Certificate issues after failed import

kawaklx650

Apr 19, 2019
Hi there,

it seems I made a BIG MISTAKE by not reading the manual properly before uploading custom certificates in the GUI. I'm very sorry about that. I really shot myself in the foot doing that...

I'm running a 2-node PVE cluster and tried to import self-signed certificates from a pfSense CA in the WebGUI on node 1. And something went wrong there. I cannot reach the GUI (node1) anymore and system.log shows:

Apr 19 16:38:02 pve1 pveproxy[1588]: worker 6347 started
Apr 19 16:38:02 pve1 pveproxy[6347]: /etc/pve/local/pveproxy-ssl.key: failed to load local private key (key_file or key) at /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 1683.
Apr 19 16:38:02 pve1 pveproxy[6320]: worker exit
Apr 19 16:38:02 pve1 pveproxy[1588]: worker 6320 finished

The cluster seems to be still running, I can access VMs on both nodes over the WebGUI from node2. The datacenter shows everything is working fine. But I can't access the certificate configuration on node1, it runs into timeout.

Because I definitely crashed something, I'm very afraid to reboot one of the nodes. Is there any chance to fix that certificate problem?
 
Hi,
you can try to force regeneration of the ssl certificates by running
Code:
pvecm updatecerts --force
systemctl restart pveproxy
on the node.
 
Thanks for your replies.

That didn't fix it. And I already found your documentation before I entered the forum; it says:

"Do not replace or manually modify the automatically generated node certificate files in /etc/pve/local/pve-ssl.pem and /etc/pve/local/pve-ssl.key or the cluster CA files in /etc/pve/pve-root-ca.pem and /etc/pve/priv/pve-root-ca.key."

That was the reason I was afraid of making more mistakes and decided to ask here for help :)

Replacing pveproxy-ssl.pem with the certificate of my internal CA did the trick. It seems I managed to crack that file for some reason. Now everything works without error messages. The HTTPS connection is still not trusted, but I will read the manuals now before doing weird stuff to the certificates again.
Thanks for your help to figure out the problem :)
 
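A pre-flight check for a custom certificate and key before they are copied to /etc/pve/local/pveproxy-ssl.pem and /etc/pve/local/pveproxy-ssl.key, given here as an added example that is not part of the thread or of Proxmox's own tooling. It assumes openssl is installed; check_pair and make_pair are hypothetical helper names, and the sample pairs are throwaway ones constructed on the spot.

```shell
#!/bin/sh
# Added example: verify a certificate/key pair before installing it for pveproxy.
# check_pair and make_pair are hypothetical helper names, not Proxmox commands.

# check_pair CERT KEY
# Returns 0 if the pair is usable, 2 if the key does not load,
# 3 if the certificate does not parse, 4 if they do not belong together.
check_pair() {
    cert=$1 key=$2
    # The key must load non-interactively; "-passin pass:" makes openssl fail
    # instead of prompting if the file needs a passphrase.
    openssl pkey -in "$key" -noout -passin pass: 2>/dev/null ||
        { echo "key does not load: $key"; return 2; }
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "certificate does not parse: $cert"; return 3; }
    # Compare the public key inside the certificate with the one derived
    # from the private key; they must be identical.
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$key" -pubout -passin pass: | openssl dgst -sha256)
    [ "$c" = "$k" ] || { echo "certificate and key do not match"; return 4; }
    echo "ok: $cert matches $key"
}

# make_pair PREFIX: constructed sample data, a throwaway self-signed pair
# written to PREFIX.pem and PREFIX.key (CN is a placeholder name).
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=pve1.example.test" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Demonstration on constructed files in a temporary directory.
tmp=$(mktemp -d)
make_pair "$tmp/a"
make_pair "$tmp/b"
check_pair "$tmp/a.pem" "$tmp/a.key"           # matching pair
check_pair "$tmp/a.pem" "$tmp/b.key" || true   # key from a different pair
rm -rf "$tmp"
```

On a node, the same function can be pointed at the files to be uploaded before touching anything under /etc/pve/local.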
