Hi,
we created a distinct VLAN with private IPs (private even relative to the corporate LAN we have here). Now I would like to use this for cluster communication (pvecm add ...), but I cannot add nodes because of a certificate hostname error.
I noticed that in the X.509 certificate (generated by pvecm updatecerts) only one of the host IPs is included.
I found that /usr/share/perl5/PVE/Cluster/Setup.pm:838 contains:
my $local_ip_address = PVE::Cluster::remote_node_ip($nodename);
so only a single local IP address is supported. The function gen_pve_ssl_cert() also seems to work for single-IP hosts only (line 485:
$names .= ",IP:$ip";
). Similarly, it seems to be limited to a single FQDN. So on the one hand I think it is recommended to use a dedicated cluster sync network with dedicated IP addresses, but on the other hand it seems impossible to generate self-signed certificates for it.
What am I doing wrong?
PS: pvecm add --use_ssh=1 does work, but I would still have a wrong certificate that will surely create issues later.
I think this certificate must be compatible with the browser, so it is limited by Google's Requirements To Rule Us All, such as a limited lifetime of roughly a single year and so on, as one certificate is used for corosync links, pvecm commands and browser requests. Is this the case?
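The post quotes the line `$names .= ",IP:$ip";`, which appends exactly one IP SAN. The script below is an added example, not Proxmox code and not part of the post: it shows what a node certificate looks like when the subjectAltName carries the FQDN, the short hostname and every address the node answers on (management IP plus cluster-VLAN IP), and then runs the same check a TLS client performs, so the "hostname error" can be reproduced and ruled out offline. The throwaway CA stands in for the cluster CA only for the sake of the demo; the hostnames and addresses (pve1.example.internal, 192.0.2.11, 10.10.10.11) are constructed. It assumes the openssl command-line tool (1.1.0 or newer, for `-verify_ip`).

```shell
#!/bin/sh
# Added example (not Proxmox code): issue a node certificate whose
# subjectAltName lists the FQDN, the short hostname and *every* address
# the node answers on, then verify it against a given peer IP the way a
# TLS client does. Hostnames, IPs and the CA layout are constructed.
set -eu

# gen_cluster_ca DIR  -- a throwaway cluster CA for the demo (stand-in
# for the real cluster CA; not how Proxmox generates its own).
gen_cluster_ca() {
  dir=$1
  cat >"$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Cluster Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    >/dev/null 2>&1
}

# gen_node_cert DIR NODENAME FQDN IP...  -- builds one SAN entry per
# address given (the generalisation of the single ",IP:$ip" line quoted
# in the post) and signs a one-year server certificate with the demo CA.
gen_node_cert() {
  dir=$1; node=$2; fqdn=$3; shift 3
  san="DNS:$fqdn,DNS:$node"
  for ip in "$@"; do
    san="$san,IP:$ip"
  done
  cat >"$dir/$node.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $fqdn
[ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = $san
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/$node.cnf" \
    -keyout "$dir/$node.key" -out "$dir/$node.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$dir/$node.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$node.cnf" -extensions ext \
    -out "$dir/$node.pem" >/dev/null 2>&1
}

# cert_has_san CERT TEXT  -- true if TEXT (e.g. "IP Address:10.10.10.11")
# appears in the certificate's text dump.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

# cert_matches_ip CA CERT IP  -- chain + IP-SAN check; this is the check
# that produces a hostname/IP mismatch when the address is not in the SAN.
cert_matches_ip() {
  openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1
}

# Demo: pve1 has a management address and a separate cluster-VLAN address.
demo_dir=$(mktemp -d)
gen_cluster_ca "$demo_dir"
gen_node_cert "$demo_dir" pve1 pve1.example.internal 192.0.2.11 10.10.10.11
openssl x509 -in "$demo_dir/pve1.pem" -noout -text \
  | sed -n '/Subject Alternative Name/{n;p;}'
rm -rf "$demo_dir"
```

Run it as-is to print the resulting SAN line; `cert_matches_ip ca.pem pve1.pem 10.10.10.11` succeeds while any address missing from the list (for example 192.0.2.99) fails with an IP address mismatch, which is the class of error described in the post. Whatever tool ends up producing the real certificate, inspecting it with `openssl x509 -noout -text` and testing it with `openssl verify -verify_ip <cluster-VLAN IP>` is the quick way to confirm the cluster-network address is actually covered before re-running `pvecm add`.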