Custom SSL Certificate Upload error

Aug 7, 2025
Hey all,

I am trying to upload a custom certificate to our 3 Nodes. I have successfully uploaded custom certificates to the Datacenter Manager and the Proxmox Backup Server, but the PVE nodes keep telling me:
400 Parameter verification failed.
certificates: invalid format - not a valid PEM-formatted string.
I am doing it the same way as with the PDM and PBS.
Got the Private Key that starts with
-----BEGIN PRIVATE KEY-----
and ends with
-----END PRIVATE KEY-----
in the Private Key (Optional) field, and my full certificate chain in the Certificate Chain Field:
Starting with:
Bag Attributes
localKeyID
friendlyName
subject
issuer
-----BEGIN CERTIFICATE-----
The CI Cert is first, then the chain with empty bag attributes from our local CA

I also tried some of the solutions I found in the forum already, but it does not work.
I get the same error via CLI:
root@proxmox01:~$ pvenode cert set proxmox01.pem proxmox01-key.pem
400 Parameter verification failed.
certificates: invalid format - not a valid PEM-formatted string.


I hope you guys can help me.
 
Hi, what do you get if you issue the command
openssl x509 -in proxmox01.pem -noout -text
 
Hi,
I am not sure if this output contains sensitive data, so I redacted a little bit; I hope that still works.

root@proxmox01:~# openssl x509 -in proxmox01.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:00:02:4d:84:76:d1:0c:f8:b1:ff:c6:48:[...]:02:4d:84
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC=de, DC=lra-ffb, DC=local, CN=Sub-CA-1
Validity
Not Before: Nov 7 11:19:14 2025 GMT
Not After : Nov 7 11:19:14 2027 GMT
Subject: CN=proxmox01
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
[REDACTED]
Exponent: 65537 (0x10001)
X509v3 extensions:
Microsoft certificate template:
0,.$+.....7....Y...e......-..2.....O......d...
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
Microsoft Application Policies Extension:
0.0
..+.......
X509v3 Subject Key Identifier:
FC:70:43:6A:8A:29:24:8B:E2:FE:80:[...]:91:CB:A2:0E:F4:63
X509v3 Subject Alternative Name:
DNS: proxmox01, DNS: proxmox01.local.lra-ffb.de
X509v3 Authority Key Identifier:
DD:CA:1B:85:53:E0:A0:27: D7:53:15[...]:E0:60:46:BA:7E:42
X509v3 CRL Distribution Points:
Full Name:
URI:ldap:///CN=Sub-CA-1,CN=PKISRV2,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=local,DC=lra-ffb,DC=de?certificateRevocationList?base?objectClass=cRLDistributionPoint

Authority Information Access:
CA Issuers - URI:ldap:///CN=Sub-CA-1,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=local,DC=lra-ffb,DC=de?cACertificate?base?objectClass=certificationAuthority
OCSP - URI:http://pkisrv3.local.lra-ffb.de/ocsp
Signature Algorithm: sha256WithRSAEncryption
Signature Value: [REDACTED]


(EDIT: removed the emojis and added a space to keep them away)
 
It could be more readable (and not display smileys) if you used CODE tags (these < / > from the menu above) - I'm writing it for future postings :).

I think I haven't run across fragments like
Microsoft certificate template:
0,.$+.....7....Y...e......-..2.....O......d...
in usual web certificates, but they may be quite OK as well, I don't know.

I'm afraid that without seeing all the files intact I'm not able to help. Of course I'm not suggesting you post them. Especially never share any private key.

What comes to my mind is the contents of the chain file... The command I posted above will not verify all of the certs in it. You would have to cut the file into particular certs. So without seeing it intact I can't check it.

But I think you can verify the files yourself using commands from
https://docs.acquia.com/acquia-cloud-platform/help/93661-verifying-validity-ssl-certificate

At least:

openssl rsa -inform PEM -in proxmox01-key.pem
openssl x509 -inform PEM -in proxmox01.pem

(repeat the second command for every cert cut from the chain)

openssl x509 -noout -modulus -in your_CN_cert.pem | openssl md5
openssl rsa -noout -modulus -in proxmox01-key.pem | openssl md5

openssl x509 -in your_CN_cert.pem -noout -pubkey
openssl rsa -in proxmox01-key.pem -pubout

Also, check the order of certs in the chain, as described in that page.

Edit: there is also the "verify" subcommand.

https://unix.stackexchange.com/questions/16226/how-can-i-verify-ssl-certificates-on-the-command-line

openssl verify cert.pem

and:

"If your "ca-bundle" is a file containing additional intermediate certificates in PEM format:"

openssl verify -untrusted ca-bundle cert.pem

"If your openssl isn't set up to automatically use an installed set of root certificates (e.g. in /etc/ssl/certs), then you can use -CApath or -CAfile to specify the CA."

Hope that helps.
 
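The cutting of the chain file into individual certificates and the per-certificate checks described in the last reply, as an added example that is not part of the thread. The function names and the cert-N.pem output names are assumptions, and it assumes the server certificate is the first block in the chain file, as the first post describes.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names and the
# cert-N.pem output names are assumptions made for illustration.

# Copy each CERTIFICATE block of chain file $1 to $2/cert-1.pem, cert-2.pem, ...
# Text outside the BEGIN/END markers (such as "Bag Attributes" lines) is
# not copied. Prints: "<certs found> <non-blank lines outside the blocks>".
split_pem_chain() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblk = 1 }
        inblk          { print > out }
        !inblk && NF   { extra++ }
        /^-----END CERTIFICATE-----/   { inblk = 0; close(out) }
        END            { print n + 0, extra + 0 }
    ' "$1"
}

# Run the openssl checks from the thread on the split files in $1:
# parse every cert and show subject/issuer so the chain order is visible,
# then compare the public key of cert-1.pem with that of private key $2.
check_chain() {
    for c in "$1"/cert-*.pem; do
        openssl x509 -inform PEM -in "$c" -noout -subject -issuer || return 1
    done
    cert_pub=$(openssl x509 -in "$1/cert-1.pem" -noout -pubkey) || return 1
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "private key matches cert-1.pem"
    else
        echo "private key does NOT match cert-1.pem"; return 1
    fi
}

# Usage (script name is an assumption): sh split-chain.sh proxmox01.pem proxmox01-key.pem
if [ "$#" -eq 2 ]; then
    dir=$(mktemp -d) || exit 1
    split_pem_chain "$1" "$dir" && check_chain "$dir" "$2"
fi
```

A second number greater than 0 in the output of split_pem_chain means the chain file contains text besides the PEM blocks themselves.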