Cluster join error with LE certificates

Discussion in 'Mail Gateway: HA Cluster' started by DerDanilo, Feb 19, 2018.

  1. DerDanilo

    DerDanilo Member
    Proxmox VE Subscriber

    Joined:
    Jan 21, 2017
    Messages:
    138
    Likes Received:
    6
    When trying to join a node to the master node it fails with the below error message. How can I force the join command to accept the other certificate? Currently it does not seem to be possible.

    According to this line
    Code:
    cluster join failed: 500 Can't connect to MASTERIP:8006 (certificate verify failed)
    it expects the IP to be listed as a valid name in the other certificate. Since this is not possible with valid certificates I'd like to know an alternative using valid certificates.

    Setup:
    - 2 Nodes
    - Both have valid LE certificates ( /etc/pmg/pmg-tls.pem and /etc/pmg/pmg-api.pem)
    - HaProxy as frontend via https://IP:8443
    - SSH password login denied for all EXCEPT IPs of cluster members (tested and working!)
    - Firewall allows all communication between PMG IPs, no blocking
    - rsync and scp tests between hosts work fine


    Code:
    root@pmg2:~# pmgcm join MASTERIP
    Enter password: ************
    The authenticity of host 'MASTERIP' can't be established.
    X509 SHA256 key fingerprint is xyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxxyx.
    Can't open join: No such file or directory at /usr/share/perl5/PVE/APIClient/LWP.pm line 149.
    Can't open MASTERIP: No such file or directory at /usr/share/perl5/PVE/APIClient/LWP.pm line 149.
    Use of uninitialized value $answer in pattern match (m//) at /usr/share/perl5/PVE/APIClient/LWP.pm line 151.
    cluster join failed: 500 Can't connect to MASTERIP:8006 (certificate verify failed)
    Are you sure you want to continue connecting (yes/no)? 
    Thanks in advance!
     
  2. ChFin

    ChFin Member
    Proxmox VE Subscriber

    Joined:
    Jan 30, 2018
    Messages:
    49
    Likes Received:
    10
    Do the fingerprints in cluster.conf match the fingerprints of your current certificates?
    EDIT: SSH Login without passwords possible? (authorized_keys)
     
    #2 ChFin, Feb 19, 2018
    Last edited: Feb 19, 2018
  3. DerDanilo

    DerDanilo Member
    Proxmox VE Subscriber

    Joined:
    Jan 21, 2017
    Messages:
    138
    Likes Received:
    6
    yes, they do.

    Yes it is, but not between nodes, as I didn't want to interfere with the setup process.
    How is this connected to the "not valid" certificate? (Each node has its own certificate since they have different host names.)

    Since these are Let's Encrypt certificates I am afraid that the fingerprints change with every renewal. I am no advanced user regarding certificates though. I am aware of the part in the manual regarding changing certificate fingerprints https://pmg1.domain.de:8006/pmg-docs/pmg-admin-guide.html#_change_certificate_for_cluster_setups

    Would it work to use the self signed certificate for the 'http-api' and the LE for TLS and HaProxy frontend?
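    ChFin's question in #2 (do the fingerprints in cluster.conf match the current certificates?) and the renewal concern in #3 can both be checked with a small script. This is an added example, not code from the thread or from Proxmox: the PEM body is a placeholder, the sample cluster.conf and its layout are constructed assumptions, and in practice you would read /etc/pmg/pmg-api.pem and /etc/pmg/cluster.conf instead.

```python
import base64
import hashlib
import re

# Constructed stand-in for /etc/pmg/pmg-api.pem: the base64 body decodes to
# b"abc", not a real DER certificate. The fingerprint logic is identical for a
# real certificate, so point it at the real file in practice.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed cluster.conf excerpt. The layout (a 'master:'/'node:' header with
# indented 'fingerprint <hex>' lines) is an assumed format, not copied from PMG.
SAMPLE_CLUSTER_CONF = """master: 1
        fingerprint BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD
        ip 192.0.2.10
        name pmg1

node: 2
        fingerprint 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
        ip 192.0.2.11
        name pmg2
"""

def pem_sha256_fingerprint(pem_text):
    """SHA256 over the DER bytes of the first CERTIFICATE block, formatted like
    `openssl x509 -noout -fingerprint -sha256` (upper-case hex, colon separated)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()))  # strip PEM line wrapping
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def stored_fingerprints(conf_text):
    """Map node name -> fingerprint recorded in cluster.conf (assumed layout)."""
    nodes, current = {}, None
    for line in conf_text.splitlines():
        if re.match(r"^(master|node):\s*\d+", line):
            current = {}          # start a new node section
            continue
        kv = re.match(r"^\s+(\w+)\s+(\S+)", line)
        if kv and current is not None:
            current[kv.group(1)] = kv.group(2)
            if kv.group(1) == "name":
                nodes[kv.group(2)] = current
    return {name: n.get("fingerprint", "").upper() for name, n in nodes.items()}

def check_node(conf_text, node_name, pem_text):
    """True when the certificate's current fingerprint equals the one cluster.conf
    holds for node_name; False once a renewal has replaced the certificate."""
    return stored_fingerprints(conf_text).get(node_name) == pem_sha256_fingerprint(pem_text)
```

A False result for a node whose certificate was just renewed is exactly the "certificate verify failed" situation the thread describes, and the stored fingerprint then has to be updated before a join will succeed.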
     
  4. DerDanilo

    DerDanilo Member
    Proxmox VE Subscriber

    Joined:
    Jan 21, 2017
    Messages:
    138
    Likes Received:
    6
    I created self-signed certificates and reset the cluster afterwards. Since the LE certificate is not important for pmg-api.pem I can use a self-signed certificate there.
    HaProxy uses the pmg-tls.pem certificate and therefore has a valid certificate that it can present to users.

    It would be really nice if one could configure the URL including a custom port for the user frontend. We don't use ':8006' but ':8443' for the frontend and therefore for the users' "ticket URL" links.
     
  5. tom

    tom Proxmox Staff Member
    Staff Member

    Joined:
    Aug 29, 2006
    Messages:
    12,669
    Likes Received:
    288
    Check Admin Guide, chapter "4.6.2. Quarantine"
     
  6. DerDanilo

    DerDanilo Member
    Proxmox VE Subscriber

    Joined:
    Jan 21, 2017
    Messages:
    138
    Likes Received:
    6
    Thanks! Could the port and protocol settings be added to the WEBUI? I am fine doing it in the config file, but having such options available in the GUI would be more straightforward for other users.

    I am still having a question regarding the sync status. Is it supposed to continuously show "syncing" on any slave nodes?
     
  7. tom

    tom Proxmox Staff Member
    Staff Member

    Joined:
    Aug 29, 2006
    Messages:
    12,669
    Likes Received:
    288
    Currently there is no GUI for this.

    Asking once is enough, I already answered on your other post.
     
  8. DerDanilo

    DerDanilo Member
    Proxmox VE Subscriber

    Joined:
    Jan 21, 2017
    Messages:
    138
    Likes Received:
    6
    Sorry, didn't see it. Auto refresh doesn't seem to work with this forum in Firefox.
     
  9. Juliano Silva

    Juliano Silva Member

    Joined:
    Oct 15, 2017
    Messages:
    135
    Likes Received:
    0
    Hello

    I'm having problems too: after I change the hostname and https, I receive the error below

    cluster join failed: 500 Can not connect to MASTERIP: 8006 (certificate verify failed)


    proxmox-mailgateway: 5.0-9 (API: 5.0-69/0617282d, running kernel: 4.13.16-1-pve)
    pmg-api: 5.0-69
    pmg-gui: 1.0-36
    proxmox-spamassassin: 3.4.1-54
    proxmox-widget-toolkit: 1.0-13
    pve-kernel-4.13.16-1-pve: 4.13.16-45
    pve-kernel-4.13: 5.1-43
    pve-kernel-4.13.13-5-pve: 4.13.13-38
    libpve-http-server-perl: 2.0-8
    lvm2: 2.02.168-2
    pve-firmware: 2.0-4
    libpve-common-perl: 5.0-30
    pmg-docs: 5.0-14
    pve-xtermjs: 1.0-2
    libarchive-perl: 3.2.1-1
    libxdgmime-perl: 0.01-3
    zfsutils-linux: 0.7.6-pve1~bpo9
    libpve-apiclient-perl: 2.0-2
    root@protection:~#
     