[SOLVED] After changeing pveproxycerts to owns (startssl) webinterface is no available anymore

[fireon]

Hello,

i've changed certs from pveproxy to my owns from startssl. I know yes, startssl is this time not trusted, but this is not a problem for internal sites, when you import the CA in the system or directly in the browser. Other websites are working fine.

I've changed it as described in wiki: https://pve.proxmox.com/wiki/HTTPS_...4.x_and_newer)#CAs_other_than_Let.27s_Encrypt
I put both certs (CA and Severcert) in one file (PEM). Copy the key and restart the proxy. In the log i see that the new certs are used. But webinterface is not available anymore.

I can solve the problem when i put only the servercert without the CA in the file pveproxy-ssl.pem. Then the webinterface is working again. But i think this is not really right.

The certfile is ok, i can open it with kleopatra or "view file". I see alle ca's and the servercert.

pve-manager/4.4-5/c43015a5 (running kernel: 4.4.35-2-pve)

Thanks a lot

 

[udo]

Hello,

i've changed certs from pveproxy to my owns from startssl. I know yes, startssl is this time not trusted, but this is not a problem for internal sites, when you import the CA in the system or directly in the browser. Other websites are working fine.

I've changed it as described in wiki: https://pve.proxmox.com/wiki/HTTPS_...4.x_and_newer)#CAs_other_than_Let.27s_Encrypt
I put both certs (CA and Severcert) in one file (PEM). Copy the key and restart the proxy. In the log i see that the new certs are used. But webinterface is not available anymore.

I can solve the problem when i put only the servercert without the CA in the file pveproxy-ssl.pem. Then the webinterface is working again. But i think this is not really right.

The certfile is ok, i can open it with kleopatra or "view file". I see alle ca's and the servercert.

pve-manager/4.4-5/c43015a5 (running kernel: 4.4.35-2-pve)

Thanks a lot

Hi,
is the cert-chain complete inside the file? Or show Kleopatra an file from the cert-store?

Udo

 

[fireon]

I copied the plaintext from ca an cert in one file. ViewFile show both in the window.

So after i rebootet the server vm's do not start anymore.

kvm: -vnc unix:/var/run/qemu-server/110.vnc,x509,password: Failed to start VNC server: Our own certificate /etc/pve/local/pve-ss
l.pem failed validation against /etc/pve/pve-root-ca.pem: The certificate hasn't got a known issuer

So i've copied the cert and key in this files:

/etc/pve/pve-www.key
/etc/pve/pve-root-ca.pem

Restart the whole server, but the VM's do not start. Same error.

I put the cert also in "/etc/ldap/ssl/" and say "dpkg-reconfigure ca-certificates". But this does alos not helped.

 

[udo]

Hi,
I would say, the cert-chain aren't right.

Udo

 

[fireon]

Ok, find the Error. On real cert i have to change all certs, really all. After this change VMs do start, Spice and VNC do working fine. But strange, after the beginn of my changes, no after change alle my certs, i got an error on VMstart and alle about 5 seconds in the syslog:

Jan 29 15:19:37 virtu01 pvestatd[7144]: ipcc_send_rec failed: File too large 
Jan 29 15:19:47 virtu01 pvestatd[7144]: ipcc_send_rec failed: File too large 
Jan 29 15:19:57 virtu01 pvestatd[7144]: ipcc_send_rec failed: File too large 
Jan 29 15:20:07 virtu01 pvestatd[7144]: ipcc_send_rec failed: File too large 
Jan 29 15:20:17 virtu01 pvestatd[7144]: ipcc_send_rec failed: File too large 
Jan 29 15:20:27 virtu01 pvestatd[7144]: ipcc_send_rec failed: File too large

but only on on of my two clusternodes.

 

[fireon]

After some time the message is gone away. And i've done some reboot's, also no errors. So i think it is ok.
Solved