Can't add ProxmoxBackupServer after changed HTTPS certificate

nicedevil

Hi guys,

I have renewed my wildcard certificate on all my hosts (proxmox, host1, host2 and proxmox backup 1 and offsite backup 2). In case someone asks, I have a qdevice setup.

Now my backup storage is marked with a question mark.

I already removed it and re-added it with the freshly copied fingerprint and so on. What am I doing wrong?

On my offsite backup-server I get this message:

2023-02-28T21:43:43+01:00: TASK ERROR: remote connection to '10.0.78.5' failed - error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1914:

Same message on the PVE Host.

I already did this:

update-ca-certificates -f

And rebooted all backup servers or hosts for PVE.
 
Ok I fixed it by adding my ca-certificate to the /etc/ssl/certs folder and running this afterwards => update-ca-certificates -f
What I don't understand is, why I have to upload a fullchain cert and then do the manual step inside this folder?

On my fresh installation, that wasn't necessary.
 
On my fresh installation I just uploaded my cert via webui and now after renewing the cert I did the same, nothing more. That led to the error I got above.
 
I suppose you added the Proxmox Backup Server by copying its fingerprint? That is only necessary if you are using a self-signed certificate, or are accessing your PBS via IP address. The fingerprint of your PBS does change every time you update its certificate.

You seem to have a valid certificate for your domain, so you can leave the fingerprint-field empty.
 
That is correct, I added the fingerprint months ago, added the cert later and now renewed it.
Then I deleted the backup server's storage on my host and re-added it with the new fingerprint, also tested it without, was the same issue.

For me, I'm absolutely fine with the solution I provided above, but just wondering if there is another one doable with the webui for the future :)
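
Added example (not part of any post in this thread and not Proxmox code): a shell demo, using throwaway certificates, of the two behaviours discussed above: a certificate's SHA-256 fingerprint changes with every renewal, and chain verification fails until the issuing CA is among the trusted roots. It assumes the `openssl` CLI is installed; the CA names, the host name `pbs.example.internal` and all function names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway CAs and certificates in a temp dir; /etc/ssl is not touched.
set -eu

make_ca() {      # $1 = dir, $2 = CA name; writes $2.key and $2.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=Demo CA $2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

issue_cert() {   # $1 = dir, $2 = output file, $3 = validity in days; signed by $1/ca.pem
    [ -f "$1/server.key" ] || openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -subj "/CN=pbs.example.internal" \
        -out "$1/server.csr"
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days "$3" -out "$1/$2" 2>/dev/null
}

fingerprint() {  # SHA-256 over the whole certificate, the kind of value a pinned entry stores
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

chain_ok() {     # $1 = certificate, $2 = PEM file of trusted roots; prints yes or no
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

run_demo() {
    d=$(mktemp -d)
    make_ca "$d" ca        # the CA that issued the server certificate
    make_ca "$d" other     # stands in for a trust store that lacks that CA
    issue_cert "$d" old.pem 30
    issue_cert "$d" renewed.pem 60   # renewal: same key and name, new certificate
    echo "old fingerprint:      $(fingerprint "$d/old.pem")"
    echo "renewed fingerprint:  $(fingerprint "$d/renewed.pem")"
    echo "verifies, CA missing: $(chain_ok "$d/renewed.pem" "$d/other.pem")"
    echo "verifies, CA present: $(chain_ok "$d/renewed.pem" "$d/ca.pem")"
    rm -rf "$d"
}

run_demo
```

On a real host, the same `openssl x509 -noout -fingerprint -sha256` call against the installed certificate shows the value to compare with whatever fingerprint a client still has stored.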