Custom certificates upload

mdepasca

New Member
Sep 20, 2024
Hi,

I'm trying to create custom certs for my development Proxmox setup (Proxmox version 8.2.2).

I create the certs with the following script:

Code:
#!/bin/bash -f

# Root CA: 4096-bit key (passphrase protected by -des3) and self-signed certificate
openssl genrsa -des3 -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
# Node key and CSR; the SAN must also carry the IP the browser connects to, the CN alone is ignored by browsers
openssl genrsa -out 192.168.178.82.key 2048
openssl req -new -sha256 -key 192.168.178.82.key -subj "/C=IT/ST=GE/O=company/CN=192.168.178.82" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:*.local.box,IP:192.168.178.82")) -out 192.168.178.82.csr
# Sign with the CA; -extensions v3_req is needed, otherwise "x509 -req" ignores the [v3_req] section of -extfile
openssl x509 -req -extfile <(printf "[v3_req]\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.local.box,IP:192.168.178.82") -extensions v3_req -in 192.168.178.82.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out 192.168.178.82.crt -days 500 -sha256
# Convert CA cert and node key to PEM files with a .pem extension
openssl x509 -in rootCA.crt -outform PEM -out rootCA.pem
openssl rsa -in 192.168.178.82.key -outform PEM -out 192.168.178.82.key.pem


However, when I load the certs (192.168.178.82.key.pem and rootCA.pem) I get this error:
Code:
Secure Connection Failed

An error occurred during a connection to 192.168.178.82:8006. PR_END_OF_FILE_ERROR

I'm really unable to figure out what I'm doing wrong; can anyone give it a look and point me in the right direction?

Thanks in advance,

Mauro
 
Hi,

I reply to myself because I figured it out just after posting the message above: I was thinking I had to load both the CA and the site cert, being fooled by the cert page, where it is possible to see both PVE's default root CA and the site's SSL cert, with details about the exposed IP and domain name.

I was wrong and confused.

I put here what I've understood, for discussion and to be of help to anyone with the same issues:

Proxmox uses many certs; what I understood is that it uses one cert to protect the SSL connection between nodes, and one cert to expose the WEB GUI for each node.
Proxmox creates the web site certs on its own; it uses the internally configured rootCA chain for each node in the cluster.
It does this in a non-interactive way; for this reason the cert must NOT be password protected, so it can be used to issue new certificates by automation.
It is possible to customize both kinds of certs: the SSL one using the CLI, the WEB GUI one using the UI itself.
So, here are the main points:

  • Prepare the custom rootCA in PEM format; please be aware that just having PEM certs is not enough, the file extension must be .pem too.
    If needed, use openssl to convert to PEM:
    Code:
    openssl x509 -in <yourcert>.crt -outform PEM -out <yourcert>.crt.pem
    openssl rsa -in <yourcert>.key -outform PEM -out <yourcert>.key.pem

  • Be sure to remove the password from the rootCA key file; it can be done this way:
    Code:
    openssl rsa -in <yourcert>.key -out <yourcert>.unprotected.key
To set the SSL cert, access the CLI, e.g. by ssh into the Proxmox server; be sure to have the cert files loaded locally there too, then run the following command:
Code:
pvenode cert set <yourcert>.crt <yourcert>.key -force

In this way, you'll be able to configure the PVE node SSL certificate only.

To set up the WEB GUI certificate, you need to prepare the SITE cert yourself, respecting the recommendations above, plus:

  • Put the SITE cert together with the RootCA and, if any, the intermediate certs into a bundle.
    Please note that the order is relevant:
    Code:
    cat domain.crt.pem <intermediate.crt.pem> rootCA.pem > certs_bundle.pem
  • Be sure to convert the SITE key to PEM too:
    Code:
    openssl rsa -in domain.key -out domain.key.pem -outform PEM
  • On the WEB GUI, navigate to Datacenter->pve->Certificates and hit "Upload Custom Certificate"
    Into the "Certificate Chain" field load the certs_bundle file
    Into the "Private Key" field load the domain.key file
    Hit the Upload button; the UI will reload with your new certs.

I hope this would be of help to anyone.
 
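Below is an added end-to-end script that is mine, not from this thread or from Proxmox. It puts the points from both posts into practice: a root CA with an unencrypted key, a node certificate whose SAN carries the IP (and a name) the browser actually uses, the `-extensions` switch that `openssl x509 -req` needs to honour the `[v3_req]` section, a bundle assembled leaf-first/root-last, a non-interactive passphrase removal, and a `check_bundle` function that runs the sanity checks worth doing before hitting "Upload Custom Certificate" (unencrypted key, first cert in the bundle matches the key, IP present in the SAN, chain verifies as a TLS server chain). NODE_IP, NODE_NAME and the file names are assumed placeholders; only `openssl` and a POSIX shell are required.

```shell
#!/bin/sh
# Added example, not part of the forum thread: mint a private root CA and a node
# certificate, assemble the chain bundle in leaf -> root order, and run the
# checks worth doing before "Upload Custom Certificate". NODE_IP and NODE_NAME
# are assumed placeholder values; replace them with your node's address.
set -eu

NODE_IP="${NODE_IP:-192.168.178.82}"      # assumed: address typed into the browser
NODE_NAME="${NODE_NAME:-pve.local.box}"   # assumed: DNS name of the node
WORK="${WORK:-$(mktemp -d)}"              # scratch directory for keys and certs

# Root CA with an unencrypted key: nothing that uses it ever gets a passphrase prompt.
make_ca() {
    openssl genrsa -out "$WORK/rootCA.key" 4096 2>/dev/null
    # Minimal private config so the CA extensions do not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' 'x509_extensions = v3_ca' \
        '[dn]' 'CN = placeholder' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > "$WORK/ca.cnf"
    openssl req -x509 -new -key "$WORK/rootCA.key" -sha256 -days 1024 -config "$WORK/ca.cnf" \
        -subj "/C=IT/ST=GE/O=company/CN=company dev root CA" -out "$WORK/rootCA.pem"
}

# Node key, CSR and CA-signed certificate; then the bundle in the order the GUI expects.
make_node_cert() {
    openssl genrsa -out "$WORK/node.key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/node.key.pem" -config "$WORK/ca.cnf" \
        -subj "/C=IT/ST=GE/O=company/CN=$NODE_NAME" -out "$WORK/node.csr"
    # Browsers ignore the CN: the SAN must list the IP and/or name actually used.
    printf '%s\n' '[v3_req]' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature,keyEncipherment' 'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$NODE_NAME,IP:$NODE_IP" > "$WORK/node.ext"
    # -extensions names the section; without it "x509 -req" adds no extensions at all.
    openssl x509 -req -in "$WORK/node.csr" -CA "$WORK/rootCA.pem" -CAkey "$WORK/rootCA.key" \
        -CAcreateserial -extfile "$WORK/node.ext" -extensions v3_req -days 500 -sha256 \
        -out "$WORK/node.crt.pem" 2>/dev/null
    # Order matters: leaf first, then any intermediates, root last.
    cat "$WORK/node.crt.pem" "$WORK/rootCA.pem" > "$WORK/certs_bundle.pem"
}

# Remove a passphrase from a key non-interactively: strip_passphrase in.key pass out.key
strip_passphrase() {
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
}

# Pre-upload checks: check_bundle bundle.pem key.pem root.pem; returns 1 with a reason on failure.
check_bundle() {
    if grep -q ENCRYPTED "$2"; then
        echo "FAIL: private key is passphrase protected"; return 1
    fi
    # "x509 -in" reads only the first certificate: it must be the leaf that matches the key.
    if [ "$(openssl x509 -in "$1" -noout -pubkey)" != "$(openssl pkey -in "$2" -pubout)" ]; then
        echo "FAIL: first certificate in the bundle does not match the private key"; return 1
    fi
    if ! openssl x509 -in "$1" -noout -text | grep -q "IP Address:$NODE_IP"; then
        echo "FAIL: leaf SAN does not contain $NODE_IP"; return 1
    fi
    # Validate the leaf as a TLS server cert up to the root, using the bundle as the intermediates.
    openssl x509 -in "$1" -out "$WORK/leaf.pem"
    if ! openssl verify -purpose sslserver -CAfile "$3" -untrusted "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo "FAIL: chain in $1 does not verify against $3"; return 1
    fi
    echo "OK: $1 and $2 are ready for the Certificate Chain / Private Key fields"
}

make_ca
make_node_cert
check_bundle "$WORK/certs_bundle.pem" "$WORK/node.key.pem" "$WORK/rootCA.pem"
```

After a run, `$WORK/certs_bundle.pem` is what goes into the "Certificate Chain" field and `$WORK/node.key.pem` into the "Private Key" field; `$WORK/rootCA.pem` is the cert to import into the browser or OS trust store. Running `check_bundle` against a bundle with the root placed first, or against a passphrase-protected key, prints the reason and returns 1, which is the failure mode that produces an unusable upload.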