[SOLVED] Failing connection to pbs after setting a custom certificate in it.

Problem resolved; I report here my comment 2 in bug 4207:
Thanks! I installed only the leaf (the pbs server cert) and it works.

After that, I installed on pbs the complete chain (so the web gui is accessible without ssl exceptions). In order to let pve nodes validate the chain, I installed the root ca (in PEM format) in /usr/local/share/ca-certificates/ on each pve node, running update-ca-certificates afterwards, so that our root is accepted by the system as a trusted one.

Problem resolved. Maybe the custom root should be part of the pve cluster fs, in order to propagate it cluster-wide, as other configuration?

Alternatively, maybe adding the fingerprint should work even for non self-signed custom certs?

Thanks,
rob
 
Note that no fingerprint is needed in pbs storage config, if the root is trusted by pve host.
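
The steps described in the post, as an added shell example that is not part of the original thread: it installs a PEM root under a `.crt` name (update-ca-certificates only picks up `*.crt` files in that directory) and checks that a server chain validates against a given trust file. The function names and the file names in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Function and file names are assumptions.

# True when the file is a PEM-encoded X.509 certificate (DER input is rejected).
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        openssl x509 -in "$1" -noout 2>/dev/null
}

# Copy a root CA into the local CA directory under a .crt name, because
# update-ca-certificates ignores other extensions. Prints the installed path.
install_root_ca() {
    src=$1
    dest_dir=${2:-/usr/local/share/ca-certificates}
    is_pem_cert "$src" || { echo "not a PEM certificate: $src" >&2; return 1; }
    name=$(basename "$src")
    dest="$dest_dir/${name%.*}.crt"
    install -m 0644 "$src" "$dest" && echo "$dest"
}

# True when the first certificate in chain_file (the leaf) validates with
# ca_file trusted; the other certificates in chain_file act as intermediates.
chain_validates() {
    ca_file=$1
    chain_file=$2
    openssl verify -CAfile "$ca_file" -untrusted "$chain_file" "$chain_file" \
        >/dev/null 2>&1
}

# On each pve node, as root (file names are placeholders):
#   install_root_ca ./our-root.pem && update-ca-certificates
#   chain_validates /etc/ssl/certs/ca-certificates.crt ./pbs-fullchain.pem \
#       && echo "chain trusted, no fingerprint needed"
```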