backup failed: could not activate storage [..] error fetching datastores - fingerprint

[AlpsView]

Hi all

I have PBS running in a VM on PVE. On the PVE host I have pbs_backup_usb_8TB (a 8TB USB drive) connected and passed trough to PBS. Mounted in PBS. This setup was running fine.

3 days ago, i added a USB Stick to PVE, passing it trough to another VM, not PBS.

The next (and all subsequent) backup runs failed with the folling error message:

Jan 28 09:49:37 proxmox pvedaemon[6667]: could not activate storage 'pbs_backup_usb_8TB': pbs_backup_usb_8TB: error fetching datastores - fingerprint '38:F0:A1:16:F5:32:A95:A38:BF:1F:39:BA:FC:C7:BE:1E:28:C4:7FA:A0:81:27:30:0B:71:55:7A:BC:E4' not verified, abort!
Jan 28 09:49:37 proxmox pvedaemon[1211]: <root@pam> end task UPIDroxmox:00001A0B:00026698:6979CDA0:vzdump::root@pam: could not activate storage 'pbs_backup_usb_8TB': pbs_backup_usb_8TB: error fetching datastores - fingerprint '38:F0:A1:16:F5:32:A95:A38:BF:1F:39:BA:FC:C7:BE:1E:28:C4:7FA:A0:81:27:30:0B:71:55:7A:BC:E4' not verified, abort!
Jan 28 09:49:42 proxmox pvestatd[1186]: pbs_backup_usb_8TB: error fetching datastores - fingerprint '38:F0:A1:16:F5:32:A95:A38:BF:1F:39:BA:FC:C7:BE:1E:28:C4:7FA:A0:81:27:30:0B:71:55:7A:BC:E4' not verified, abort!

"Funny" thing is, that on the PVE Web Interace, pbs_backup_usb_8TB indeed is marked with a "?" and no metadata from the drive and the backup runs can be displayed.
However, in the PBS web interface, also after rebooting PBS and the whole PVE server, pbs_backup_usb_8TB is mounted and metadata is displayed, everything looks fine.
Also i compared the fingerprints from pbs_backup_usb_8TB in PBS and in the configuration of the datastore in PVE and they (still) are the same.

The logs gives no additional fingerpoints to what the problem is. The only correlation I have is with the USB stick. First i was thinking maybe the stick shifted port addresses on the USB Host somehow, but as the disks is passed trough and PBS seems to be fine with the disk, it must be something different.

Before I start removing and re-adding datastores on PVE (and maybe risking to lose something), I'd like to ask for your experience, if you have an idea, what could be going on here?

Thanks a lot!

 

[Chris]

Also i compared the fingerprints from pbs_backup_usb_8TB in PBS and in the configuration of the datastore in PVE and they (still) are the same.

Does the fingerprint match the one shown in the error log? Are you accessing the PBS trough a reverse proxy?

 

[AlpsView]

Yes, both fingerprints are identical.
No reverse proxy, Web UI is accessed directly.
There where no other changes than the added USD Stick on PVE as far as I know.

 

[AlpsView]

I was also thinking, the fingerprint could contain a hash of the USB address and the additional USB stick could have led to a shift in the usb addresses so the fingerprint if evaluated is not matching.
But then, the fingerprint seems to be created on PBS where the drive obv is mounted correctly, so there is no indication something with the fingerprint could have gone wrong (other than the error message )

 

[AlpsView]

Just to mention: In PVE UI the letters in the fingerprint are all showing lower case while in the PVE connection information the letters are shown upper case. However I think that was also the case before when it was working. Else than this, the fingerprints are the same. And assuming the letters represent hex values, caps shoudn't make any difference.

 

[Chris]

The fingerprint is the one of the TLS certificate on the PBS host, this has nothing to do with local storages. Check the output of proxmox-backup-manager cert info on the PBS host and compare it to openssl s_client -connect <your-PBS-host-IP>:8007 < /dev/null | openssl x509 -fingerprint -sha256 -noout executed on the PVE host. Also check the certificates lifetime. Are you using custom certificates or using the self-signed certificates from the PBS host?

 

[AlpsView]

> The fingerprint is the one of the TLS certificate on the PBS host,

Ah, i see, didn't know this and this then sounds as if it's the reason as the TLS cert has changed. This means, each time the cert is renew, the fingerprint becomes invalid. Good to know. And very hard to detect as in PBS there was no warning that the fingerprint of the configured backup storage doesn't match the new cert.

Thanks for pointing this out Chris, I will check how to update the fingerprint on PBS and change the configuration on PVE accoringly. I will report back.

 

[Chris]

Not sure if I understand exactly what you are trying to say, but if you are not using a self-signed certificate (e.g. provided by let's encrypt), you do not need to set the fingerprint at all.

 

[AlpsView]

Ah, okay. Now I think I fully get it.

Point is, when I first created the datastore, there was only the self-signed cert. So i used the fingerprint in the PVE configration.
Later i changed it to a letsencrytp cert. Interesstingly altought I did't change the configuration on the PVE host, it remained running without problem. Only a couple of days ago it broke.

I just removed the fingerprint from the PBS storage configuration in PVE and PVE sees the storage again. I will run a backup later on to check everything works fine, but I guess the problem is solved.

Thanks a lot for your support and the insights Chris!

 

[Chris]

Point is, when I first created the datastore, there was only the self-signed cert. So i used the fingerprint in the PVE configration.
Later i changed it to a letsencrytp cert. Interesstingly altought I did't change the configuration on the PVE host, it remained running without problem. Only a couple of days ago it broke.

Might the old certificate still have been in use? And only after a service restart picked up by the PBS? How did you set up the certificate, using the PBS tooling or manually?

 

[AlpsView]

Might the old certificate still have been in use?

Not that i was aware of. I replaced it a couple of times in the meantime using the UI.

And only after a service restart picked up by the PBS?

Since i use the same cert for the PVE too, i restart PVE after each cert renewel and then check in the browser PVE has picked up the right cert.

How did you set up the certificate, using the PBS tooling or manually?

I retrieved it outside PVE/PBS and configured manually in the PVE/PBS UI (uploading the related private key and fullchain).

 

[AlpsView]

Backup job ran fine again.