SSL certificate from Windows CA

karnalta

New Member
Jan 25, 2024
Hello,

I am trying to put a custom SSL certificate for the WebUI generated from a Windows Server CA, but I keep getting an error:

Code:
/etc/pve/local/pveproxy-ssl.pem: failed to use local certificate chain (cert_file or cert) at /usr/share/perl5/PVE/APISe....

What I have done:

- Generated a RSA 2048 private key and a CSR using openssl from Proxmox host.
- Signed that CSR using the windows CA (using certreq.exe).
- Downloaded both *.cer files (CA and newly signed cert).
- Combined them into the same file to get the full chain cert (also tried without this step).
- Upload private key and cer file using the Proxmox webui.

I always end up with a bricked web ui and have to remove /etc/pve/local/pveproxy-ssl.pem and restart services.

Can I get more detailed info on the error? I don't know what is causing this 'failed to use ...'. The certificate looks good to me.

Thanks for your help.
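A pre-upload check for the steps listed above, added here as an example and not part of the original post or of Proxmox's own tooling. It runs on the Proxmox host with openssl (1.1.1 or newer assumed) and tests the three things that most often produce a "failed to use local certificate chain" at pveproxy: the certificate file not being PEM (Windows CAs commonly export DER-encoded .cer files), the key not belonging to the certificate, and a missing SAN for the hostname. Only the first certificate in a combined file is inspected, which is the one pveproxy pairs with the key, so the server certificate must come before the CA in a bundle. File paths and the hostname are arguments; nothing in it is taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: check a certificate/key pair the way
# pveproxy will use it, before uploading. Assumes openssl 1.1.1+ on the host.

# Normalise a certificate to PEM in $2. Windows CAs commonly export DER-encoded
# .cer files, while /etc/pve/local/pveproxy-ssl.pem must be PEM. Only the
# first certificate in a bundle is read, so the server cert must come first.
to_pem() {
    if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
        cp "$1" "$2"
    elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
        openssl x509 -in "$1" -inform DER -out "$2" -outform PEM
    else
        return 1
    fi
}

# 0 when the private key's public half equals the certificate's public key.
key_matches_cert() {
    cpub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# 0 when the certificate carries a DNS SAN exactly equal to $2.
# The -ext output is "DNS:a, DNS:b"; split on comma/space and match whole lines.
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ', ' '\n\n' | grep -qxF "DNS:$2"
}

# Run all checks on <cert> <key> <hostname>; the exit code names the failing check:
# 2 = unreadable/not PEM or DER, 3 = key does not match, 4 = no SAN for host.
check_pve_cert_pair() {
    cert="$1"; key="$2"; host="$3"
    pem=$(mktemp) || return 1
    rc=0
    if ! to_pem "$cert" "$pem"; then
        echo "FAIL: $cert is neither PEM nor DER" >&2; rc=2
    elif ! key_matches_cert "$pem" "$key"; then
        echo "FAIL: $key does not belong to $cert" >&2; rc=3
    elif ! cert_has_san "$pem" "$host"; then
        echo "FAIL: $cert has no SAN for $host" >&2; rc=4
    else
        echo "OK: $cert and $key are usable for $host"
    fi
    rm -f "$pem"
    return $rc
}

# Usage: sh check-cert.sh server.cer server.key pve01.example.test
if [ "$#" -eq 3 ]; then
    check_pve_cert_pair "$1" "$2" "$3"
fi
```

If the DER check is what fires, convert the file once with `openssl x509 -inform DER -in server.cer -out server.pem` and upload the PEM; the key/cert comparison is the same one `openssl verify` does not do for you, so it is worth running before pveproxy restarts on a broken pair.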
 
Hi,

Try to add the certificate again, then check the journal
Code:
journalctl -xe
for lines mentioning pveproxy, ssl, or certificate errors.
 
You don't need to include the CA unless you have intermediaries.

Maybe you're generating the cert request wrong. Are you requesting one with a SAN? What template are you using on the AD CA side?

I've included my PowerShell example of generating a CSR on Windows using OpenSSL:
PowerShell:
#Install latest Version of OpenSSL *Light* for Windows
#Install to OpenSSL /bin directory, not Windows System Directory
#https://slproweb.com/products/Win32OpenSSL.html

#Add OpenSSL to Machine Path using Powershell running as Admin (for initial setup)

$dirToAdd = 'C:\Program Files\OpenSSL-Win64\bin'
$path = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$pathArray = $path -split ';' | Where-Object { $_ }
if ($pathArray -notcontains $dirToAdd) {
    $newPath = ($pathArray + $dirToAdd) -join ';'
    [Environment]::SetEnvironmentVariable('Path', $newPath, 'Machine')
}

#create directories for storing csr and crt (for initial setup)
#the same variables are reused below so the key, csr and crt paths stay consistent

$csrDir = 'C:\certs\csr'
$crtDir = 'C:\certs\crt'
mkdir $csrDir
mkdir $crtDir

#create csr (key and csr are written to $csrDir)
#if you need multiple SAN in CSR (SAN should always contain primary CN per spec, otherwise browsers will warn):
#-addext 'subjectAltName=DNS:testbox.pve.contoso.com,DNS:testbox.contoso.com'

$hostname = 'testbox.pve.contoso.com'
openssl req -nodes -newkey rsa:2048 -sha256 -keyout "$csrDir\$hostname.key" -out "$csrDir\$hostname.csr" -subj "/CN=$hostname/emailAddress=it@contoso.com/OU=IT/O=Contoso Inc/L=Seattle/ST=WA/C=US" -addext "subjectAltName=DNS:$hostname"


#sign csr on Windows CA (submits the csr, writes the issued cert to $crtDir)

certreq -attrib 'CertificateTemplate:WebServer' "$csrDir\$hostname.csr" "$crtDir\$hostname.crt"

#Select the CA and click OK.
 
I don't have more information unfortunately.

Only the error mentioned in my first post.
 
My workflow seems pretty close to yours.

Code:
# Generate a key
openssl genrsa -out webuiCert.key 2048

# Generate a CSR
openssl req -new -key webuiCert.key -out webuiCert.csr -config cert.cfg -reqexts v3_req

# From windows powershell
certreq -attrib 'CertificateTemplate:WebServer' 'webuiCert.csr' 'webuiCert.crt'

cert.cfg content:
Code:
[ req ]
default_bits = 2048
prompt = no
days = 3650
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req

[ req_distinguished_name ]
countryName = xx
stateOrProvinceName = xxxx
localityName = xxxx
organizationName = xxxx
organizationalUnitName = Proxmox
commonName = Proxmox
emailAddress = xxxx@xxxx

[req_ext]
subjectAltName = @alt_names

[ v3_req ]
subjectAltName = @alt_names

[alt_names]
DNS.0 = localhost
DNS.1 = eb-px-01.xxx.local
IP.1 = 10.0.5.244
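To confirm that a config of this shape actually puts the SANs into the CSR before it goes to the Windows CA, here is an added example (not the poster's files or commands) that writes a cert.cfg with a `req_extensions` / `alt_names` section, generates the key and CSR with openssl, and reads the SAN entries back out of the CSR. It assumes openssl 1.1.1 or newer; the directory, CN, extra DNS name and IP are arguments, and the values used in the test are constructed sample data.

```shell
#!/bin/sh
# Added example, not the poster's config: build a CSR from an openssl config
# with a SAN section and verify the SANs in the CSR before submitting it.
# Assumes openssl 1.1.1+; CN, DNS and IP values below are arguments.

# Write cert.cfg into $1 and produce webui.key / webui.csr there.
# The CN is repeated as DNS.1 because clients match on SAN, not on CN.
make_csr() {
    dir="$1"; cn="$2"; extra_dns="$3"; ip="$4"
    cat > "$dir/cert.cfg" <<EOF
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
commonName = $cn
organizationalUnitName = Proxmox

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $cn
DNS.2 = $extra_dns
IP.1 = $ip
EOF
    openssl genrsa -out "$dir/webui.key" 2048 >/dev/null 2>&1 &&
        openssl req -new -key "$dir/webui.key" -out "$dir/webui.csr" \
            -config "$dir/cert.cfg" >/dev/null 2>&1
}

# Print each SAN in the CSR on its own line, e.g. "DNS:host" or "IP Address:10.0.5.244".
# The SAN values sit on the line after the "X509v3 Subject Alternative Name" header.
csr_sans() {
    openssl req -in "$1" -noout -text |
        sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# 0 when the CSR carries the given SAN entry exactly (e.g. "DNS:pve01.example.test").
csr_has_san() {
    csr_sans "$1" | grep -qxF "$2"
}

# Usage: sh make-csr.sh /tmp/csrwork pve01.example.test pve01.local 10.0.5.244
if [ "$#" -eq 4 ]; then
    make_csr "$1" "$2" "$3" "$4" && csr_sans "$1/webui.csr"
fi
```

If `csr_sans` prints nothing, the CA never saw a SAN and the issued certificate will not carry one either, whatever the WebServer template does; that check is cheaper than a round trip through certreq and a bricked web UI.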