Failed to start VNC server: Our own certificate

TechLineX

Running as unit 109.scope.
kvm: -vnc unix:/var/run/qemu-server/109.vnc,x509,password: Failed to start VNC server: Our own certificate /etc/pve/local/pve-ssl.pem failed validation against /etc/pve/pve-root-ca.pem: The certificate hasn't got a known issuer

I used my own certificate. The cert is working all in all, but I can't start any servers. If I roll back to the self-signed one, I can start everything normally.

https://pve.proxmox.com/wiki/HTTPSCertificateConfiguration

I copied my cert in
cp fullchain.pem /etc/pve/nodes/<node>/pve-ssl.pem
cp private-key.pem /etc/pve/nodes/<node>/pve-ssl.key

and restarted the proxy.
 
Please follow the instructions you linked! They clearly state how to enable your own non-selfsigned certificates.
 
Please help with these problems and how to overcome them.
 

What is the same problem? There are two completely different issues in this thread.
 
I'm running pve-manager/5.0-10/0d270679.

I also encountered this error after installing my own cert following instructions at https://pve.proxmox.com/wiki/HTTPSCertificateConfiguration.

kvm: -vnc unix:/var/run/qemu-server/109.vnc,x509,password: Failed to start VNC server: Our own certificate /etc/pve/local/pve-ssl.pem failed validation against /etc/pve/pve-root-ca.pem: The certificate hasn't got a known issuer

I solved it by replacing the contents of /etc/pve/pve-root-ca.pem with my SSL cert's Intermediate and Root CA information as a chained cert. I restarted pve proxy 'systemctl restart pveproxy' and tried firing up the vm with the error. It came up this time and the VNC console was working but failed shortly afterwards. I waited a few minutes and tried again, all appears to be working fine now.

My guess is this stems from /etc/pve/local being linked to /pve/nodes/<my node name>, and when you change the certs in the node directory, there are no instructions to also update the /etc/pve/pve-root-ca.pem which apparently is used by the VNC components. With it still being the old self-signed stuff, it fails validation.

 
If you follow the guide closely, you have to replace /etc/pve/local/pveproxy-ssl.[pem|key], not pve-ssl.[pem|key],
which should not introduce the above error.
 

For my installation, pveproxy-ssl.pem or .key did not exist so I replaced the pve-ssl.pem and .key instead. I figured this was some kind of change done to the product in the beta version that I am running that the documentation did not catch up to. In hindsight I should have tried creating the pveproxy.pem and .key files to see if that worked first before going and assuming things.

edit: was due to my poor comprehension of the howto
 
No problem ;), I just wanted to clarify so that future readers of this thread can see what went wrong.
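
The failure reported in this thread (a node certificate that does not chain to the cluster CA file) can be reproduced and checked offline. The script below is an added example, not code from the posters or from Proxmox. The function names and the four constructed certificates are assumptions, and `openssl verify` is used as a stand-in for the check kvm performs.

```shell
#!/bin/sh
# Added example. Everything is constructed in a temp dir; /etc/pve is not touched.

# chain_ok CA_FILE CERT_FILE: succeeds only if CERT_FILE was issued under CA_FILE.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_ca DIR NAME: self-signed CA written to DIR/NAME.pem and DIR/NAME.key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_leaf DIR NAME CA: certificate DIR/NAME.pem signed by the CA in DIR/CA.pem.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial -days 1 -out "$1/$2.pem" >/dev/null 2>&1
}

# demo: prints "<stock result> <custom result>" for the two situations in the thread.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" cluster-ca                 # stands in for pve-root-ca.pem
    make_ca "$d" public-ca                  # stands in for an external CA
    make_leaf "$d" node-cert cluster-ca     # stands in for the stock pve-ssl.pem
    make_leaf "$d" custom-cert public-ca    # stands in for the user's own cert
    # Stock node cert against the cluster CA: validation succeeds.
    chain_ok "$d/cluster-ca.pem" "$d/node-cert.pem" && r1=ok || r1=fail
    # Own cert copied over pve-ssl.pem: no known issuer in the cluster CA file.
    chain_ok "$d/cluster-ca.pem" "$d/custom-cert.pem" && r2=ok || r2=fail
    rm -rf "$d"
    echo "$r1 $r2"
}

# On a real node, the same check with the paths from the error message:
#   chain_ok /etc/pve/pve-root-ca.pem /etc/pve/local/pve-ssl.pem && echo ok
demo    # prints "ok fail"
```

If the check fails on a node, that matches the situation resolved above: the custom certificate was written over pve-ssl.pem instead of being installed as pveproxy-ssl.pem.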