[SOLVED] GUI self signed certificates for IPv4 and IPv6 pve addresses

janfi67

New Member
Dec 7, 2023
Newbie here.

I just installed Proxmox 8.1.3 with IPv4@
Thru the GUI (IPv4), I've added an IPv6 address in the vmbr0 configuration.
I generated new certificates by pvecm updatecerts --force, restarted pveproxy service.

I can access the GUI thru IPv4 in HTTPS, but the new pve-ssl.pem contains only my IPv4 address, not the IPv6 one.
And of course, I cannot establish an HTTPS connection thru IPv6, only HTTP.

If I modify my etc/hosts and replace my IPv4@ by my IPv6@, the certificate contains only the IPv6 address. I have HTTPS for IPv6, but not for IPv4 anymore

How to allow HTTPS for both IPv4 and IPv6 with self signed certificates?
Is it possible?

Thanks for your help.
You have a nice problem here. Never thought of that one. Easiest way to fix it would be an access via dns, wouldn't it? Have you considered that?
Sometimes I feel so stupid!

Thanks a lot for the tip.
If you cannot modify the certificate, change the request.
I configured (correctly this time) the local DNS of my Box and it works.
Perfect. Please mark the thread as SOLVED (edit the first post)

I do not know if this would qualify as SOLVED. It did help moving on, but what is solved by introducing dependency on DNS or all hosts records being in sync?

Looking into what is run when updatecerts is forced should have included SANs for the cert:
https://github.com/proxmox/pve-clus...a11b0f864f5b9dc/src/PVE/Cluster/Setup.pm#L473

Perl:
    my $sslconf = <<__EOD;
RANDFILE = /root/.rnd
extensions = v3_req

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
string_mask = nombstr

[ req_distinguished_name ]
organizationalUnitName = PVE Cluster Node
organizationName = Proxmox Virtual Environment
commonName = $fqdn

[ v3_req ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = $names
__EOD

Those names should include:
https://github.com/proxmox/pve-clus...a11b0f864f5b9dc/src/PVE/Cluster/Setup.pm#L459
Perl:
    my $names = "IP:127.0.0.1,IP:::1,DNS:localhost";

    my $rc = PVE::INotify::read_file('resolvconf');

    $names .= ",IP:$ip";

    $names .= ",DNS:$nodename";

    my $fqdn = $nodename;
    if ($rc && $rc->{search}) {
        $fqdn .= ".$rc->{search}";
        $names .= ",DNS:$fqdn";
    }

So in terms of IPs we are limited to:

https://github.com/proxmox/pve-clus...a11b0f864f5b9dc/src/PVE/Cluster/Setup.pm#L817
Perl:
    my $nodename = PVE::INotify::nodename();
    my $local_ip_address = PVE::Cluster::remote_node_ip($nodename);

    $p->("(re)generate node files");
    $p->("generate new node certificate") if $force_new_cert;
    gen_pve_node_files($nodename, $local_ip_address, $force_new_cert);

So the IPs should have been fed from:
https://github.com/proxmox/pve-clus...f24c05a11b0f864f5b9dc/src/PVE/Cluster.pm#L795
Perl:
# this is also used to get the IP of the local node
sub remote_node_ip {
    my ($nodename, $noerr) = @_;

    my $nodelist = $clinfo->{nodelist};
    if ($nodelist && $nodelist->{$nodename}) {
        if (my $ip = $nodelist->{$nodename}->{ip}) {
            return $ip if !wantarray;
            my $family = $nodelist->{$nodename}->{address_family};
            if (!$family) {
                $nodelist->{$nodename}->{address_family} =
                    $family =
                    PVE::Tools::get_host_address_family($ip);
            }
            return wantarray ? ($ip, $family) : $ip;
        }
    }

    # fallback: try to get IP by other means
    return PVE::Network::get_ip_from_hostname($nodename, $noerr);
}

It never asks for more than a single IP there, so I would call it a bug and get it filed.
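To make the single-address limitation concrete, here is an added Python example (not Proxmox code) that rebuilds the $names logic from the quoted Setup.pm excerpt for any number of node addresses and then checks which of a node's addresses a given SAN list would actually cover; the node name, addresses and search domain are constructed samples.

```python
import ipaddress

# Entries the quoted gen_pve_node_files code always starts from.
BASE_SANS = ["IP:127.0.0.1", "IP:::1", "DNS:localhost"]


def build_san_list(nodename, ips, search_domain=None):
    """Rebuild the $names string from the Setup.pm excerpt, but accept any
    number of node addresses instead of the single $ip it is handed.
    Each address goes through ipaddress, so a typo raises ValueError."""
    names = list(BASE_SANS)
    for ip in ips:
        names.append("IP:" + ipaddress.ip_address(ip).compressed)
    names.append("DNS:" + nodename)
    if search_domain:
        names.append("DNS:" + nodename + "." + search_domain)
    return names


def san_matches(san_list, target):
    """True if a client that typed `target` (IP literal or host name) into
    the browser would find it among the certificate's SAN entries. IP entries
    are compared as parsed addresses (2001:db8::10 == 2001:0db8::0010),
    DNS entries case-insensitively."""
    try:
        want = ipaddress.ip_address(target)
    except ValueError:
        want = None  # not an IP literal, so only DNS entries can match
    for entry in san_list:
        kind, _, value = entry.partition(":")
        if kind == "IP" and want is not None:
            if ipaddress.ip_address(value) == want:
                return True
        elif kind == "DNS" and want is None:
            if value.lower() == target.lower():
                return True
    return False


def check_node(san_list, addresses):
    """Map each address the node is reachable on to whether the cert covers it."""
    return {a: san_matches(san_list, a) for a in addresses}


if __name__ == "__main__":
    # Constructed sample node with one IPv4 and one IPv6 address, as in the thread.
    v4, v6 = "192.0.2.10", "2001:db8::10"
    current = build_san_list("pve", [v4], "home.lan")     # single IP, as remote_node_ip() yields today
    wanted = build_san_list("pve", [v4, v6], "home.lan")  # what a multi-address generator would produce
    for label, sans in (("current", current), ("wanted", wanted)):
        print(label, check_node(sans, [v4, v6, "pve.home.lan"]))
```

Running it shows the IPv6 literal failing against the current-style SAN list while the DNS name passes, which is exactly why the local-DNS workaround in this thread works.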
Technically speaking, you’re right. My question was not really answered.

I was too lazy to get deep in the code, but my guess was that only one IP@ was taken into account during the certificate generation.
I tried to put both IPv4 and IPv6 addresses in /etc/hosts and only one was used. For pro usages, with a cluster it may be cumbersome. Thanks for signaling the bug.

But my needs are more than fulfilled with this workaround.
My unique pve is on a small home network and I wanted to access easily from this network to the GUI (by typing the IPv4@) and from Internet (if needed) thanks to its public IPv6@ (well... a favorite in my browser).

Now, the access is even easier from my LAN thanks to the machine name. It will be in IPv6 (browser choice) but I don’t care.

That’s why I decided to put the thread as solved.
Technically speaking, you’re right. My question was not really answered.

I was too lazy to get deep in the code, but my guess was that only one IP@ was taken into account during the certificate generation.
I tried to put both IPv4 and IPv6 addresses in /etc/hosts and only one was used. For pro usages, with a cluster it may be cumbersome. Thanks for signaling the bug.

No worries, I took the liberty of filing it now and it's just a coincidence I was fishing around the same code looking for something when I spotted your post.

I see the issue being non-support of multiple IPs (does not matter v4 & v6, any combo), then it's no use importing the CA* to have any real sense of authenticated conns.

*BTW You may want to change your title, it's not really self-signed cert, it's PVE-generated CA that signed it.

But my needs are more than fulfilled with this workaround.
My unique pve is on a small home network and I wanted to access easily from this network to the GUI (by typing the IPv4@) and from Internet (if needed) thanks to its public IPv6@ (well... a favorite in my browser).

I would recommend putting this all behind some reverse proxy because the way security is done in PVE ... well, it assumes secure environment (achieved by means outside of PVE's scope) to put it mildly.

Now, the access is even easier from my LAN thanks to the machine name. It will be in IPv6 (browser choice) but I don’t care.

I just realised - you cannot even access it over IPv4 now? It only LISTENS on single IP?

EDIT: I noticed now the "browser choice" - how about having separate names resolving to v4 and v6 only if you wish so?
