Force pvecm to use FQDN?

kotakomputer

How do I force "pvecm updatecerts" to use the FQDN? I tried "pvecm updatecerts --force", but the hostname is still used.
Should I manually use openssl?

Note: this happened after I changed the hostname and then ran pvecm updatecerts --force; the result is just the hostname, not the FQDN.
 
Use a real cert from... example... startssl. It is easy to generate and class1 is for free :)
 
You can check the method gen_pve_ssl_cert in pve-cluster/data/PVE/Cluster.pm to see which openssl configuration and commands are used to generate the self-signed certificates. If you really need self-signed certificates with a FQDN, this should be easy enough to adapt (you could even use the already existing cluster CA certificate and key).
 
You can check the method gen_pve_ssl_cert in pve-cluster/data/PVE/Cluster.pm to see which openssl configuration and commands are used to generate the self-signed certificates.
Still find how to check the method
If you really need self-signed certificates with a FQDN, this should be easy enough to adapt (you could even use the already existing cluster CA certificate and key).
I think using an existing certificate from another server will cause a security issue? Because verifying the certificate's name against the host will fail?
 
Still find how to check the method

I think using an existing certificate from another server will cause a security issue? Because verifying the certificate's name against the host will fail?

I said that you can use the existing cluster CA certificate and key to generate a self-signed certificate with a different configuration than pvecm updatecerts, not that you should copy a self-signed certificate and key from a different node (that won't work well for obvious reasons, and would not solve your FQDN issue at all). Still, I don't really see the use case for this. If you are fine with self-signed certificates, you are probably also fine with accessing the node using its IP address or short hostname.
 
pvecm uses openssl to generate the certificates. I already mentioned the module where the configuration and command line parameters are assembled (pve-cluster/data/PVE/Cluster.pm), but adapting those is at your own risk. A pvecm updatecerts -f should always revert to the default self-signed setup for the node it is run on.
 
I think https://www.startssl.com/ is free for the first year only? A self-signed certificate is enough for me because our Proxmox server is only accessed by our API.
It is always free. Class costs, about 55 USDollar. You can use a wildcard cert too. But yes, you can also use a self-signed one :)
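
The approach suggested in the replies above (sign a certificate that carries the FQDN with a CA you already trust, then check the name match), as an added example that is not from the thread or from Proxmox's own code. It builds a throwaway CA in a work directory as a stand-in for the cluster CA; the function names, node names and IP address are constructed for illustration.

```shell
#!/bin/sh
# Added example. A throwaway CA stands in for the cluster CA; names/IP are constructed.

issue_fqdn_cert() (   # usage: issue_fqdn_cert WORKDIR SHORTNAME FQDN IP
    dir=$1; short=$2; fqdn=$3; ip=$4
    umask 077         # private keys are created readable by the owner only
    # Explicit config so the result does not depend on the system openssl.cnf.
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Stand-in CA; with an existing CA, skip this and pass its cert/key to -CA/-CAkey.
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Cluster CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || exit 1
    # Node key and CSR with the FQDN as subject CN.
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$fqdn" \
        -keyout "$dir/node.key" -out "$dir/node.csr" 2>/dev/null || exit 1
    # Clients match on subjectAltName: list every name used to reach the node.
    cat > "$dir/ext.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn, DNS:$short, IP:$ip
EOF
    openssl x509 -req -in "$dir/node.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 730 -sha256 -extfile "$dir/ext.cnf" \
        -out "$dir/node.pem" 2>/dev/null || exit 1
)

# True only if the chain validates and the certificate covers NAME.
cert_matches_host() {   # usage: cert_matches_host WORKDIR NAME
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" \
        "$1/node.pem" >/dev/null 2>&1
}
```

`cert_matches_host` is the same check an API client performs when it verifies the certificate name against the host it connects to, so it fails for any name missing from the SAN list.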
 
