[SOLVED] Dedicated cluster sync IP does not appear in X.509 HTTPS API certificate

sdettmer

Sep 13, 2022
Hi,

we created a distinct VLAN with private IPs (even private for the corporate LAN we have here). Now I'd like to use this for cluster communication (pvecm add ...), but I cannot add nodes due to a certificate hostname error.
I noticed that in the X.509 certificate (generated by pvecm updatecerts) only one of the host IPs is included.

I found that /usr/share/perl5/PVE/Cluster/Setup.pm:838 contains:

my $local_ip_address = PVE::Cluster::remote_node_ip($nodename);

so there is only a single local IP address supported. Also the function gen_pve_ssl_cert() seems to work for single-IP hosts only (line 485: $names .= ",IP:$ip";). Similarly, it seems to be limited to a single FQDN.

So on the one hand I think it is recommended to use a dedicated cluster sync network with dedicated IP addresses, but on the other hand it seems impossible to generate self-signed certificates for it.

What am I doing wrong?

PS: pvecm add --use_ssh=1 does work, but I'd still have a wrong certificate that surely creates issues later.
I think this certificate must be compatible with the browser, so it is limited by Google's Requirements To Rule Us All, such as a limited lifetime of roughly a single year and so on, as one certificate is used for corosync links, pvecm commands and browser requests. Is this the case?
Just in case someone else wonders, I created my own test certificates using easyrsa:

Code:
EASYRSA_BATCH=1 EASYRSA_REQ_CN=pve-test ./easyrsa --subject-alt-name="IP:10.1.99.100,DNS:pve-test-100,DNS:pve-test-100.mydom.com,IP:172.31.99.100,DNS:pve-test-100.adm,IP:10.1.99.101,DNS:pve-test-101,DNS:pve-test-101.mydom.com,IP:172.31.99.101,DNS:pve-test-101.adm,...,IP:127.0.0.1,IP:0:0:0:0:0:0:0:1,DNS:localhost" gen-req pve-test nopass

EASYRSA_BATCH=1 ./easyrsa sign-req server pve-test

Ansible had trouble copying to /etc/pve/local/pveproxy-ssl.pem; apparently this file system has different semantics (chmod does not work as expected), so I had to first copy to dest: /root/ssl/ and then use a command: cp task. Finally I copied the CA cert to /usr/local/share/ca-certificates and ran command: update-ca-certificates (with changed_when: '"1 added" in result.stdout' and notify: restart pveproxy).

I think this probably is the correct solution.
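An added example, not the poster's easyrsa commands and not anything shipped by Proxmox: the same idea done with plain openssl, so the full subjectAltName list (management LAN IP, dedicated cluster VLAN IP, the DNS names and loopback) ends up in one node certificate, followed by a check that every entry really is in the SAN extension and that the leaf chains to the test CA. The node name, addresses and domain are the thread's own example values and are assumptions here; unlike the post, which put every node's names into one shared cert, this issues a certificate for a single node, and it writes the files as pveproxy-ssl.pem / pveproxy-ssl.key, the names the post installs into /etc/pve/local/, into a scratch directory instead of touching /etc/pve.

```shell
#!/bin/sh
# Added example (not the poster's easyrsa commands): build a test CA and one
# node certificate whose subjectAltName lists every IP and DNS name the node
# is reachable under, then verify the SAN contents with openssl.
# Node name, IPs and domain are assumed values taken from the thread.
set -eu

WORK="${1:-$(mktemp -d)}"      # scratch dir; never /etc/pve directly
NODE="pve-test-100"
# Management LAN, dedicated cluster VLAN, and loopback (assumed addresses).
SAN="IP:10.1.99.100,DNS:pve-test-100,DNS:pve-test-100.mydom.com,IP:172.31.99.100,DNS:pve-test-100.adm,IP:127.0.0.1,IP:0:0:0:0:0:0:0:1,DNS:localhost"

# gen_certs: create CA, node key/CSR, and sign the CSR with the SAN list.
gen_certs() {
  mkdir -p "$WORK"
  # Self-signed test CA (long-lived; it is a private root, not a leaf).
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=pve-test-ca"
  # Node key and CSR; CN is the short hostname, the real names live in SAN.
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$NODE.key" -out "$WORK/$NODE.csr" -subj "/CN=$NODE"
  # Extension file: a server certificate carrying the complete SAN list.
  cat > "$WORK/san.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $SAN
EOF
  # 365 days: browsers cap leaf lifetime at roughly a year, as the thread notes.
  openssl x509 -req -days 365 -in "$WORK/$NODE.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.cnf" -out "$WORK/$NODE.crt"
  # Leaf followed by the CA (chain) in the .pem, private key in the .key.
  cat "$WORK/$NODE.crt" "$WORK/ca.crt" > "$WORK/pveproxy-ssl.pem"
  cp "$WORK/$NODE.key" "$WORK/pveproxy-ssl.key"
  # Install on the node with cp (not a chmod-based copy; /etc/pve behaves
  # differently from a normal disk, as the post found), then restart pveproxy:
  #   cp pveproxy-ssl.pem pveproxy-ssl.key /etc/pve/local/ && systemctl restart pveproxy
}

# check_san CERT ENTRY: exit 0 if ENTRY (IP:x.x.x.x or DNS:name) is an exact
# element of the certificate's subjectAltName, 1 otherwise.
check_san() {
  cert="$1"; entry="$2"
  case "$entry" in
    IP:*)  needle="IP Address:${entry#IP:}" ;;   # openssl -text spelling
    DNS:*) needle="$entry" ;;
    *)     echo "unknown SAN type: $entry" >&2; return 2 ;;
  esac
  # -text prints the SAN on the line after its header, comma separated.
  openssl x509 -in "$cert" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^ *//' | grep -qxF "$needle"
}

# verify_chain CERT: succeed if CERT was issued by the test CA.
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null; }

gen_certs
for entry in $(printf '%s' "$SAN" | tr ',' ' '); do
  check_san "$WORK/pveproxy-ssl.pem" "$entry" || { echo "missing SAN: $entry" >&2; exit 1; }
done
verify_chain "$WORK/$NODE.crt"
echo "certificate and key written to $WORK"
```

check_san reads only the first certificate in pveproxy-ssl.pem, which is the leaf; the CA appended after it is what pveproxy serves as the chain. The negative case matters as much as the positive one: a cert that carries the management IP but not the cluster VLAN IP is exactly the situation the thread started from, and this check makes that visible before the cert is installed.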