External SSL in Proxmox

[wahmed]

Hello,
How can i install external SSL certificates such from Comodo into Proxmox? I found this Proxmox wiki http://pve.proxmox.com/wiki/HTTPSCertificateConfiguration but it talked about 3 files needed. I only have 2 which i got from Comodo ca.crt and bundle.crt. There is no PEM for me.
Can this comodo certificate be installed on Proxmox ?
Thanks!

 

[Cloudrck]

PEM is a format, I've seen them in .pem and .crt
https://support.ssl.com/index.php?/Knowledgebase/Article/View/19

I also have a Comodo SSL cert and the files are in PEM format.

The ca.crt and bundle.crt you received are most likely in PEM format.

If you see

-----BEGIN CERTIFICATE-----

in readable form than it's PEM

 

[wahmed]

Yep both of the file have ----Begin Certificate----- in them. So technically just renaming them will work.

Based on wiki here http://pve.proxmox.com/wiki/HTTPSCertificateConfiguration I need:

ca.crt
server.key
server.pem

From comodo i got:
mydomain.crt
bundle.crt

So which should be replaced/renamed with which? Is it:
ca.crt=mydomain.crt
server.key=?
server.pem=bundle.crt

 

[Cloudrck]

Yep both of the file have ----Begin Certificate----- in them. So technically just renaming them will work.

Based on wiki here http://pve.proxmox.com/wiki/HTTPSCertificateConfiguration I need:

ca.crt
server.key
server.pem

From comodo i got:
mydomain.crt
bundle.crt

So which should be replaced/renamed with which? Is it:
ca.crt=mydomain.crt
server.key=?
server.pem=bundle.crt

Your server key is the file that is generated by openssl when you create a CSR. Did you do that on your own server? It should be there.

 

[wahmed]

The CSR was originally created by my website hosting service. Since thats where mydomain.com is registered. I purchased Wildcard SSL to cover any subdomain since my LAN platform is also has same mydomain.com. All my local nodes are xxxxxx.mydomain.com. I imagined the purchased wildcard domain should cover all local subdomains(local servers) and website subdomains.

 

[Cloudrck]

It's irrelevant where your domain is registered. You could have generated a CSR on your own computer.

 

[wahmed]

So i have successfully installed external SSL from Comodo on all nodes. I can connect to all nodes using https://mydomain.com:8006 and it shows valid certificate information. But when i try to open VM using Console or SPICE nothing works any more. I keep getting TLS Handshake failed javax.net.ssl.SSLHandshakeException..... error. How can i turn back time or get rid of this error? This appear to happen on all nodes.

 

[Cloudrck]

So i have successfully installed external SSL from Comodo on all nodes. I can connect to all nodes using https://mydomain.com:8006 and it shows valid certificate information. But when i try to open VM using Console or SPICE nothing works any more. I keep getting TLS Handshake failed javax.net.ssl.SSLHandshakeException..... error. How can i turn back time or get rid of this error? This appear to happen on all nodes.

First run your domain and port (domain.com:8006) http://www.sslshopper.com/ssl-checker.html

Replace the files with the original files you should have backed up.

Do you have clusters? Did you update the nodes/* files?

 

[wahmed]

SSL Checker checks out validity for the domain with one error

[h=3]The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. You can fix this by following Comodo's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.[/h]

Seems to me the Intermediate Certificate causing all these issue. I think i skipped the Intermediate Certificate portion in the wiki:
http://pve.proxmox.com/wiki/HTTPSCertificateConfiguration

cat server.pem intermediate_certificate.pem > /etc/pve/local/pve-ssl.pem
cat intermediate_certificate.pem ca.pem > /etc/pve/pve-root-ca.pem

I received 2 files from Comodo
1. mydomain.crt
2. bundle.crt

By following the wiki :
mydomain.crt = pve-ssl.pem
rsa-key = pve-ssl.pem
bundle.ca = pve-root-ca.pem

Intermediate Certificate portion calls for server.pem, intermediate_certificate.pem, ca.pem. Where do i find those? I know i am missing something here.

 

[mir]

https://support.comodo.com/index.php?_m=downloads&_a=viewdownload&downloaditemid=122&nav=0,1

 

[wahmed]

https://support.comodo.com/index.php?_m=downloads&_a=viewdownload&downloaditemid=122&nav=0,1

I have downloaded the Intermediate certificate and it completely broke the SSL and wont even login to the WebGUI.

