[SOLVED] After changing pveproxy certs to my own (StartSSL) the web interface is not available anymore

fireon (Distinguished Member, joined Oct 25, 2010; Austria/Graz; deepdoc.at)
Hello,

I've changed the certs from pveproxy to my own from StartSSL. I know, yes, StartSSL is not trusted at this time, but this is not a problem for internal sites when you import the CA in the system or directly in the browser. Other websites are working fine.

I've changed it as described in the wiki: https://pve.proxmox.com/wiki/HTTPS_...4.x_and_newer)#CAs_other_than_Let.27s_Encrypt
I put both certs (CA and server cert) in one file (PEM), copied the key and restarted the proxy. In the log I see that the new certs are used. But the web interface is not available anymore.

I can solve the problem when I put only the server cert without the CA in the file pveproxy-ssl.pem. Then the web interface is working again. But I think this is not really right.

The cert file is OK, I can open it with Kleopatra or "view file". I see all CAs and the server cert.

pve-manager/4.4-5/c43015a5 (running kernel: 4.4.35-2-pve)

Thanks a lot
 
Hi,
is the cert chain complete inside the file? Or does Kleopatra show a file from the cert store?

Udo
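One way to answer that question from the shell, as an added example that is not part of this thread: the function below splits a PEM bundle such as /etc/pve/local/pveproxy-ssl.pem into its certificates, prints each subject and issuer, and checks that the first certificate (the server cert) chains to the ones that follow it. It assumes a POSIX sh and the openssl CLI; the bundle path is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a PEM bundle before
# restarting pveproxy. Assumes POSIX sh plus the openssl CLI.

# Split a PEM bundle into cert-1.pem, cert-2.pem, ... in $2 and print the count.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
    ls "$outdir"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# Return 0 if the first certificate chains to the remaining certificates
# in the bundle, 1 otherwise (including a bundle that holds only the leaf).
verify_pem_chain() {
    bundle="$1"
    work=$(mktemp -d)
    count=$(split_pem_bundle "$bundle" "$work")
    if [ "$count" -lt 2 ]; then
        echo "bundle has $count certificate(s); no CA/intermediate included" >&2
        rm -rf "$work"; return 1
    fi
    # Show who issued what, so a missing or out-of-order intermediate is visible.
    for c in "$work"/cert-*.pem; do
        openssl x509 -in "$c" -noout -subject -issuer
    done
    # Everything after the leaf is treated as the trust store for this check.
    : > "$work/cas.pem"
    i=2
    while [ "$i" -le "$count" ]; do
        cat "$work/cert-$i.pem" >> "$work/cas.pem"; i=$((i+1))
    done
    # -partial_chain: an intermediate in the bundle is enough, the root need not be present.
    if openssl verify -partial_chain -CAfile "$work/cas.pem" "$work/cert-1.pem"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}
```

Run it as `verify_pem_chain /etc/pve/local/pveproxy-ssl.pem` on the node; a non-zero exit before restarting pveproxy is cheaper than a dead web interface.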
 
I copied the plaintext from CA and cert into one file. ViewFile shows both in the window.

So after I rebooted the server, the VMs do not start anymore.
Code:
kvm: -vnc unix:/var/run/qemu-server/110.vnc,x509,password: Failed to start VNC server: Our own certificate /etc/pve/local/pve-ssl.pem failed validation against /etc/pve/pve-root-ca.pem: The certificate hasn't got a known issuer
So I've copied the cert and key into these files:
Code:
/etc/pve/pve-www.key
/etc/pve/pve-root-ca.pem
Restarted the whole server, but the VMs do not start. Same error.

I also put the cert in "/etc/ldap/ssl/" and ran "dpkg-reconfigure ca-certificates". But this also did not help.
 
OK, found the error. With a real cert I have to change all certs, really all. After this change the VMs do start, Spice and VNC are working fine. But strange: after the beginning of my changes, not after changing all my certs, I got an error on VM start and about every 5 seconds in the syslog:
Code:
Jan 29 15:19:37 virtu01 pvestatd[7144]: ipcc_send_rec failed: File too large 
Jan 29 15:19:47 virtu01 pvestatd[7144]: ipcc_send_rec failed: File too large 
Jan 29 15:19:57 virtu01 pvestatd[7144]: ipcc_send_rec failed: File too large 
Jan 29 15:20:07 virtu01 pvestatd[7144]: ipcc_send_rec failed: File too large 
Jan 29 15:20:17 virtu01 pvestatd[7144]: ipcc_send_rec failed: File too large 
Jan 29 15:20:27 virtu01 pvestatd[7144]: ipcc_send_rec failed: File too large
but only on one of my two cluster nodes.
 
After some time the message went away. And I've done some reboots, also no errors. So I think it is OK.
Solved :)