Cluster join error with LE certificates

[DerDanilo]

When trying to join a node to the master node it fails with the below error message. How can I force the join command to accept the other certificate? Currently it does not seem to be possible.

According to this line

cluster join failed: 500 Can't connect to MASTERIP:8006 (certificate verify failed)

if expects the IP to be listed as valid name in the other certificate. Since this is not possible with valid certificates I'd like to know an alternative using valid certificates.

Setup:
- 2 Nodes
- Both have valid LE certificates ( /etc/pmg/pmg-tls.pem and /etc/pmg/pmg-api.pem)
- HaProxy as frontend via https://IP:8443
- SSH password login denied for all EXCEPT IPs of cluster members (tested and working!)
- Firewall allows all communication between PMG IPs, no blocking
- rsync and scp tests between hosts work fine

root@pmg2:~# pmgcm join MASTERIP
Enter password: ************
The authenticity of host 'MASTERIP' can't be established.
X509 SHA256 key fingerprint is xyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxxyx.
Can't open join: No such file or directory at /usr/share/perl5/PVE/APIClient/LWP.pm line 149.
Can't open MASTERIP: No such file or directory at /usr/share/perl5/PVE/APIClient/LWP.pm line 149.
Use of uninitialized value $answer in pattern match (m//) at /usr/share/perl5/PVE/APIClient/LWP.pm line 151.
cluster join failed: 500 Can't connect to MASTERIP:8006 (certificate verify failed)
Are you sure you want to continue connecting (yes/no)?

Thanks in advance!

 

[ChFin]

Do the fingerprints in cluster.conf match the fingerprints of your current certificates?
EDIT: SSH Login without passwords possible? (authorized_keys)

 

[DerDanilo]

Do the fingerprints in cluster.conf match the fingerprints of your current certificates?

yes, they do.

SSH Login without passwords possible? (authorized_keys)

Yes it is, but not between nodes, as I didn't want to interfere with the setup process.
How is this connected to the "not valid" certificate? (Each node has it's own certificate since they have other host names.)

Since these are Let's Encrypt certificates I am afraid that the fingerprints change with every renewal. I am no advanced user regarding certificates though. I am aware of the part in the manual regarding chaning certificate fingerprints https://pmg1.domain.de:8006/pmg-docs/pmg-admin-guide.html#_change_certificate_for_cluster_setups

Would it work to use the self signed certificate for the 'http-api' and the LE for TLS and HaProxy frontend?

 

[DerDanilo]

I create self signed certificates and reset the cluster afterwards. Since the LE certificate is not important for the pmg-api.pem I can use a self signed certificate there.
HaProxy uses the pmg-tls.pem certificate and therefore has a valid certificate that is can present users.

It would be really nice if one could configure the URL including a custom port for the user frontend. We don't use ':8006' but ':8443' for the frontend and therefore the users "ticket url" links.

 

[tom]

...
It would be really nice if one could configure the URL including a custom port for the user frontend. We don't use ':8006' but ':8443' for the frontend and therefore the users "ticket url" links.

Check Admin Guide, chapter "4.6.2. Quarantine"

 

[DerDanilo]

Check Admin Guide, chapter "4.6.2. Quarantine"

Thanks! Could the port and protocol settings be added to the WEBUI? I am fine doing it in the config file, but having such options available in the GUI would be more straight forward for other users.

I am still having a question regarding the sync status. Is it supposed to continuously show "syncing" on any slave nodes?

 

[tom]

Thanks! Could the port and protocol settings be added to the WEBUI? I am fine doing it in the config file, but having such options available in the GUI would be more straight forward for other users.

Currently there is no GUI or this,.

I am still having a question regarding the sync status. Is it supposed to continuously show "syncing" on any slave nodes?

Asking once is enough, I already answered on your other post.

 

[DerDanilo]

Asking once is enough, I already answered on your other post.

Sorry, didn't see it. Auto refresh doesn't seem to work with this forum in Firefox.

 

[Juliano Silva]

Hello

I'm having problems too, after I change hostname and https, I receive the error below

cluster join failed: 500 Can not connect to MASTERIP: 8006 (certificate verify failed)


proxmox-mailgateway: 5.0-9 (API: 5.0-69/0617282d, running kernel: 4.13.16-1-pve)
pmg-api: 5.0-69
pmg-gui: 1.0-36
proxmox-spamassassin: 3.4.1-54
proxmox-widget-toolkit: 1.0-13
pve-kernel-4.13.16-1-pve: 4.13.16-45
pve-kernel-4.13: 5.1-43
pve-kernel-4.13.13-5-pve: 4.13.13-38
libpve-http-server-perl: 2.0-8
lvm2: 2.02.168-2
pve-firmware: 2.0-4
libpve-common-perl: 5.0-30
pmg-docs: 5.0-14
pve-xtermjs: 1.0-2
libarchive-perl: 3.2.1-1
libxdgmime-perl: 0.01-3
zfsutils-linux: 0.7.6-pve1~bpo9
libpve-apiclient-perl: 2.0-2
root@protection:~#

 

[stalker]

Change Certificate for Cluster Setups
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you change the API certificate of an active cluster node, you also
need to update the fingerprint inside the cluster configuration file
`cluster.conf`. It is best to edit that file on the master node.

To show the actual fingerprint use:

----
openssl x509 -in /etc/pmg/pmg-api.pem -noout -fingerprint -sha256

 

[DerDanilo]

Self signed cert for the API works perfectly fine. Since the fingerprint has to be configured on all hosts and the front-end can be hidden behind a reverse proxy with a valid LE cert.
I might publish my solution on GitHub if someone is interested.

 

[stalker]

LetsEncrypt works fine too.

Everything you need is this howto https://forum.proxmox.com/threads/cluster-join-error-with-le-certificates.41525/ and change fingerprint in cluster.conf.

 

[DerDanilo]

@proxmox Team
It would be awesome if you'd also add the LE Module in PMG that you implemented for PVE.

My only question is which SSL Cert Hash is required if all hosts have different certs. --> Not one cert but one per host. How does this work out?