Backup to PBS failed. SSL certs verify fail

mailo95

Hello all,

I'm trying to use PBS in LXC, and everything is installed on top of a Debian 12 LXC (installed the proxmox-backup-server package) + an NFS mount as datastore, but after trying to back up from my PVE to PBS there is this error log:
Code:
INFO: starting new backup job: vzdump 103 --node pve --remove 0 --mode snapshot --notification-mode auto --notes-template '{{guestname}}' --storage pbs
INFO: Starting Backup of VM 103 (qemu)
INFO: Backup started at 2024-05-08 10:59:28
INFO: status = running
INFO: VM Name: pfSense
INFO: include disk 'scsi0' 'local-lvm:vm-103-disk-0' 30G
INFO: backup mode: snapshot
INFO: ionice priority: 7
INFO: creating Proxmox Backup Server archive 'vm/103/2024-05-08T07:59:28Z'
INFO: issuing guest-agent 'fs-freeze' command
INFO: issuing guest-agent 'fs-thaw' command
ERROR: VM 103 qmp command 'backup' failed - backup connect failed: command error: error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1889:
INFO: aborting backup job
INFO: resuming VM again
ERROR: Backup of VM 103 failed - VM 103 qmp command 'backup' failed - backup connect failed: command error: error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1889:
INFO: Failed at 2024-05-08 10:59:28
INFO: Backup job finished with errors
INFO: notified via target `mail-to-root`
TASK ERROR: job errors

I have the same wildcard self-signed SSL certs installed on both machines. I also noticed that after attaching the PBS in PVE there is a question mark and it can't determine the free space. For the backup, a new user was created on PBS with permissions only to the datastore used for backups.
 
Hi,
when configuring the PBS target in PVE, you can set a fingerprint that should be used to verify the certificate of PBS. You can get that fingerprint from the PBS dashboard. There should be a button in the summary pane that is called Show Fingerprint.
 
I already did that. If some details around my wildcard self-signed certs will help I can post some.
 
Seems like the fix is not yet contained in the qemu library; you'll need to wait for an update!
 
Had the same issue @mailo95 with my custom CA.
For me it helped to add the custom CA to trusted root certificates!

place the CA cert here:
/usr/local/share/ca-certificates/custom_ca.crt

execute:
update-ca-certificates
Thank you. This is still a valid solution if you're running custom certs.
 
Hi @Unsubtle9244
I have the same issue but I do not understand the
"
place the CA cert here:
/usr/local/share/ca-certificates/custom_ca.crt

"
Do you mean on PBS or on PVE?
Where do you take the CA cert: from the PBS or PVE?
And where is it?

Michel-André
 
The CA cert is locally available on PBS at the location below. My understanding is the CA cert is the same.

root@AAAA:~# ll /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 427554 Mar 12 12:07 /etc/ssl/certs/ca-certificates.crt
root@AAAA:~#

My issue got resolved once I updated the fingerprint in my remotes.
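
Added example (not code from the thread or from Proxmox): the replies above give two ways past `certificate verify failed`, pinning the PBS fingerprint on the PVE storage entry or adding the CA to the trust store. This Python script, run on the PVE node, reports which of the two the live PBS certificate satisfies. The storage ID `pbs` is taken from the log above; port 8007 and `/etc/pve/storage.cfg` are assumed defaults.

```python
import hashlib
import hmac
import re
import socket
import ssl


def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the DER certificate, as colon-separated lowercase hex."""
    digest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def configured_fingerprint(storage_cfg: str, storage_id: str):
    """Return the 'fingerprint' value of the 'pbs: <storage_id>' stanza, or None."""
    in_stanza = False
    for line in storage_cfg.splitlines():
        if line and not line[0].isspace():        # unindented line = new stanza header
            in_stanza = line.split() == ["pbs:", storage_id]
        elif in_stanza and line.split()[:1] == ["fingerprint"]:
            parts = line.split()
            return parts[1] if len(parts) > 1 else None
    return None


def same_fingerprint(a: str, b: str) -> bool:
    """Compare two SHA-256 fingerprints, ignoring case and separators."""
    x, y = (re.sub(r"[^0-9a-f]", "", fp.lower()) for fp in (a, b))
    return len(x) == 64 and hmac.compare_digest(x, y)


def diagnose(host, storage_id="pbs", cfg_path="/etc/pve/storage.cfg", port=8007):
    """Which trust path does the certificate served by host:port satisfy?"""
    # Path 1: pinned fingerprint. The certificate is fetched without verification.
    live = pem_fingerprint(ssl.get_server_certificate((host, port)))
    with open(cfg_path) as fh:
        pinned = configured_fingerprint(fh.read(), storage_id)
    # Path 2: chain and hostname validate against the system CA store,
    # which is what update-ca-certificates rebuilds.
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=host):
                ca_trusted = True
    except ssl.SSLCertVerificationError:
        ca_trusted = False
    return {"live": live, "pinned": pinned, "ca_trusted": ca_trusted,
            "pin_matches": pinned is not None and same_fingerprint(pinned, live)}
```

If `pin_matches` and `ca_trusted` are both false, the stored fingerprint is stale (for example after the certificate was replaced) and the CA is not in the node's trust store, so neither fix from the thread has actually taken effect on that node.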