PBS Fingerprint

[Oasisnet77]

Hi all,
i have an Instance of PBS running backups for differents PVE
now I am attempting to test a disaster recovery creating a new PBS configured with same datastores of the old one and would like to use the same Fingerprint (and then the ip) so not to modify anything in PVE.
I found the Fingerprint of the old one but I can't find where to paste it in the new one
anybody knows where I can find the Fingerprint file?

thanks a lot
Emanuele

 

[mvs]

Fingerprint is not stored as a string. It is a sha256 hash of SSL certificate.
You can find certificate (proxy.pem) and corresponding private key (proxy.key) in /etc/proxmox-backup/ folder.

https://pbs.proxmox.com/wiki/index.php/HTTPS_Certificate_Configuration

 

[Oasisnet77]

many thanks for you reply
no I check it

 

[mvs]

To have same fingerprint on a new PBS server you need:

• copy proxy.pem and proxy.key files to your new PBS
• set permissions for this files
• restart proxy service

Execute following commands on your new PBS shell. oldpbs is IP-Address or name of your old PBS node.

scp oldpbs:/etc/proxmox-backup/proxy.pem /etc/proxmox-backup/proxy.pem
scp oldpbs:/etc/proxmox-backup/proxy.key /etc/proxmox-backup/proxy.key
chown root:backup /etc/proxmox-backup/proxy.pem /etc/proxmox-backup/proxy.key
chmod 640 /etc/proxmox-backup/proxy.pem /etc/proxmox-backup/proxy.key
systemctl reload proxmox-backup-proxy

 

[Oasisnet77]

great it works !!
thx a lot!

have a nice evening
bye

 

[WizzurdOfOdd]

great it works !!
thx a lot!

have a nice evening
bye

Hi all,
i have an Instance of PBS running backups for differents PVE
now I am attempting to test a disaster recovery creating a new PBS configured with same datastores of the old one and would like to use the same Fingerprint (and then the ip) so not to modify anything in PVE.
I found the Fingerprint of the old one but I can't find where to paste it in the new one
anybody knows where I can find the Fingerprint file?

thanks a lot
Emanuele

Just to check do you basically restore the the whole PBS with copying config files, if so, what folders and files do you backup? Im currently looking into the same

 

[cryptonym64]

Sorry to necro post, thought I'd share. If you set up ACME (Let's Encrypt) or use another means of creating TRUSTED certs, you can leave the fingerprint field blank on the clients. Just use the name (as supplied to create the cert) instead of IP address of the PBS. This won't work for the self-signed certs or if the clients do not trust the issuing cert authority.

 

[mram]

If you have an ACME cert and want to backup to a local IP don't forget to add a hosts entry to each node in your cluster. Instead of routing out over a public. This solves having to update the fingerprint when the cert renews.
/etc/hosts
10.0.0.123 pbs1.example.com pbs1

 

[spirit]

If you have an ACME cert and want to backup to a local IP don't forget to add a hosts entry to each node in your cluster. Instead of routing out over a public. This solves having to update the fingerprint when the cert renews.
/etc/hosts
10.0.0.123 pbs1.example.com pbs1

you don't need fingerprint with signed certificate from an authority (commercial or letsencrypt).

only self signed certificated need it

 

[cryptonym64]

If you have an ACME cert and want to backup to a local IP don't forget to add a hosts entry to each node in your cluster. Instead of routing out over a public. This solves having to update the fingerprint when the cert renews.
/etc/hosts
10.0.0.123 pbs1.example.com pbs1

My DNS is locally resolved on my unbound DNS resolver. No need for local hosts files and certainly not hitting public internet. I've not had an ACME failure, so will cross that bridge if I do. Thanks.