Cluster join error with LE certificates

DerDanilo

Well-Known Member
Jan 21, 2017
When trying to join a node to the master node it fails with the below error message. How can I force the join command to accept the other certificate? Currently it does not seem to be possible.

According to this line
Code:
cluster join failed: 500 Can't connect to MASTERIP:8006 (certificate verify failed)
it expects the IP to be listed as a valid name in the other certificate. Since this is not possible with valid certificates, I'd like to know an alternative using valid certificates.

Setup:
- 2 Nodes
- Both have valid LE certificates (/etc/pmg/pmg-tls.pem and /etc/pmg/pmg-api.pem)
- HaProxy as frontend via https://IP:8443
- SSH password login denied for all EXCEPT IPs of cluster members (tested and working!)
- Firewall allows all communication between PMG IPs, no blocking
- rsync and scp tests between hosts work fine


Code:
root@pmg2:~# pmgcm join MASTERIP
Enter password: ************
The authenticity of host 'MASTERIP' can't be established.
X509 SHA256 key fingerprint is xyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxxyx.
Can't open join: No such file or directory at /usr/share/perl5/PVE/APIClient/LWP.pm line 149.
Can't open MASTERIP: No such file or directory at /usr/share/perl5/PVE/APIClient/LWP.pm line 149.
Use of uninitialized value $answer in pattern match (m//) at /usr/share/perl5/PVE/APIClient/LWP.pm line 151.
cluster join failed: 500 Can't connect to MASTERIP:8006 (certificate verify failed)
Are you sure you want to continue connecting (yes/no)?

Thanks in advance!
 
Jan 30, 2018
Do the fingerprints in cluster.conf match the fingerprints of your current certificates?
EDIT: SSH Login without passwords possible? (authorized_keys)
 

DerDanilo

Well-Known Member
Jan 21, 2017
Do the fingerprints in cluster.conf match the fingerprints of your current certificates?
yes, they do.

SSH Login without passwords possible? (authorized_keys)
Yes it is, but not between nodes, as I didn't want to interfere with the setup process.
How is this connected to the "not valid" certificate? (Each node has its own certificate since they have different host names.)

Since these are Let's Encrypt certificates I am afraid that the fingerprints change with every renewal. I am no advanced user regarding certificates though. I am aware of the part in the manual regarding changing certificate fingerprints https://pmg1.domain.de:8006/pmg-docs/pmg-admin-guide.html#_change_certificate_for_cluster_setups

Would it work to use the self signed certificate for the 'http-api' and the LE for TLS and HaProxy frontend?
 

DerDanilo

Well-Known Member
Jan 21, 2017
I create self signed certificates and reset the cluster afterwards. Since the LE certificate is not important for the pmg-api.pem I can use a self signed certificate there.
HaProxy uses the pmg-tls.pem certificate and therefore has a valid certificate that it can present to users.

It would be really nice if one could configure the URL including a custom port for the user frontend. We don't use ':8006' but ':8443' for the frontend and therefore the users "ticket url" links.
 

tom

Proxmox Staff Member
Staff member
Aug 29, 2006
...
It would be really nice if one could configure the URL including a custom port for the user frontend. We don't use ':8006' but ':8443' for the frontend and therefore the users "ticket url" links.

Check Admin Guide, chapter "4.6.2. Quarantine"
 


Juliano Silva

Active Member
Oct 15, 2017
Hello

I'm having problems too, after I change hostname and https, I receive the error below

cluster join failed: 500 Can not connect to MASTERIP: 8006 (certificate verify failed)


proxmox-mailgateway: 5.0-9 (API: 5.0-69/0617282d, running kernel: 4.13.16-1-pve)
pmg-api: 5.0-69
pmg-gui: 1.0-36
proxmox-spamassassin: 3.4.1-54
proxmox-widget-toolkit: 1.0-13
pve-kernel-4.13.16-1-pve: 4.13.16-45
pve-kernel-4.13: 5.1-43
pve-kernel-4.13.13-5-pve: 4.13.13-38
libpve-http-server-perl: 2.0-8
lvm2: 2.02.168-2
pve-firmware: 2.0-4
libpve-common-perl: 5.0-30
pmg-docs: 5.0-14
pve-xtermjs: 1.0-2
libarchive-perl: 3.2.1-1
libxdgmime-perl: 0.01-3
zfsutils-linux: 0.7.6-pve1~bpo9
libpve-apiclient-perl: 2.0-2
root@protection:~#
 

stalker

Member
May 3, 2015
Change Certificate for Cluster Setups
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you change the API certificate of an active cluster node, you also
need to update the fingerprint inside the cluster configuration file
`cluster.conf`. It is best to edit that file on the master node.

To show the actual fingerprint use:

----
openssl x509 -in /etc/pmg/pmg-api.pem -noout -fingerprint -sha256
----
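Added example, not from the thread and not Proxmox code: a POSIX shell script that computes the SHA256 fingerprint of a pmg-api.pem the same way the openssl command quoted above does (SHA256 over the DER bytes, printed as colon-separated upper-case hex pairs) and compares it with the fingerprint recorded for that node in cluster.conf. A stale entry after a certificate change is exactly the mismatch the admin guide warns about. The cluster.conf layout assumed here (a `fingerprint` line and a `name` line in each `master:`/`node:` section), the node names, the IPs and the PEM body are constructed for the demo; on a real node call check_node with the paths of the actual files instead.

```shell
#!/bin/sh
# Added example (not from the thread or from Proxmox): verify that the SHA256
# fingerprint recorded for a node in cluster.conf matches the certificate that
# is actually installed as pmg-api.pem. A stale entry is what is left behind
# when the API certificate is replaced (or renewed) without editing the file.

# Same value as "openssl x509 -noout -fingerprint -sha256": SHA256 over the
# DER bytes, printed as colon-separated upper-case hex pairs. Only coreutils
# are used, so it also works on a host without the openssl binary.
cert_fingerprint() {   # usage: cert_fingerprint <pem file>
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
      | sed '/^-----/d' \
      | base64 -d \
      | sha256sum \
      | cut -d' ' -f1 \
      | tr 'a-f' 'A-F' \
      | sed 's/../&:/g; s/:$//'
}

# Fingerprint that cluster.conf stores for the node called $2.
# Assumed layout: every "master:"/"node:" section carries a "fingerprint"
# line and a "name" line (constructed here to mirror the thread).
conf_fingerprint() {   # usage: conf_fingerprint <cluster.conf> <node name>
    awk -v node="$2" '
        /^(master|node):/        { fp = ""; name = "" }
        $1 == "fingerprint"      { fp = $2 }
        $1 == "name"             { name = $2 }
        name == node && fp != "" { print fp; exit }
    ' "$1"
}

# Exit status 0 when the file and the certificate agree, 1 otherwise.
check_node() {   # usage: check_node <cluster.conf> <node name> <pem file>
    want=$(conf_fingerprint "$1" "$2")
    have=$(cert_fingerprint "$3")
    if [ -n "$want" ] && [ "$want" = "$have" ]; then
        echo "OK   $2: cluster.conf matches $3"
        return 0
    fi
    echo "FAIL $2: cluster.conf has '${want:-<none>}', certificate is '$have'"
    return 1
}

# Constructed stand-in for /etc/pmg/pmg-api.pem: the base64 body is filler,
# not a real certificate, so the script can run offline.
write_sample_cert() {   # usage: write_sample_cert <path>
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUQ2x1c3RlckpvaW5FeGFtcGxlMDAwMAoGCCqGSM49BAMC
MBExDzANBgNVBAMMBnBtZzEuZXgwHhcNMjQwMTAxMDAwMDAwWhcNMjUwMTAxMDAw
-----END CERTIFICATE-----
EOF
}

# Constructed cluster.conf: pmg1 carries the fingerprint passed in $2,
# pmg2 carries a stale value that no longer matches any certificate.
write_sample_conf() {   # usage: write_sample_conf <path> <fingerprint for pmg1>
    cat > "$1" <<EOF
master: 1
        fingerprint $2
        ip 192.0.2.10
        name pmg1

node: 2
        fingerprint 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
        ip 192.0.2.11
        name pmg2
EOF
}

# Walk-through: one node whose entry is current, one whose entry is stale.
demo() {
    dir=$(mktemp -d)
    write_sample_cert "$dir/pmg-api.pem"
    write_sample_conf "$dir/cluster.conf" "$(cert_fingerprint "$dir/pmg-api.pem")"
    check_node "$dir/cluster.conf" pmg1 "$dir/pmg-api.pem" && ok=0 || ok=1
    check_node "$dir/cluster.conf" pmg2 "$dir/pmg-api.pem" && stale=0 || stale=1
    rm -rf "$dir"
    [ "$ok" -eq 0 ] && [ "$stale" -eq 1 ]
}

demo
```

Running the script prints an OK line for pmg1 and a FAIL line for pmg2 that shows both values side by side, which is the information needed to update the stale entry on the master node. Because the fingerprint is computed from the DER bytes, a Let's Encrypt renewal (new key or not) always produces a new value, so a check like this belongs in whatever hook runs after renewal.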
 

DerDanilo

Well-Known Member
Jan 21, 2017
Self signed cert for the API works perfectly fine, since the fingerprint has to be configured on all hosts and the front-end can be hidden behind a reverse proxy with a valid LE cert.
I might publish my solution on GitHub if someone is interested.
 

DerDanilo

Well-Known Member
Jan 21, 2017
@proxmox Team
It would be awesome if you'd also add the LE Module in PMG that you implemented for PVE.

My only question is which SSL Cert Hash is required if all hosts have different certs. --> Not one cert but one per host. How does this work out?
 
