
External SSL in Proxmox

Discussion in 'Proxmox VE: Installation and configuration' started by symmcom, Sep 18, 2013.

  1. symmcom
    Hello,
    How can I install external SSL certificates, such as those from Comodo, into Proxmox? I found this Proxmox wiki http://pve.proxmox.com/wiki/HTTPSCertificateConfiguration but it talks about 3 files being needed. I only have 2, which I got from Comodo: ca.crt and bundle.crt. There is no PEM for me.
    Can this Comodo certificate be installed on Proxmox?
    Thanks!
     
  2. Cloudrck
    PEM is a format; I've seen them as .pem and .crt
    https://support.ssl.com/index.php?/Knowledgebase/Article/View/19

    I also have a Comodo SSL cert and the files are in PEM format.

    The ca.crt and bundle.crt you received are most likely in PEM format.

    If you see -----BEGIN CERTIFICATE----- in readable form then it's PEM
     
  3. symmcom
    Yep, both of the files have -----BEGIN CERTIFICATE----- in them. So technically just renaming them will work.

    Based on wiki here http://pve.proxmox.com/wiki/HTTPSCertificateConfiguration I need:

    ca.crt
    server.key
    server.pem

    From comodo i got:
    mydomain.crt
    bundle.crt

    So which should be replaced/renamed with which? Is it:
    ca.crt=mydomain.crt
    server.key=?
    server.pem=bundle.crt
     
  4. Cloudrck
    Your server key is the file that is generated by openssl when you create a CSR. Did you do that on your own server? It should be there.
     
    #4 Cloudrck, Sep 18, 2013
    Last edited: Sep 18, 2013
  5. symmcom
    The CSR was originally created by my website hosting service, since that's where mydomain.com is registered. I purchased a wildcard SSL certificate to cover any subdomain, since my LAN platform also has the same mydomain.com. All my local nodes are xxxxxx.mydomain.com. I imagined the purchased wildcard certificate should cover all local subdomains (local servers) and website subdomains.
     
  6. Cloudrck
    It's irrelevant where your domain is registered. You could have generated a CSR on your own computer.
     
  7. symmcom
    So I have successfully installed the external SSL certificate from Comodo on all nodes. I can connect to all nodes using https://mydomain.com:8006 and it shows valid certificate information. But when I try to open a VM using Console or SPICE nothing works any more. I keep getting a TLS Handshake failed javax.net.ssl.SSLHandshakeException..... error. How can I turn back time or get rid of this error? This appears to happen on all nodes.
     
  8. Cloudrck
    First run your domain and port (domain.com:8006) through http://www.sslshopper.com/ssl-checker.html

    Replace the files with the original files you should have backed up.

    Do you have clusters? Did you update the nodes/* files?
     
    #8 Cloudrck, Sep 19, 2013
    Last edited: Sep 19, 2013
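An added example, not from the thread or from Proxmox, that does from a shell what the checker linked above does from a web page: it captures the chain pveproxy actually presents on port 8006 and checks that every certificate's issuer is the next certificate sent. That is the check behind the symptom reported above, a browser accepting the certificate while the Java console client fails the handshake: a browser that has cached or fetches the CA's intermediate accepts a server that sends only its own certificate, whereas Java's TLS stack does not fetch missing intermediates by default and fails. The host name, the function names and the sample transcripts in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's or Proxmox's code). Host name and port are
# assumptions; 8006 is the pveproxy port used in the thread.

# Dump what the server presents: the " N s:" / "   i:" summary lines plus
# each certificate in PEM form. Needs network access and openssl.
served_chain() {   # HOST [PORT]
    openssl s_client -connect "$1:${2:-8006}" -servername "$1" -showcerts \
        </dev/null 2>/dev/null
}

# Number of certificates in an "s_client -showcerts" transcript read on stdin.
count_chain() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Read a transcript on stdin and check that each certificate's issuer is the
# subject of the next one sent. Exit 0 when the chain is contiguous, 1 when a
# link is missing, 2 when no certificate was received at all.
chain_contiguous() {
    awk '
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[++n] = $0 }
        /^ +i:/        { sub(/^ +i:/, "");        iss[n] = $0 }
        END {
            if (n == 0) { print "no certificate received"; exit 2 }
            # a lone server certificate that is not self-signed means the
            # intermediate never made it into the served bundle
            if (n == 1 && iss[1] != subj[1]) {
                print "only the server certificate is sent; intermediate missing"
                exit 1
            }
            for (k = 1; k < n; k++)
                if (iss[k] != subj[k + 1]) {
                    print "chain breaks after depth " (k - 1) ": " iss[k] " was not sent"
                    exit 1
                }
            print n " certificates sent, chain is contiguous"
        }'
}

# Build and verify a path from the served leaf to the local trust store, using
# the served intermediates only as untrusted helpers (what a client without
# cached intermediates does). Needs openssl; reads a transcript on stdin.
verify_served() {
    tmp=$(mktemp) || return 1
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$tmp"
    openssl verify -untrusted "$tmp" "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage: sh pve-chain-check.sh pve1.mydomain.com [8006]
if [ $# -ge 1 ]; then
    chain=$(served_chain "$1" "${2:-8006}")
    printf '%s\n' "$chain" | count_chain
    printf '%s\n' "$chain" | chain_contiguous
    printf '%s\n' "$chain" | verify_served
fi
```

Run it against each node (the certificate files under /etc/pve are replicated, but pveproxy on every node must have been restarted to serve the new ones). A result of "only the server certificate is sent" is the state the online checker flags as an incorrect intermediate chain, and it is a server-side bundle problem, not something a client-side fix will cure.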
  9. symmcom
    SSL Checker checks out validity for the domain with one error

    Seems to me the Intermediate Certificate is causing all these issues. I think I skipped the Intermediate Certificate portion in the wiki:
    http://pve.proxmox.com/wiki/HTTPSCertificateConfiguration

    I received 2 files from Comodo
    1. mydomain.crt
    2. bundle.crt

    By following the wiki:
    mydomain.crt = pve-ssl.pem
    rsa-key = pve-ssl.pem
    bundle.ca = pve-root-ca.pem

    The Intermediate Certificate portion calls for server.pem, intermediate_certificate.pem, ca.pem. Where do I find those? I know I am missing something here.
     
  10. mir
  11. symmcom
    I have downloaded the Intermediate certificate and it completely broke SSL; I can't even log in to the WebGUI.

    Looking through the wiki, I have realized I made a grave mistake. I actually replaced the ca.pem under /etc/pve on all nodes. The wiki said to do it only on one node. I know it is quite a mess. Is there any way I can recreate the self-signed SSL certificate and start from the beginning?
     
  12. dietmar

    dietmar Proxmox Staff Member
    It is a distributed, replicated file system, so you always replace the same file.

    should be no problem at all.

    # pvecm updatecerts --force

    (not sure if the ca is replaced - maybe you need to delete it first).
     
  13. symmcom
    I replaced all certs using # pvecm updatecerts and restarted the whole SSL installation process.

    I can log in to the WebGUI and the browser seems to show a valid certificate. SSL Checker still says the Intermediate chain is not correct and not browsable by all browsers. I tried to install the Comodo Intermediate SSL certificate into Proxmox using the wiki's Intermediate Certificate section. If I follow the wiki to the letter, it breaks SSL completely and the WebGUI becomes unusable with an SSL Connection error. After replacing the SSL certificate with a valid one the WebGUI works fully, but now if I click on SPICE for a VM it downloads nothing. If I try Console, the console pops up and gives this error.
    Any clue?
     
  14. symmcom
    Finally!! Got SSL working.
    Strangest thing: using the cat command in the wiki http://pve.proxmox.com/wiki/HTTPSCertificateConfiguration was causing the issue.

    I opened a GUI text editor and copy/pasted all certs individually into pve-ssl.pem and pve-root-ca.pem. After restarting pveproxy and pvedaemon, SSL worked completely. SSL Checker could see the chain of Intermediate certs and the SPICE config started downloading again.
    I know it is very odd that the cat command did not work, but I do not have any explanation.

    To sum it up this is what i did:

    1. # cp /etc/pve/local/pve-ssl.pem /etc/pve/local/pve-ssl.pem.bak
    2. # cp /etc/pve/local/pve-ssl.key /etc/pve/local/pve-ssl.key.bak
    3. # cp /etc/pve/pve-root-ca.pem /etc/pve/pve-root-ca.pem.bak
    4. Download certs from provider
    5. On a Windows PC, opened 3 copies of WordPad with blank pages. Saved one of them as pve-ssl.pem.txt, the second as pve-root-ca.pem.txt and the third as pve-ssl.key.txt
    6. Opened mydomain.crt, ca.crt and all 3 Intermediate certs in separate WordPad windows
    7. Copy/paste certs into pve-ssl.pem.txt in this order: mydomain.crt, Intermediate Cert #3, Intermediate Cert #2, Intermediate Cert #1
    8. Copy/paste certs into pve-root-ca.pem.txt in this order: Intermediate Cert #3, Intermediate Cert #2, Intermediate Cert #1, ca.crt
    9. Copy/paste the server key into pve-ssl.key.txt
    10. Copy all 3 files : pve-ssl.pem.txt, pve-root-ca.pem.txt, pve-ssl.key.txt to /home/ssl
    11. # cp /home/ssl/pve-ssl.pem.txt /etc/pve/local/pve-ssl.pem
    12. # cp /home/ssl/pve-ssl.key.txt /etc/pve/local/pve-ssl.key
    13. # cp /home/ssl/pve-root-ca.pem.txt /etc/pve/pve-root-ca.pem
    14. # service pveproxy restart
    15. # service pvedaemon restart

    The steps are pretty much what the wiki says, just without the cat command.

    Now the only problem is that after clicking on the downloaded SPICE config, it says Unable to connect to Graphics Server. Also the Console says Network Error. If I can access the VMs remotely with the newly installed SSL certificate, I will be back in business.
     
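The step list above, as an added example that is not part of the original post and is not Proxmox's or the wiki's code: a POSIX shell script that builds the two bundle files without the hand copy/paste, repairs the thing that most often makes a cat-built bundle read as a single certificate (a .crt file with no trailing newline, which fuses the END marker of one certificate and the BEGIN marker of the next onto one line, so the TLS library stops after the first certificate), strips the CRLF line endings a WordPad file carries, and verifies key and chain with openssl before anything is copied into /etc/pve. The function names, the argument order and the file names are assumptions; the bundle layout (pve-ssl.pem = server certificate then intermediates, pve-root-ca.pem = intermediates then root) is the one the post arrives at.

```shell
#!/bin/sh
# Added example (not the thread's, the wiki's or Proxmox's code). Function
# names, argument order and file names are assumptions.

# Succeed if FILE holds a readable PEM certificate block. A DER-encoded file
# has no such marker; convert it first with
#   openssl x509 -inform DER -in FILE -out FILE.pem
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the certificate blocks of FILE... (or stdin) in the order given:
# fused "END-----BEGIN" lines are split, CR line endings dropped, and only
# the BEGIN/END blocks kept (a private key or a text preamble is left out).
pem_blocks() {
    cat "$@" | awk '
        function emit(l) {
            if (index(l, beginm)) inblk = 1
            if (inblk) print l
            if (index(l, endm)) inblk = 0
        }
        BEGIN {
            endm = "-----END CERTIFICATE-----"
            beginm = "-----BEGIN CERTIFICATE-----"
            fused = endm beginm
        }
        {
            sub(/\r$/, "")
            line = $0
            while ((i = index(line, fused)) > 0) {
                emit(substr(line, 1, i + length(endm) - 1))
                line = substr(line, i + length(endm))
            }
            emit(line)
        }'
}

# Number of certificate blocks in FILE... (prints 0 and exits 1 when none).
count_certs() {
    pem_blocks "$@" | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# build_bundles OUTDIR SERVER.crt ROOT.crt [INTERMEDIATE.crt ...]
# Intermediates go leaf-to-root: the one that signed the server certificate
# first. Writes OUTDIR/pve-ssl.pem and OUTDIR/pve-root-ca.pem.
build_bundles() {
    outdir=$1 server=$2 root=$3
    shift 3
    pem_blocks "$server" "$@" > "$outdir/pve-ssl.pem"
    pem_blocks "$@" "$root" > "$outdir/pve-root-ca.pem"
}

# verify_bundles OUTDIR SERVER.key: the key must belong to the first
# certificate in pve-ssl.pem, and that certificate must chain to
# pve-root-ca.pem. Needs openssl; run it before copying anything.
verify_bundles() {
    outdir=$1 key=$2
    if [ "$(openssl x509 -noout -pubkey -in "$outdir/pve-ssl.pem")" != \
         "$(openssl pkey -pubout -in "$key")" ]; then
        echo "key $key does not match the server certificate" >&2
        return 1
    fi
    if [ "$(count_certs "$outdir/pve-ssl.pem")" -lt 2 ]; then
        echo "warning: pve-ssl.pem carries no intermediate certificate" >&2
    fi
    openssl verify -CAfile "$outdir/pve-root-ca.pem" "$outdir/pve-ssl.pem"
}

# Usage: sh pve-cert-bundle.sh OUTDIR SERVER.crt SERVER.key ROOT.crt [INTER.crt ...]
if [ $# -ge 4 ]; then
    dir=$1 crt=$2 key=$3 ca=$4
    shift 4
    build_bundles "$dir" "$crt" "$ca" "$@" && verify_bundles "$dir" "$key"
fi
```

Run it as sh pve-cert-bundle.sh /home/ssl mydomain.crt server.key ca.crt inter3.crt inter2.crt inter1.crt with the intermediates in leaf-to-root order, check that openssl verify prints OK, and only then copy the two .pem files and the key into /etc/pve/local and /etc/pve and restart pveproxy and pvedaemon as in the steps above. A bundle that verify_bundles rejects will not be cured by restarting services or rebooting.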
  15. symmcom
    Everything is back to normal again. All i needed was a full node reboot. :) Thanks everybody who replied in this post!
     
  16. Cloudrck
    I was going to suggest restarting a few services. But a reboot takes care of everything.
     
  17. symmcom
    Which services would you have suggested? Just for future reference, if something like this happens again, I would much rather restart some services than the entire node. It's a hassle to migrate all VMs just for a reboot.
     