Custom private ACME CA

logopk

Member
May 15, 2021
Hello,

I am using a private CA that provides an ACME interface. I found that I can register and create certs from the CLI using

Code:
pvenode acme account register default xx@xx.com
pvenode config set --acme domains=mox.int
pvenode acme cert order --force

with a custom URL and setting the HTTPS_CA_FILE environment variable to my root-cert.

However, that is not working when requesting the certificate from the UI (and I guess also when auto-renewing):

Code:
Can't connect to myca.int (certificate verify failed)  SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed at /usr/share/perl5/LWP/Protocol/http.pm line 50

So far I have tried:

- putting my root-ca into /etc/ssl/certs and running c_rehash - curl works fine with that
- setting the env variable HTTPS_CA_FILE in /etc/profile.d/ca-env.sh (rebooted)

Where can I set environment variables that are honored by the pvedaemon, or is there another way to make it trust my private CA?

Thanks

Peter
 
Where can I set environment variables that are honored by the pvedaemon or another way to make him trust my private ca?
On Debian-based systems, adding the CA certificate file (its name needs to end in .crt) to /usr/local/share/ca-certificates and running `update-ca-certificates` should add it to the trust store on the system; check the manual page of `update-ca-certificates`.

You will need to restart the PVE daemons to have them read the trust store again (`systemctl restart pvedaemon pveproxy`).

I hope this helps!
 
Generated the ca-certificates exactly as you said and restarted pvedaemon and proxy.

Unfortunately that does not change anything in the ui when I order the certificate.
 
Hmm, does a connection using openssl work successfully (with certificate verification)?
`openssl s_client -connect myca.int:443`
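As an added example that is not part of the thread and not Proxmox's own tooling: a script that carries out the steps from the first reply (copy the root certificate into /usr/local/share/ca-certificates under a name ending in .crt, run update-ca-certificates, restart pvedaemon and pveproxy) and, before restarting, performs the openssl check from the follow-up reply against the system trust store rather than an ad-hoc CA file, so that a verification failure shows up as a non-zero exit. The script name, the /root/myca-root.pem path and the myca.int hostname are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example (not from the thread or from Proxmox): install a private ACME
# CA's root into the Debian trust store that pvedaemon/pveproxy use, verify the
# ACME endpoint against that store, then restart the daemons.
# Assumptions: the root certificate is in PEM form, the ACME CA serves TLS on
# port 443, and the path/hostname passed on the command line are placeholders.
set -eu

DEST_DIR=/usr/local/share/ca-certificates

# update-ca-certificates only picks up files in DEST_DIR whose name ends in
# .crt, so derive the destination name from the source file name.
dest_name() {
  base=$(basename "$1")
  case "$base" in
    *.crt)       printf '%s\n' "$base" ;;
    *.pem|*.cer) printf '%s.crt\n' "${base%.*}" ;;
    *)           printf '%s.crt\n' "$base" ;;
  esac
}

# The .crt suffix says nothing about the content: a file that is not PEM would
# not be usable in the store, so insist on a PEM certificate block first.
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

install_ca() {
  src=$1
  is_pem_cert "$src" || { echo "$src is not a PEM certificate" >&2; return 1; }
  install -m 0644 "$src" "$DEST_DIR/$(dest_name "$src")"
  update-ca-certificates
}

# Check the chain against the system store (what the Perl daemons will use),
# not against a hand-picked -CAfile. s_client exits 0 even when verification
# fails unless -verify_return_error is given.
verify_endpoint() {
  host=$1
  openssl s_client -connect "$host:443" -servername "$host" \
    -CApath /etc/ssl/certs -verify_return_error </dev/null >/dev/null
}

main() {
  src=$1
  host=$2
  install_ca "$src"
  verify_endpoint "$host"
  # The daemons load the trust store at startup, so restart them afterwards.
  systemctl restart pvedaemon pveproxy
}

# Usage: ./install-private-ca.sh /root/myca-root.pem myca.int
if [ "$#" -eq 2 ]; then
  main "$1" "$2"
fi
```

If verify_endpoint fails after update-ca-certificates has run, the problem is in the chain the ACME server presents (missing intermediate, wrong root) rather than in how the daemons pick up the store; that is the same distinction the `openssl s_client` check in the reply is meant to draw.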
 
Yes that works.

As I mentioned above, pvenode acme account register default needs the variable HTTPS_CA_FILE.
And as the error message contains code in http.pm, I assume this variable may also be necessary in the pvedaemon.
 
