Cluster sync failed (SSL certificate error)

Walhalla

Well-Known Member
Jan 26, 2018
51
4
48
54
Hi,
on the node we get the following error (administration interface) when trying to go on some configuration sites (Mailfilter, Configuration):

tls_process_server_certificate: certificate verify failed (596)

What we have changed: we changed the HTTPS-certificate (pmg-api.pem). Put in our own as described in the manual and is working.

Log slave:
Jan 29 08:38:07 pmgmirror[4232]: starting cluster syncronization
Jan 29 08:38:07 pmgmirror[4232]: fingerprint: ...
Jan 29 08:38:07 pmgmirror[4232]: database sync ' ***' failed - 500 Can't connect to xxx.xxx.xxx.xxx:8006 (certificate verify failed)
Jan 29 08:38:07 pmgmirror[4232]: cluster syncronization finished (1 errors, 0.32 seconds (files 0.00, database 0.19, config 0.14))

Log master:
Jan 29 08:47:26 pmgmirror[27048]: database sync ' ***' failed - DBD::pg::st execute failed: ERROR: duplicate key value violates unique constraint "localstat_time_key"#012DETAIL: Key ("time")=(1517202000) already exists. at /usr/share/perl5/PMG/Cluster.pm line 751.

It is a wildcard - certificate from COMODO. Webinterfaces working well (SSL secured) without any errors.
 

Attachments

  • pmg_sync_error.jpg
    pmg_sync_error.jpg
    18.9 KB · Views: 18
Last edited:
If you change the certificate when nodes are part of the cluster, you need to update the certificate fingerprint in /etc/pmg/cluster.conf.

To query the fingerprint use

# openssl x509 -in /etc/pmg/pmg-api.pem -noout -fingerprint -sha256
 
Last edited:
Log master:
Jan 29 08:47:26 pmgmirror[27048]: database sync ' ***' failed - DBD::pg::st execute failed: ERROR: duplicate key value violates unique constraint "localstat_time_key"#012DETAIL: Key ("time")=(1517202000) already exists. at /usr/share/perl5/PMG/Cluster.pm line 751.

This specific problem should be fixed with the latest updates.
 
Thanks for the answer. Just to be sure: will a change of the fingerprint solve the problem or doesnt it help and I have to wait for the update? Are this two different errors or do they depend on each other and only changing the fingerprint will not help with this version?

Thanks

Walhalla
 
you do not have to wait for the update, just install it via GUI.
(pmg-api_5.0-56_all.deb)

I assume you already configured your update repositories correctly or you even purchased a support key?
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!