Cluster join error with LE certificates

DerDanilo
Jan 21, 2017
When trying to join a node to the master node it fails with the below error message. How can I force the join command to accept the other certificate? Currently it does not seem to be possible.

According to this line
Code:
cluster join failed: 500 Can't connect to MASTERIP:8006 (certificate verify failed)
it expects the IP to be listed as a valid name in the other certificate. Since this is not possible with valid certificates, I'd like to know an alternative using valid certificates.

Setup:
- 2 Nodes
- Both have valid LE certificates ( /etc/pmg/pmg-tls.pem and /etc/pmg/pmg-api.pem)
- HaProxy as frontend via https://IP:8443
- SSH password login denied for all EXCEPT IPs of cluster members (tested and working!)
- Firewall allows all communication between PMG IPs, no blocking
- rsync and scp tests between hosts work fine


Code:
root@pmg2:~# pmgcm join MASTERIP
Enter password: ************
The authenticity of host 'MASTERIP' can't be established.
X509 SHA256 key fingerprint is xyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxxyx.
Can't open join: No such file or directory at /usr/share/perl5/PVE/APIClient/LWP.pm line 149.
Can't open MASTERIP: No such file or directory at /usr/share/perl5/PVE/APIClient/LWP.pm line 149.
Use of uninitialized value $answer in pattern match (m//) at /usr/share/perl5/PVE/APIClient/LWP.pm line 151.
cluster join failed: 500 Can't connect to MASTERIP:8006 (certificate verify failed)
Are you sure you want to continue connecting (yes/no)?

Thanks in advance!
 
Do the fingerprints in cluster.conf match the fingerprints of your current certificates?
EDIT: SSH Login without passwords possible? (authorized_keys)
 
Do the fingerprints in cluster.conf match the fingerprints of your current certificates?
yes, they do.

SSH Login without passwords possible? (authorized_keys)
Yes it is, but not between nodes, as I didn't want to interfere with the setup process.
How is this connected to the "not valid" certificate? (Each node has its own certificate, since they have different host names.)

Since these are Let's Encrypt certificates, I am afraid that the fingerprints change with every renewal. I am no advanced user regarding certificates though. I am aware of the part in the manual regarding changing certificate fingerprints: https://pmg1.domain.de:8006/pmg-docs/pmg-admin-guide.html#_change_certificate_for_cluster_setups

Would it work to use the self signed certificate for the 'http-api' and the LE for TLS and HaProxy frontend?
 
I create self signed certificates and reset the cluster afterwards. Since the LE certificate is not important for pmg-api.pem, I can use a self signed certificate there.
HaProxy uses the pmg-tls.pem certificate and therefore has a valid certificate that it can present to users.

It would be really nice if one could configure the URL including a custom port for the user frontend. We don't use ':8006' but ':8443' for the frontend and therefore the users "ticket url" links.
 
...
It would be really nice if one could configure the URL including a custom port for the user frontend. We don't use ':8006' but ':8443' for the frontend and therefore the users "ticket url" links.

Check Admin Guide, chapter "4.6.2. Quarantine"
 
Check Admin Guide, chapter "4.6.2. Quarantine"
Thanks! Could the port and protocol settings be added to the WEBUI? I am fine doing it in the config file, but having such options available in the GUI would be more straight forward for other users.

I am still having a question regarding the sync status. Is it supposed to continuously show "syncing" on any slave nodes?
 
Hello

I'm having problems too. After I changed the hostname and https, I receive the error below:

cluster join failed: 500 Can not connect to MASTERIP: 8006 (certificate verify failed)


proxmox-mailgateway: 5.0-9 (API: 5.0-69/0617282d, running kernel: 4.13.16-1-pve)
pmg-api: 5.0-69
pmg-gui: 1.0-36
proxmox-spamassassin: 3.4.1-54
proxmox-widget-toolkit: 1.0-13
pve-kernel-4.13.16-1-pve: 4.13.16-45
pve-kernel-4.13: 5.1-43
pve-kernel-4.13.13-5-pve: 4.13.13-38
libpve-http-server-perl: 2.0-8
lvm2: 2.02.168-2
pve-firmware: 2.0-4
libpve-common-perl: 5.0-30
pmg-docs: 5.0-14
pve-xtermjs: 1.0-2
libarchive-perl: 3.2.1-1
libxdgmime-perl: 0.01-3
zfsutils-linux: 0.7.6-pve1~bpo9
libpve-apiclient-perl: 2.0-2
root@protection:~#
 
Change Certificate for Cluster Setups
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you change the API certificate of an active cluster node, you also
need to update the fingerprint inside the cluster configuration file
`cluster.conf`. It is best to edit that file on the master node.

To show the actual fingerprint use:

----
openssl x509 -in /etc/pmg/pmg-api.pem -noout -fingerprint -sha256
----
 
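The check the quoted docs describe (does the fingerprint stored in cluster.conf still match the certificate actually installed in /etc/pmg/pmg-api.pem?) is exactly what breaks after a Let's Encrypt renewal, and it is the first thing asked earlier in this thread. The script below is an added example, not code from the thread or from the PMG project: it computes the SHA-256 fingerprint of a PEM certificate the way `openssl x509 -noout -fingerprint -sha256` does (SHA-256 over the DER bytes, upper-case hex pairs joined by colons) and compares it with the fingerprint recorded for a node. Assumptions: cluster.conf uses the section-config layout shown in the sample (a `master:`/`node:` header followed by indented `key value` lines, one `fingerprint` per node, which also answers the "one cert per host" question); the sample PEM body is placeholder bytes, not a real certificate, and the sample cluster.conf omits the key material a real file carries. Standard library only, so it runs on any PMG node.

```python
# Added example (not from the forum thread or the PMG project): compare the
# SHA-256 fingerprint of a PEM certificate with the one stored in a
# PMG-style cluster.conf. Python 3 standard library only.
import base64
import hashlib
import re
import sys

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprint_sha256(pem_text: str) -> str:
    """SHA-256 over the DER bytes of the first certificate in `pem_text`,
    formatted as `openssl x509 -fingerprint -sha256` prints it:
    upper-case hex pairs joined by ':'."""
    match = PEM_CERT_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block in PEM input")
    der = base64.b64decode("".join(match.group(1).split()))
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_cluster_conf(text: str) -> dict:
    """Parse the assumed section-config layout of /etc/pmg/cluster.conf:
    a 'master: <name>' or 'node: <name>' header followed by indented
    '<key> <value>' lines. Returns {node_name: {key: value, ...}}."""
    nodes, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        header = re.match(r"^(master|node):\s*(\S+)\s*$", raw)
        if header:
            current = header.group(2)
            nodes[current] = {"type": header.group(1)}
            continue
        if current is None or not raw[0].isspace():
            raise ValueError(f"line outside any section: {raw!r}")
        key, _, value = raw.strip().partition(" ")
        nodes[current][key] = value.strip()
    return nodes


def check_node(cluster_conf: str, node_name: str, pem_text: str) -> str:
    """Return 'ok' when the stored fingerprint matches the certificate,
    'mismatch' when it is stale (e.g. an LE renewal that was never written
    back to cluster.conf) and 'missing' when the node or its fingerprint
    is absent. Casing is ignored: only the hash value matters."""
    stored = parse_cluster_conf(cluster_conf).get(node_name, {}).get("fingerprint")
    if not stored:
        return "missing"
    return "ok" if stored.upper() == pem_fingerprint_sha256(pem_text) else "mismatch"


# Constructed sample input. The body is placeholder base64 bytes, NOT a real
# certificate; the fingerprint arithmetic is the same for a real one.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBADCBqwIBATANBgkqhkiG9w0BAQsFADAOMQwwCgYDVQQDDANwbWcxMB4XDTI0\n"
    "-----END CERTIFICATE-----\n"
)


def build_sample_cluster_conf() -> str:
    """Constructed cluster.conf: pmg1's entry matches SAMPLE_PEM, pmg2's
    entry holds a stale fingerprint. Real files also carry key material."""
    current = pem_fingerprint_sha256(SAMPLE_PEM)
    stale = "AA:" * 31 + "AA"
    return (
        f"master: pmg1\n"
        f"    fingerprint {current}\n"
        f"    ip 192.0.2.10\n"
        f"    maxcid 2\n"
        f"\n"
        f"node: pmg2\n"
        f"    fingerprint {stale}\n"
        f"    ip 192.0.2.11\n"
    )


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # Real use: <cluster.conf path> <node name> <pmg-api.pem path>
        conf_path, node, pem_path = sys.argv[1:]
        with open(conf_path) as conf_file, open(pem_path) as pem_file:
            print(node, check_node(conf_file.read(), node, pem_file.read()))
    else:
        conf = build_sample_cluster_conf()
        for node in ("pmg1", "pmg2", "pmg3"):
            print(node, check_node(conf, node, SAMPLE_PEM))
```

Run without arguments it prints ok / mismatch / missing for the three sample nodes; with `cluster.conf`, a node name and `pmg-api.pem` as arguments (script name is your choice) it checks a real node. A `mismatch` after a renewal means the master's cluster.conf still pins the old certificate, which is what `pmgcm join` and the inter-node API calls verify against, so the fingerprint has to be updated there as the quoted docs say; a self-signed API certificate, as the thread settles on, simply never rotates on its own.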
Self signed cert for the API works perfectly fine, since the fingerprint has to be configured on all hosts and the front-end can be hidden behind a reverse proxy with a valid LE cert.
I might publish my solution on GitHub if someone is interested.
 
@proxmox Team
It would be awesome if you'd also add the LE Module in PMG that you implemented for PVE.

My only question is which SSL Cert Hash is required if all hosts have different certs. --> Not one cert but one per host. How does this work out?
 