Looking through the wiki, i have realized i made a grave mistake. I actually replaced the ca.pem under /etc/pve in all nodes. The wiki said do it only on one node. I know it is a quite a mess. Is there any way i can recreate self-signed SSL certificate and start from the beginning?

 

[dietmar]

I actually replaced the ca.pem under /etc/pve in all nodes.

It is a distributed, replicated file system, so you always replace the same file.

The wiki said do it only on one node. I know it is a quite a mess.

should be no problem at all.

Is there any way i can recreate self-signed SSL certificate and start from the beginning?

# pvecm updatecerts --force

(not sure if the ca is replaced - maybe you need to delete it first).

 

[wahmed]

I replaced all cert using #pvecm updatecerts and restarted whole SSL installation process.

I can login WebGUI and the browser seems to show valid certificate. SSL Checker still says Intermediate chain is not correct and not browseable by all browser. I tried to install Comodo Intermediate SSL into Proxmox using the wiki Intermediate Certificate section. If i follow the wiki to the letter, it breaks the SSL completely and WebGUI becomes unusable with SSL Connection error. After replacing SSL with valid one WebGUI works fully but now if i click on SPICE for a VM it downloads nothing. If i try Console the console pops gives this error.

Error input too long - aborting (500)

Any clue?

 

[wahmed]

Finally!! Got the SSL working.
Strangest thing using the cat command in wiki http://pve.proxmox.com/wiki/HTTPSCertificateConfiguration was the causing issue.

I opened a GUI text editor, did copy/paste all certs individually into pve-ssl.pem and pve-root-ca.pem. After restarting pveproxy and pvedaemon SSL worked completely. SSL Checker could see the chain of Intermediate certs and the SPICE config started downloading again.
I know it is very odd that cat command did not work. But i do not have any explanation.

To sum it up this is what i did:

1. # cp /etc/pve/local/pve-ssl.pem /etc/pve/local/pve-ssl.pem.bak
2. # cp /etc/pve/local/pve-ssl.key /etc/pve/local/pve-ssl.key.bak
3. # cp /etc/pve/pve-root-ca.pem /etc/pve/pve-root-ca.pem.bak
4. Download certs from provider
5. On a windows pc opened 3 copies of Wordpad with blank pages. Saved one of them as pve-ssl.pem.txt, second one as pve-root-ca.pem.txt and third one pve-ssl.key.txt
6. Opened mydomain.crt, ca.crt and all 3 Intermediate certs on different WordPad
7. Copy/paste certs on pve-ssl.pem.txt in this order: mydomain.crt, Intermediate Cert #3, Intermediate Cert #2, Intermediate Cert #1
8. Copy/paste certs on pve-root-ca.pem.txt in this order: Intermediate Cert #3, Intermediate Cert #2, Intermediate Cert #1, ca.crt
9. Copy/paste server key on pve-ssl.ket.txt
10. Copy all 3 files : pve-ssl.pem.txt, pve-root-ca.pem.txt, pve-ssl.key.txt to /home/ssl
11. # cp /home/ssl/pve-ssl.pem.txt /etc/pve/local/pve-ssl.pem
12. # cp /home/ssl/pve-ssl.key.txt /etc/pve/local/pve-ssl.key
13. # cp /home/ssl/pve-root-ca.pem.txt /etc/pve/pve-root-ca.pem
14. # service pveproxy restart
15. # service pvedaemon restart.

The steps are pretty much what the wiki says, just without cat command.

Now the only problem is after clicking on downloaded SPICE config, it says Unable to connect to Graphics Server.Also the Console says Network Error. If i can access the VMs remotely with newly installed SSL, i will be back in business.

 

[wahmed]

Everything is back to normal again. All i needed was a full node reboot. Thanks everybody who replied in this post!

 

[Cloudrck]

Everything is back to normal again. All i needed was a full node reboot. Thanks everybody who replied in this post!

I was going to suggest restarting a few services. But a reboot takes care of everything.

 

[wahmed]

I was going to suggest restarting a few services. But a reboot takes care of everything.

Which services would you have suggested? Just for future reference, if something like this happens again, i much rather restart some services than entire node. Hassle to migrate all VMs just for reboot purpose.