Updating remotes fingerprint via command line

cholywell

Active Member
Dec 5, 2017
1
0
41
48
When the ssl cert for the remotes are updated the fingerprint needs updating in Datacenter Manager. I can do this with the UI but is there a way to update the fingerprints with the command line? I would like to automate this with Ansible. I have found proxmox-datacenter-manager-admin but can't seem to do anything with it.
 
you can either directly modify the config file in /etc/proxmox-datacenter-manager/remotes.cfg
or you can use

Code:
proxmox-datacenter-manager-admin remote update <id>
 
not (yet) using datacenter manager. and this is not backup but rather remote-migrate. acme has updated the cert and qm remote-migrategets a fingerprint error on the fingerprint produced by openssl x509 -in /etc/pve/nodes/[hostname]/pve-ssl.pem -noout -sha256 -fingerprint. so how do i cause that fingerprint to be updated. and why does acme not do this automagically?
 
There's got to be a better way of doing this. Imagine having lots of clusters and having to do this for each host every time you renew your cert. Now imagine you're using letsencrypt certs and you're automating the renewal. suddenly it all breaks and you have to manually go and update each fingerprint.

Ansible looks like an option but something built in would be a lot better. Is there no "The certificate changed for this server, verify it and if it's ok I'll use that fingerprint from now on"
 
actually, for the purpose of qm remote-migrate,
Code:
ssh $TARGET sudo pvenode cert info --output-format json | jq -r '.[2]["fingerprint"]'
seems to work well and be stable.
 
Now imagine you're using letsencrypt certs and you're automating the renewal. suddenly it all breaks and you have to manually go and update each fingerprint.
FWIW; if you're using Let's Encrypt (or other public certificate provider which are trusted by default on a system level by Debian), this isn't an issue.

Since these certificates are trusted on a system level, you can just remove the pinned fingerprint and Proxmox Datacenter Manager will then try to verify against the system certificate store.
 
FWIW; if you're using Let's Encrypt (or other public certificate provider which are trusted by default on a system level by Debian), this isn't an issue.

Since these certificates are trusted on a system level, you can just remove the pinned fingerprint and Proxmox Datacenter Manager will then try to verify against the system certificate store.
If I do that I get :

Code:
api error (status = 400: connection failed: Could not establish a TLS connection. Check whether the fingerprint matches or the certificate on the remote is valid.

For each node I do it to.