Broken Certs

horus

Active Member
May 12, 2020
Hi,

I have 7 hosts in proxmox cluster. On each I have my own CA and keys with certs signed by CA.

A couple of days ago I upgraded pve to the latest version.

(Reading database ... 56162 files and directories currently installed.)
Preparing to unpack .../00-idn_1.33-2.2_amd64.deb ...
Unpacking idn (1.33-2.2) ...
Preparing to unpack .../01-libpve-cluster-api-perl_6.1-8_all.deb ...
Unpacking libpve-cluster-api-perl (6.1-8) over (6.1-4) ...
Preparing to unpack .../02-libpve-cluster-perl_6.1-8_all.deb ...
Unpacking libpve-cluster-perl (6.1-8) over (6.1-4) ...
Preparing to unpack .../03-pve-cluster_6.1-8_amd64.deb ...
Unpacking pve-cluster (6.1-8) over (6.1-4) ...
Preparing to unpack .../04-libpve-access-control_6.0-7_all.deb ...
Unpacking libpve-access-control (6.0-7) over (6.0-6) ...
Preparing to unpack .../05-pve-firewall_4.1-2_amd64.deb ...
Unpacking pve-firewall (4.1-2) over (4.0-10) ...
Preparing to unpack .../06-libpve-common-perl_6.1-1_all.deb ...
Unpacking libpve-common-perl (6.1-1) over (6.0-17) ...
Preparing to unpack .../07-pve-container_3.1-4_all.deb ...
Unpacking pve-container (3.1-4) over (3.0-23) ...
Preparing to unpack .../08-qemu-server_6.1-20_amd64.deb ...
Unpacking qemu-server (6.1-20) over (6.1-7) ...
Preparing to unpack .../09-libpve-guest-common-perl_3.0-10_all.deb ...
Unpacking libpve-guest-common-perl (3.0-10) over (3.0-5) ...
Preparing to unpack .../10-libpve-storage-perl_6.1-7_all.deb ...
Unpacking libpve-storage-perl (6.1-7) over (6.1-5) ...
Preparing to unpack .../11-lxcfs_4.0.3-pve2_amd64.deb ...
Unpacking lxcfs (4.0.3-pve2) over (4.0.1-pve1) ...
Preparing to unpack .../12-lxc-pve_4.0.2-1_amd64.deb ...
Unpacking lxc-pve (4.0.2-1) over (3.2.1-1) ...
Preparing to unpack .../13-libproxmox-acme-perl_1.0.2_all.deb ...
Unpacking libproxmox-acme-perl (1.0.2) ...
Preparing to unpack .../14-proxmox-widget-toolkit_2.1-6_all.deb ...
Unpacking proxmox-widget-toolkit (2.1-6) over (2.1-3) ...
Preparing to unpack .../15-pve-i18n_2.1-1_all.deb ...
Unpacking pve-i18n (2.1-1) over (2.0-4) ...
Preparing to unpack .../16-pve-kernel-helper_6.1-9_all.deb ...
Unpacking pve-kernel-helper (6.1-9) over (6.1-8) ...
Preparing to unpack .../17-zstd_1.3.8+dfsg-3_amd64.deb ...
Unpacking zstd (1.3.8+dfsg-3) ...
Preparing to unpack .../18-pve-manager_6.1-11_amd64.deb ...
Unpacking pve-manager (6.1-11) over (6.1-8) ...

Since the upgrade my certs are purged every day, on each node.

Example from one node:
-rw-r----- 1 root www-data 1704 Apr 30 12:58 pve-ssl.key
-rw-r----- 1 root www-data 1724 May 10 09:31 pve-ssl.pem
and after purge:
-rw-r----- 1 root www-data 1704 Apr 29 14:21 pve-ssl.key
-rw-r----- 1 root www-data 0 May 12 04:04 pve-ssl.pem

Of course, when I write the certs again everything works great, but between 2:00 and 5:00 some process runs and purges the certs again.
 
Hi, if you want to use custom SSL certificates, please use pveproxy-ssl.pem and pveproxy-ssl.key instead of pve-ssl.key (and .pem),
as described in the documentation: https://pve.proxmox.com/wiki/Certificate_Management

The pve-ssl.key and .pem are managed by us and used for more than the web UI (e.g. SPICE tickets).
 
Since the upgrade my certs are purged every day, on each node.

And the reason it fails now is that we re-issue all certs signed by the internal cluster root CA that have a lifetime of more than two years, as most browsers enforce that now or soon. Since you replaced the internal root CA as well, the check for "is this cert owned by us" returned a false positive, thus triggering a re-sign with the shorter lifetime.