Custom private ACME CA

[logopk]

Hello,

I am using a private CA that provides an ACME interface. I found that I can register and create certs from the CLI using

pvenode acme account register default xx@xx.com
pvenode config set --acme domains=mox.int
pvenode acme cert order --force

with a custom URL and setting the HTTPS_CA_FILE environment variable to my root-cert.

However that is not working when requesting the certificate from the UI (and I guess also when auto-renewing)

Can't connect to myca.int (certificate verify failed)  SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed at /usr/share/perl5/LWP/Protocol/http.pm line 50

So far I have tried:

- putting my root-ca into /etc/ssl/certs and running c_rehash - curl works fine with that
- setting the env variable HTTPS_CA_FILE in /etc/profile.d/ca-env.sh (rebooted)

Where can I set environment variables that are honored by the pvedaemon or another way to make him trust my private ca?

Thanks

Peter

 

[Stoiko Ivanov]

Where can I set environment variables that are honored by the pvedaemon or another way to make him trust my private ca?

on Debian-based systems adding the CA certificate file (needs to end in .crt) in /usr/local/share/ca-certificates and running `update-ca-certificate` should add it to the trust-store on the system - check the manual page of `update-ca-certificates`

you will need to restart the PVE daemons to have them read the trust-store again (`systemctl restart pvedaemon pveproxy`)

I hope this helps!

 

[logopk]

Generated the ca-certificates exactly as you said and restarted pvedaemon and proxy.

Unfortunately that does not change anything in the ui when I order the certificate.

 

[Stoiko Ivanov]

hmm - does a connect using openssl work successfully (with verifying the certificate)?:
`openssl s_client -connect myca.int:443`

 

[logopk]

Yes that works.

As I mentioned above pvenode acme account register default needs the variable HTTPS_CA_FILE.
And as the error message contains code in http.pm, I assume this varible may also necessary in the pvedaemon.

 

[Stoiko Ivanov]

As I mentioned above pvenode acme account register default needs the variable HTTPS_CA_FILE.

You can try to provide it via the systemd-service - see https://www.freedesktop.org/software/systemd/man/systemd.exec.html
(`systemctl edit pvedaemon.service`)

I'm just curious why this did not work - since I expected perl / LWP to trust the generated /etc/ssl/certs/ca-certificates.crt

I hope this helps!

 

[logopk]

[Service]
Environment="HTTPS_CA_FILE=/etc/ssl/certs/myca.pem"

solved this! Perfect Thank you!