Cannot install SSL

Chris L.

Member
May 26, 2017
I am trying to replace the self-signed SSL at least for the GUI.
I have tried putting a chain of key&cert within the /etc/pmg/pmg-api.pem and then restarting with the command systemctl restart pmgproxy.
Before I even tried to login to the GUI I see the syslog throwing this error every few seconds:

Feb 4 13:39:37 pmg pmgproxy[27665]: /etc/pmg/pmg-api.pem: failed to load local private key (key_file or key) at /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 1699.

What am I missing here?
I tried both a wildcard SSL we have as well as LetsEncrypt (generated in another server temporarily).

Any help is much appreciated.
 
As this is a new install and I am reviewing the product I have done everything I could before asking in the forums.
Amongst others:
1) Restarted the server almost every time I was making a change
2) Removed the line from the /etc/hosts which was resolving the domain to the local IP (as suggested in another post)
3) Used a pre-issued LetsEncrypt to see if the problem was that initially I was using a proper but wildcard SSL

I am still getting the error :(
 
What does the created key+certificate file look like?
Code:
-----BEGIN PRIVATE KEY-----
BASE64DATA
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
BASE64DATA
-----END CERTIFICATE-----

should work
 
I am dealing with SSLs daily on Apache servers without issues.
Yes the /etc/pmg-api.pem file has the structure below.
It is those sections that I tried to replace using two types of certificates without luck.
I remind everyone that I was trying both restarting the pmgproxy as well as the whole server.
The actual restart pmgproxy command does not return an error.
It is the GUI that doesn't work and also the syslog (seen via a terminal) throws the above errors every few seconds.
Replacing the contents to the original content works fine (as self issued).
My guess is that simply changing the contents of /etc/pmg-api.pem and restarting the pmgproxy is not enough.

:(

What does the created key+certificate file look like?
Code:
-----BEGIN PRIVATE KEY-----
BASE64DATA
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
BASE64DATA
-----END CERTIFICATE-----

should work
 
In regards to the type of cert, our own is a Wildcard AlphaSSL CA - SHA256 - G2
But I also tried a LetsEncrypt (issued it on another server and then moved it to pmg)
Note: I have also installed WEBMIN on the pmg server. This is working fine with LetsEncrypt.
 
Also make sure that the combined key+cert has:
* mode 640
* group: www-data
(pmgproxy runs as www-data)
 
The SSL for the GUI is finally installed (File /etc/pmg/pmg-api.pem)
I had to include the CA intermediary SSL cert in the chain.
Cert+Key was simply not enough.

Now my question is:
Do I need to put the same contents into the /etc/pmg/pmg-tls.pem for the TLS purposes?
(I have done it already, I just need your reassurance that I am doing the correct steps)

And to finish with SSLs... do I need to enter our SSL data into any OTHER file?
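
Added example, not part of the thread and not the product's own code: a structural pre-check for a combined PEM file such as /etc/pmg/pmg-api.pem, covering the three points raised above (one private key block, the intermediate CA certificate included after the leaf, mode 640 with group www-data). The function names and the sample_block helper are hypothetical, the sample blocks are constructed placeholders, and the check looks only at PEM framing and file metadata, so it does not prove that the key matches the certificate; a lone certificate is reported because that was the failure in this thread, which means the default self-signed file is reported too.

```python
import base64
import grp
import os
import re
import stat

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def check_bundle(text):
    """Return structural problems found in a combined key+cert PEM text."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    if text.count("-----BEGIN ") != len(blocks):
        problems.append("a BEGIN line has no matching END line")
    for label, body in blocks:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label} block is not valid base64")
    labels = [label for label, _ in blocks]
    keys = sum(label in KEY_LABELS for label in labels)
    certs = labels.count("CERTIFICATE")
    if keys != 1:
        problems.append(f"expected 1 private key block, found {keys}")
    if certs == 0:
        problems.append("no CERTIFICATE block")
    elif certs == 1:
        # The fix reported in the thread: key + leaf certificate was not enough.
        problems.append("only 1 CERTIFICATE block: no intermediate CA certificate in the chain")
    return problems

def check_access(path, want_mode=0o640, want_group="www-data"):
    """Compare a file's mode and group with the values given in the thread."""
    st = os.stat(path)
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != want_mode:
        problems.append(f"mode is {mode:o}, expected {want_mode:o}")
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:  # gid has no name on this host
        group = str(st.st_gid)
    if group != want_group:
        problems.append(f"group is {group}, expected {want_group}")
    return problems

def sample_block(label):
    """Constructed placeholder PEM block; the body is not real key material."""
    body = base64.b64encode(label.encode() * 3).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
```

On the server, pass the file's text to check_bundle and its path to check_access before restarting pmgproxy; an empty list from both means the framing and permissions match what the thread describes.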