GUI not available after adding own certificate

muekno

Dec 15, 2023
I added my own certificate to my PVE, as I did some times before.

But this time I can not start the GUI again.
The PVE is still running, the VMs are still running. I can log in the VMs via ssl and I can login to PVE host as root via SSL.
ss -tulpn | grep 8006 says port is open
What to do?
Appreciate help

Think I made a mistake adding the .crt instead of .pem
 
I can log in the VMs via ssl and I can login to PVE host as root via SSL.
Do you mean SSH?

If yes, what does journalctl -b -u pveproxy.service say? Does it report any errors?
How exactly did you add the certificates? Via GUI/ACME?

But this time I can not start the GUI again.
What do you mean exactly by that?
Do you get some error message in your browser?
Have you tried curl -v https://<pve-ip>:8006?
What does that report?
 
Sure I mean SSH.
The browser gets a timeout, website unreachable
Code:
journalctl -b -u pveproxy.service
Feb 28 14:39:46 me-fue-proxmox03 systemd[1]: Starting pveproxy.service - PVE API Proxy Server...
Feb 28 14:39:48 me-fue-proxmox03 pveproxy[2293]: starting server
Feb 28 14:39:48 me-fue-proxmox03 pveproxy[2293]: starting 3 worker(s)
Feb 28 14:39:48 me-fue-proxmox03 pveproxy[2293]: worker 2294 started
Feb 28 14:39:48 me-fue-proxmox03 pveproxy[2293]: worker 2295 started
Feb 28 14:39:48 me-fue-proxmox03 pveproxy[2293]: worker 2296 started
Feb 28 14:39:48 me-fue-proxmox03 systemd[1]: Started pveproxy.service - PVE API Proxy Server.
Feb 28 16:52:21 me-fue-proxmox03 pveproxy[2294]: worker exit
Feb 28 16:52:21 me-fue-proxmox03 pveproxy[2293]: worker 2294 finished
Feb 28 16:52:21 me-fue-proxmox03 pveproxy[2293]: starting 1 worker(s)
Feb 28 16:52:21 me-fue-proxmox03 pveproxy[2293]: worker 81463 started
Feb 28 16:57:56 me-fue-proxmox03 pveproxy[2293]: worker 2296 finished
Feb 28 16:57:56 me-fue-proxmox03 pveproxy[2293]: starting 1 worker(s)
Feb 28 16:57:56 me-fue-proxmox03 pveproxy[2293]: worker 84919 started
Feb 28 16:57:58 me-fue-proxmox03 pveproxy[84918]: got inotify poll request in wrong process - disabling inotify
Feb 28 17:00:01 me-fue-proxmox03 pveproxy[2295]: worker exit
Feb 28 17:00:01 me-fue-proxmox03 pveproxy[2293]: worker 2295 finished
Feb 28 17:00:01 me-fue-proxmox03 pveproxy[2293]: starting 1 worker(s)
Feb 28 17:00:01 me-fue-proxmox03 pveproxy[2293]: worker 86126 started
Feb 28 17:02:00 me-fue-proxmox03 pveproxy[84918]: worker exit
Mar 01 00:00:23 me-fue-proxmox03 systemd[1]: Reloading pveproxy.service - PVE API Proxy Server...
Mar 01 00:00:24 me-fue-proxmox03 pveproxy[335499]: send HUP to 2293
Mar 01 00:00:24 me-fue-proxmox03 pveproxy[2293]: received signal HUP
Mar 01 00:00:24 me-fue-proxmox03 pveproxy[2293]: server closing
Mar 01 00:00:24 me-fue-proxmox03 pveproxy[2293]: server shutdown (restart)
Mar 01 00:00:24 me-fue-proxmox03 systemd[1]: Reloaded pveproxy.service - PVE API Proxy Server.
Mar 01 00:00:26 me-fue-proxmox03 pveproxy[2293]: restarting server
Code:
curl -v https://192.168.100.243:8006
*   Trying 192.168.100.243:8006...
* Connected to 192.168.100.243 (192.168.100.243) port 8006
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
 
The browser gets a timeout
A timeout normally indicates some other network failure. Have you ensured that e.g. a firewall isn't blocking access between your machine and port 8006 of the PVE host?

Again, how did you add the certificates? Not via the GUI/built-in ACME support, I suppose? Did you use the web GUI to upload them?

Do curl -v https://192.168.100.243:8006 and curl -v https://localhost:8006 locally on the Proxmox VE host work?
 
There is no firewall at all. The problem is on customer side, I am connected via VPN wireguard to the customer, no problem since years. Did parts of the migration from VMware to Proxmox last year over that connection, can still reach the second PVE and the PBS without any problem.
No, not via the ACME support. It is not the first time I did. Did it via upload custom certificate as I did at my own PVE
 
What I found out: the pveproxy-ssl.key and .crt are wrong.
Does it harm to just delete them?
Regards, Rainer

Or can / should I replace them with correct ones?
 
journalctl -n 100 shows me

get /etc/pve/local/pveproxy-ssl.key: failed to load local private key (key_file or key) at /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 2082.

That is correct, as there is no pveproxy-ssl.key or .pem in the system at all

Code:
ss -tulpn | grep 8006
tcp   LISTEN 55     4096               *:8006            *:*    users:(("pveproxy",pid=1779234,fd=6),("pveproxy worker",pid=1778230,fd=6),("pveproxy worker",pid=1778229,fd=6),("pveproxy worker",pid=1778228,fd=6))
shows me a process "pveproxy worker"
It is a production environment
What risk do I have killing that process?
What will be restarting the GUI and how to do it?
What will be restarting the PVE, will the VMs come up even if the GUI still fails?
I appreciate any help or hint
Rainer
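
The journal line quoted above is pveproxy failing to load /etc/pve/local/pveproxy-ssl.key, and the thread also mentions a .crt being added instead of a .pem. The shell function below is an added example, not code from the thread or from Proxmox: it checks a certificate/key pair for exactly those problems before the files are uploaded to a production host. `check_pair` and its return codes are illustrative names, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: pre-flight check for a custom certificate/key pair.
# check_pair and its return codes are illustrative, not Proxmox tooling.
#
# Returns 0 if the pair is usable, otherwise the first failed check:
#   1 file missing or empty      2 certificate is not PEM
#   3 key cannot be loaded       4 key does not belong to certificate
#   5 certificate already expired
check_pair() {
    cert=$1 key=$2

    # Both files must exist and be non-empty.
    [ -s "$cert" ] && [ -s "$key" ] || return 1

    # The certificate must be PEM text, not a DER-encoded .crt/.cer file.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" || return 2
    openssl x509 -in "$cert" -noout 2>/dev/null || return 2

    # The key must load with an empty passphrase, so an encrypted key
    # fails here instead of prompting.
    openssl pkey -in "$key" -passin pass: -noout 2>/dev/null || return 3

    # The public key inside the certificate must equal the public key
    # derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 4

    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 5
    return 0
}

# Run as: sh check_pair.sh <certificate.pem> <private.key>
if [ "$#" -eq 2 ]; then
    rc=0; check_pair "$1" "$2" || rc=$?
    echo "check_pair result: $rc (0 = pair is usable)"
    exit "$rc"
fi
```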