[SOLVED] Proxmox Mail Gateway 7.1-2 3 node Cluster Fingerprints out of sync

This problem keeps happening, and I can fix it, but it would be nice if it just didn't happen, or if there were a simple fix like pmgctl force-fingerprint --master_ip xxx.xxx.xxx.xxx from the child nodes. As it is, I have to manually open a text editor on the master node and copy / paste the child nodes fingerprint in there, and it will push out over the pmg tunnel service. Annoying and it keeps happening, I don't know what causes it.
 
This problem keeps happening, and I can fix it, but it would be nice if it just didn't happen, or if there were a simple fix like pmgctl force-fingerprint --master_ip xxx.xxx.xxx.xxx from the child nodes. As it is, I have to manually open a text editor on the master node and copy / paste the child nodes fingerprint in there, and it will push out over the pmg tunnel service. Annoying and it keeps happening, I don't know what causes it.
you can try (and read the manpage) on `pmgcm update-fingerprints` - this causes the masternode to connect to all nodes and gather their fingerprints and update the config file

if this does not resolve your issue - I'd check why the fingerprints keep changing?
 
you can try (and read the manpage) on `pmgcm update-fingerprints` - this causes the masternode to connect to all nodes and gather their fingerprints and update the config file

if this does not resolve your issue - I'd check why the fingerprints keep changing?
Thank you for your reply. I don't know how or why, but I forgot that command was available. I typed pmgcm and kept trying to use the pmgcm sync --master_ip 'xxx.xxx.xxx.xxx' I will try the update-fingerprints command next time. We think the fingreprints change when the pmg kernel updates, is that not correct? I will run that on the master node and update the status of it here. Thank you again for taking the time to answer.
Best Regards,
Bruce
 
We think the fingreprints change when the pmg kernel updates,
Not really - at least not by anything provided by PMG

one thing that could happen is that the certificate (and thus the fingerprint) changes at some point, but only gets reread after the reboot (which needs to be done for the new kernel) - but also in that case - nothing from PMG does automatically replace your certificate (short of the ACME renewal - but this also takes care of calling update-fingerprints)

put shortly - try to find out how/when/why the certificate (/etc/pmg/pmg-api.pem) changes on your system

ideas:
* some manually installed acme client (certbot, acme.sh)
* some configuration management system
* some other kind of cronjob or systemd-timer
 
We do use certbot to auto-renew ssl certs, but it doesn't change pmg-api.pem.
* which certificates does it change then? (only the postfix pmg-tls.pem?)
* maybe take a look at the config of certbot - and check the cert with openssl:
`openssl x509 -noout -text -in /etc/pmg/pmg-api.pem`
 
you can try (and read the manpage) on `pmgcm update-fingerprints` - this causes the masternode to connect to all nodes and gather their fingerprints and update the config file

I'm seeing the same problem as the OP so I tried the command above, yet:

Code:
root@proxmox01:/etc/pmg# pmgcm update-fingerprints
500 update fingerprints failed: unable to get remote node fingerprint from 'proxmox03': parsing failed

Any ideas? This is with pmg 8. Thanks!
 
Any ideas? This is with pmg 8. Thanks!
check that you've intstalled all updates - the issue should be fixed in pmg-api >=8.0.6

I hope this helps!
 
  • Like
Reactions: k4jh

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!