Certificates for Web GUI

[toossivi]

Hello

I have a small silly question is there a way to have a selfsigned certificat like proxmoxnode.mydomain.loc together with proxmoxnode.mydomain.net . The .net is signed via letsencrypt (pveproxy-ssl.pem) and .loc (pve-ssl.pem) has been generated with my firewall. The cluster V 5.4 works perfectly when accessing the web UI via my proxmoxnode.domain.net i have the lock and the site is secured through letsencrypt. If i try proxmoxnode.domain.loc internally, the browser ask for security exception because the signed domain name remains proxmoxnode.domain.net. I add the exception then i can connect but that was not the goal. I precise that my selsigned certificate has the proper SAN and is valid and it has been added to the client (pvenode cert info) .
Is there a workaround to have these 2 certificates works simultaneously Internet / Local network?

Thanks even if my question is only cosmetics

 

[t.lamprecht]

Hi,

if its SAN lists both domains there should be no problem, we even support that with Let's Encrypt (setting alias for domains).
The browser could store such exceptions per domain, but that would be a bit weird.

 

[toossivi]

Thomas
This is the anonymised cert info so this should work?

+---------------------------------------------------------------------------------------------------------------+
¦ filename ¦ pve-root-ca.pem ¦
+-------------+-------------------------------------------------------------------------------------------------¦
¦ fingerprint ¦ ¦
+-------------+-------------------------------------------------------------------------------------------------¦
¦ subject ¦ /CN= CA mydomain.loc/C=FR/ST=Region/L=City/O=mydomain ¦
+-------------+-------------------------------------------------------------------------------------------------¦
¦ issuer ¦ /CN= CA mydomain.loc/C=FR/ST=Region/L=City/O=mydomain ¦
+-------------+-------------------------------------------------------------------------------------------------¦
¦ notbefore ¦ 2019-07-01 16:10:51 ¦
+-------------+-------------------------------------------------------------------------------------------------¦
¦ notafter ¦ 2024-06-28 16:10:51 ¦
+-------------+-------------------------------------------------------------------------------------------------¦
¦ san ¦ [] ¦
+---------------------------------------------------------------------------------------------------------------+
+---------------------------------------------------------------------------------------------------------------+
¦ filename ¦ pve-ssl.pem ¦
+-------------+-------------------------------------------------------------------------------------------------¦
¦ fingerprint ¦ ¦
+-------------+-------------------------------------------------------------------------------------------------¦
¦ subject ¦ /CN=mydomainpx1.mydomain.loc/C=FR/ST=Region/L=City/O=mydomain ¦
+-------------+-------------------------------------------------------------------------------------------------¦
¦ issuer ¦ /CN= CA mydomain.loc/C=FR/ST=Region/L=City/O=mydomain ¦
+-------------+-------------------------------------------------------------------------------------------------¦
¦ notbefore ¦ 2019-07-01 18:25:17 ¦
+-------------+-------------------------------------------------------------------------------------------------¦
¦ notafter ¦ 2024-06-28 18:25:17 ¦
+-------------+-------------------------------------------------------------------------------------------------¦
¦ san ¦ - mydomainpx1.mydomain.loc ¦
¦ ¦ - mydomainpx1 ¦
¦ ¦ - 10.33.19.3 ¦
¦ ¦ ¦
+---------------------------------------------------------------------------------------------------------------+
+---------------------------------------------------------------------------------------------------------------+
¦ filename ¦ pveproxy-ssl.pem ¦
+-------------+-------------------------------------------------------------------------------------------------¦
¦ fingerprint ¦ ¦
+-------------+-------------------------------------------------------------------------------------------------¦
¦ subject ¦ /CN=mydomainpx1.mydomain.fr ¦
+-------------+-------------------------------------------------------------------------------------------------¦
¦ issuer ¦ /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 ¦
+-------------+-------------------------------------------------------------------------------------------------¦
¦ notbefore ¦ 2020-05-18 03:15:36 ¦
+-------------+-------------------------------------------------------------------------------------------------¦
¦ notafter ¦ 2020-08-16 03:15:36 ¦
+-------------+-------------------------------------------------------------------------------------------------¦
¦ san ¦ - mydomainpx1.mydomain.fr ¦
+---------------------------------------------------------------------------------------------------------------+

 

[t.lamprecht]

OK, I just read your initial post a bit more closely. You have two certs in two files, and essentially overwrote an internal cert which is not advised.

Please read the following linked whole documentation section closely:
https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#sysadmin_certs_api_gui
Especially the warning:

Do not replace or manually modify the automatically generated node certificate files in /etc/pve/local/pve-ssl.pem and /etc/pve/local/pve-ssl.key or the cluster CA files in /etc/pve/pve-root-ca.pem and /etc/pve/priv/pve-root-ca.key.

Just use /etc/pve/local/pveproxy-ssl.pem (and /etc/pve/local/pveproxy-ssl.key), and have the SAN correctly there and it will work. If you the Proxmox VE let's encrypt integration you can specify multiple domains, or an "alias" (the latter only over CLI) if you want to access a node over multiple domains.

 

[toossivi]

Thank you

I knew that replacing the internal certificat was not advised but that was to overcome the issue with signing a non-standard TLD in my case .loc.
Alias is certainly a way but in my case it does not work as Letsencrypt would not let me issue the certificat see below their answer:
"no, that’s not possible. loc isn’t a public suffix (like .com, .de, .net, .eu, .us etc.). So the domain name isn’t unique"

When removing the letsencrypt certificat the internal certificate take over and i am secure on local network. ie https://10.33.19.3:8006
I could dream that for this particular case Proxmox could handle SNI to determine which certificate to present to the client

 

[t.lamprecht]

I knew that replacing the internal certificat was not advised but that was to overcome the issue with signing a non-standard TLD in my case .loc.

no, it's also then not advised or needed and wrong!

Alias is certainly a way but in my case it does not work as Letsencrypt would not let me issue the certificat see below their answer:
"no, that’s not possible. loc isn’t a public suffix (like .com, .de, .net, .eu, .us etc.). So the domain name isn’t unique"

Ah, yes - only saw now that the .loc was mean literally and is not an registered TLD.

I could dream that for this particular case Proxmox could handle SNI to determine which certificate to present to the client

Why do you even need a mix of an official TLD and a local non-registered TLD for the webinterface? What's the use case?

If you really need such a mix I'd move a (nginx) revers proxy in front of the webinterface, for one or both of those domains..
https://pve.proxmox.com/wiki/Web_Interface_Via_Nginx_Proxy

 

[toossivi]

Why do you even need a mix of an official TLD and a local non-registered TLD for the webinterface? What's the use case?

Well when in office why should i go to to the internet to access Proxmox UI, local access is safer and even better if the connection is secured trough a sign certificat. On the the other side the job i am doing take me quite often abroad so i need a secure access from the internet. You can object that i could use a VPN and i do have one but in case this is broken i must gain access to the infra directly.

If you really need such a mix I'd move a (nginx) revers proxy in front of the webinterface, for one or both of those domains..

That is really the direction i should follow and NGINX support SNI. I will give it a try in my lab. Thanks for the tip

 

[t.lamprecht]

Well when in office why should i go to to the internet to access Proxmox UI, local access is safer and even better if the connection is secured trough a sign certificat

Why not "just" resolve it to the local one at your work PC? Either with simple /etc/hosts, or maybe local DNS(masq) or your LAN DNS - this depends on how much is on that domain, but if it's strictly used for Proxmox VE and nothing in the office lab depends on connecting to this domain over the WAN it would be probably the more transparent solution, i.e., you do not need to care which specific domain you're going to use based on the fact where you work currently.