[SOLVED] After uploading a valid ssl-certificate the web-interface doesn't work any longer

[hape]

Hello all,

after i've uploaded a valid ssl-certificate via the certificate-page the web-interface doesn't work any longer. Prior there was a LE-certificate installed.

In /var/log/syslog i can see the following messages multiple times:

Sep  2 12:58:36 pmx-mg pmgproxy[1578]: worker exit
Sep  2 12:58:36 pmx-mg pmgproxy[1577]: worker exit
Sep  2 12:58:36 pmx-mg pmgproxy[989]: worker 1577 finished
Sep  2 12:58:36 pmx-mg pmgproxy[989]: starting 1 worker(s)
Sep  2 12:58:36 pmx-mg pmgproxy[989]: worker 1578 finished
Sep  2 12:58:36 pmx-mg pmgproxy[989]: worker 1580 started
Sep  2 12:58:36 pmx-mg pmgproxy[1579]: worker exit
Sep  2 12:58:36 pmx-mg pmgproxy[1580]: /etc/pmg/pmg-api.pem: failed to load local private key (key_file or key) at /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 1943.
Sep  2 12:58:36 pmx-mg pmgproxy[989]: worker 1579 finished
Sep  2 12:58:36 pmx-mg pmgproxy[989]: starting 2 worker(s)
Sep  2 12:58:36 pmx-mg pmgproxy[989]: worker 1581 started
Sep  2 12:58:36 pmx-mg pmgproxy[989]: worker 1582 started
Sep  2 12:58:36 pmx-mg pmgproxy[1582]: /etc/pmg/pmg-api.pem: failed to load local private key (key_file or key) at /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 1943.
Sep  2 12:58:36 pmx-mg pmgproxy[1581]: /etc/pmg/pmg-api.pem: failed to load local private key (key_file or key) at /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 1943.

Any idea what i can do now?

 

[Stoiko Ivanov]

did you upload the key as well? (then this should have worked...)

in any case - the simples version would be:
* make sure to backup /etc/pmg/pmg-api.pem (if you need it)
* `rm /etc/pmg/pmg-api.pem`
* `pmgconfig init`
* `systemctl restart pmgproxy`

this should give you a running web-interface with a self-signed certificate

I hope this helps!

 

[hape]

I have uploaded the intermediate/fullchain-certificate as well.

I have also have done that in the tls-section, and here it works as i see.

Is that fully wrong? Do i have to upload the cert in both parts together with the private key?

 

[Stoiko Ivanov]

if you have a new certificate based on a new key - you need to provide the key as well - if the certificate is based on the existing key it should be enough to just provide the certificate-chain (everything up to the something that is signed by a CA that is in your system store)

I hope this explains it

 

[hape]

Yes it does

Thanks a lot and have a nice day !!!

 

[pianoman82]

Hello!

Unfortunately I have the same problem. The SSL certificate was reissued and imported together with the privatekey. After the reboot, the web server is no longer accessible. The error message in the syslog:

/etc/pmg/pmg-api.pem: failed to load local private key (key_file or key) at /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 1899.

with this function i can restart the webserver but the problem is not solved.

* make sure to backup /etc/pmg/pmg-api.pem (if you need it)
* `rm /etc/pmg/pmg-api.pem`
* `pmgconfig init`
* `systemctl restart pmgproxy`

The version of proxmox is 7.2

what else can i do?

 

[Stoiko Ivanov]

Unfortunately I have the same problem. The SSL certificate was reissued and imported together with the privatekey.

How did you import certificate + key? using the GUI? (if not I'd suggest trying this as it orders the files correctly)

what kind of certificate and key is this?

 

[pianoman82]

Yes i import with the gui. It is an rapid ssl certificate with an 2048 bit rsa private key.

 

[Stoiko Ivanov]

Yes i import with the gui. It is an rapid ssl certificate with an 2048 bit rsa private key.

hm - maybe some small glitch while copy-pasting the certificate then

try:
* regenerating a selfsigned certificate `pmgconfig apicert -force 1`
* copy it (/etc/pmg/pmg-api.pem) to a backup-place
* upload your rapid ssl certificate via GUI - compare the 2 files - if they have the same structure

 

[pianoman82]

The problem could be solved. The private key was exported incorrectly. Thanks for the help.