generate node files
generate new node certificate
Signature ok
subject=OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = Servername
Getting CA Private Key
CA certificate and CA private key do not match
139793274571648:error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters:../crypto/evp/p_lib.c:93:
139793274571648:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:../crypto/x509/x509_cmp.c:303:
unable to generate pve ssl certificate:
command 'faketime yesterday openssl x509 -req -in /tmp/pvecertreq-276055.tmp -days 362 -out /etc/pve/nodes/Servername/pve-ssl.pem -CAkey /etc/pve/priv/pve-root-ca.key -CA /etc/pve/pve-root-ca.pem -CAserial /etc/pve/priv/pve-root-ca.srl -extfile /tmp/pvesslconf-276055.tmp' failed: exit code 1
 
then you previously touched the cluster CA that is not user modifiable.. is this system part of a cluster?
 
then you can run rm /etc/pve/pve-root-ca.pem /etc/pve/priv/pve-root-ca.* and re-run the updatecerts command.
 
That worked great, thank you for your help.
What was my error? Did I copy my wildcard certificate to the wrong files?
 
I don't know, but likely (either now or at some point in the past). if you want to use a custom certificate, you should pass both the certificate and the key file in PEM format to pvenode cert set:

Code:
pvenode cert set <certificates> [<key>] [OPTIONS] [FORMAT_OPTIONS]

Upload or update custom certificate chain and key.

<certificates>: <string>
    PEM encoded certificate (chain).
<key>: <string>
    PEM encoded private key.
--force <boolean> (default =0)
    Overwrite existing custom or ACME certificate files.
--restart <boolean> (default =0)
    Restart pveproxy.

both files *must* match (the private key in the key file and the public key in the certificate file)!
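
The key/certificate match discussed in the replies above can be checked with openssl before pveproxy is restarted. This is an added example, not part of the original posts and not Proxmox tooling; the function names `key_matches_cert` and `check_pve_pairs` are made up here, and the file paths are the ones quoted in this thread.

```bash
# Added example (not from the thread): verify that PEM private keys belong to
# their certificates by comparing the public keys openssl derives from each.

# key_matches_cert CERT KEY
# Returns 0 on match, 1 on mismatch, 2 if a file is missing or unparsable
# (an encrypted key counts as unparsable: the empty -passin avoids a prompt).
key_matches_cert() {
    local cert_pub key_pub
    # For a chain file, openssl x509 reads only the first (leaf) certificate.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
}

# check_pve_pairs [ROOT]
# Checks the three certificate/key pairs named in this thread below ROOT
# (default /etc/pve). Prints one status line per pair; returns 1 if any pair
# is MISMATCH or UNREADABLE. ABSENT (neither file present) is not an error.
check_pve_pairs() {
    local root rc pair cert key rv status
    root="${1:-/etc/pve}"; rc=0
    for pair in \
        "local/pveproxy-ssl.pem:local/pveproxy-ssl.key" \
        "local/pve-ssl.pem:local/pve-ssl.key" \
        "pve-root-ca.pem:priv/pve-root-ca.key"
    do
        cert="$root/${pair%%:*}"; key="$root/${pair##*:}"
        if [ ! -e "$cert" ] && [ ! -e "$key" ]; then
            status=ABSENT
        else
            # Capture the status without tripping 'set -e' in a calling script.
            rv=0; key_matches_cert "$cert" "$key" || rv=$?
            case $rv in
                0) status=OK ;;
                1) status=MISMATCH; rc=1 ;;
                *) status=UNREADABLE; rc=1 ;;
            esac
        fi
        printf '%-10s %s  <->  %s\n' "$status" "$cert" "$key"
    done
    return $rc
}

# Usage on a node, as root: source this file, then run: check_pve_pairs
```

A MISMATCH on the `pve-root-ca` pair corresponds to the "CA certificate and CA private key do not match" error shown earlier in the thread; a MISMATCH on `pveproxy-ssl` corresponds to the original "failed to load local private key" symptom.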
 
Thank you for this information.
I will use the pvenode cert set command in the future.
 
