Certificate issues after failed import

Discussion in 'Proxmox VE: Installation and configuration' started by kawaklx650, Apr 19, 2019.

  1. kawaklx650

    kawaklx650 New Member

    Joined:
    Apr 19, 2019
    Messages:
    2
    Likes Received:
    1
    Hi there,

    it seems I did a BIG MISTAKE not reading the manual properly before uploading custom certificates in GUI, I'm very sorry about that. I really shot myself in the foot doing that...

    I'm running a 2 node PVE-Cluster and tried to import self-signed certificates from a pfsense-ca in WebGUI on node 1. And there something's gone wrong. I cannot reach the GUI (node1) anymore and system.log shows:

    Apr 19 16:38:02 pve1 pveproxy[1588]: worker 6347 started
    Apr 19 16:38:02 pve1 pveproxy[6347]: /etc/pve/local/pveproxy-ssl.key: failed to load local private key (key_file or key) at /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 1683.
    Apr 19 16:38:02 pve1 pveproxy[6320]: worker exit
    Apr 19 16:38:02 pve1 pveproxy[1588]: worker 6320 finished

    The cluster seems to be still running, I can access VMs on both nodes over the WebGUI from node2. The datacenter shows everything is working fine. But I can't access the certificate configuration on node1, it runs into timeout.

    Because I definitely crashed something, I'm very afraid to reboot one of the nodes. Is there any chance to fix that certificate problem?
     
  2. Chris

    Chris Proxmox Staff Member
    Staff Member

    Joined:
    Jan 2, 2019
    Messages:
    204
    Likes Received:
    22
    Hi,
    you can try to force regeneration of the ssl certificates by running
    Code:
    pvecm updatecerts --force
    systemctl restart pveproxy
    on the node.
     
    dkorzhevin likes this.
  3. Stoiko Ivanov

    Stoiko Ivanov Proxmox Staff Member
    Staff Member

    Joined:
    May 2, 2018
    Messages:
    1,106
    Likes Received:
    88
  4. kawaklx650

    kawaklx650 New Member

    Joined:
    Apr 19, 2019
    Messages:
    2
    Likes Received:
    1
    Thanks for your replies.

    That didn't fix it. And I already found your documentation before I entered the forum, it says:

    "Do not replace or manually modify the automatically generated node certificate files in /etc/pve/local/pve-ssl.pem and /etc/pve/local/pve-ssl.key or the cluster CA files in /etc/pve/pve-root-ca.pem and /etc/pve/priv/pve-root-ca.key."

    That was the reason I was afraid of doing more mistakes and decided to ask here for help :)

    Replacing pveproxy-ssl.pem with the certificate of my internal CA did the trick. It seems I managed to crack that file for some reason. Now everything works without error messages. The https-connection is still not trusted but I will read manuals now before doing weird stuff again to the certificates.
    Thanks for your help to figure out the problem :)
     
    dkorzhevin likes this.
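
Added example, not part of any post in this thread and not Proxmox code: a pre-flight check that a custom certificate and key load and belong together before pveproxy is restarted, which would catch both the "failed to load local private key" error from the log and a damaged pveproxy-ssl.pem. The function names and the demo certificate subject are hypothetical; the file paths in the usage comment are the ones named in the thread.

```shell
#!/bin/sh
# check_pair CERT KEY
# Return codes:
#   0  key loads and matches the certificate
#   1  private key cannot be loaded (the failure pveproxy logged above)
#   2  certificate cannot be parsed
#   3  both load, but the key does not belong to the certificate
check_pair() {
    cert=$1
    key=$2
    # "-passin pass:" supplies an empty passphrase so openssl never prompts;
    # a passphrase-protected key therefore counts as unloadable, since a
    # daemon cannot type one in.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    # Both commands print the public key as PEM SubjectPublicKeyInfo,
    # so a plain string comparison shows whether they are the same key.
    [ "$key_pub" = "$cert_pub" ] || return 3
    return 0
}

# make_demo_pair DIR
# Writes a constructed, throwaway self-signed pair (demo.pem, demo.key)
# into DIR so the check can be tried without touching /etc/pve.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=pve1.example.invalid" \
        -keyout "$1/demo.key" -out "$1/demo.pem" >/dev/null 2>&1
}

# Usage on a node, with the paths from the thread:
#   check_pair /etc/pve/local/pveproxy-ssl.pem /etc/pve/local/pveproxy-ssl.key \
#       && systemctl restart pveproxy
```

Running the check against the uploaded files first means a bad pair is reported with a specific return code instead of pveproxy workers exiting in a loop.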