While setting up a remote Proxmox Backup Server (PBS) for synchronization, I faced significant challenges due to SSL validation errors and the target PBS being behind a firewall/proxy with only a private IP. Despite searching extensively, I couldn’t find a comprehensive solution addressing this specific scenario. After successfully resolving the issue, I decided to share my approach to help others facing a similar problem.
Note:
The values (e.g., IP addresses, port numbers, FQDNs) used in this article are for demonstration purposes only. Replace them with the actual values relevant to your infrastructure setup.
Scenario Overview
- Infrastructure Setup:
  - PBS-A: Main PBS located in Datacenter 1. It has a public-facing IP address and acts as the synchronization target.
  - PBS-B: A PBS located behind a firewall/proxy in a private network. It has only a private IP address but is accessible externally via port forwarding on the firewall.
- Objective: Add PBS-B as a remote to PBS-A for backup synchronization. Overcome SSL certificate issues caused by self-signed certificates and connectivity challenges due to PBS-B’s location behind a firewall.
Key Challenges
- Self-Signed Certificate Validation: PBS-B uses a self-signed certificate, which often leads to SSL validation errors.
- Firewall/Proxy Configuration: PBS-B is accessible only via port forwarding, complicating connectivity and DNS resolution.
- Private IP of PBS-B: PBS-B does not have a public IP, and its private IP is not directly accessible from PBS-A.
Solution Steps
Step 1: Configure Port Forwarding on PBS-B's Firewall
Set up port forwarding on the firewall to make PBS-B accessible from the public network. For example:
- Internal PBS-B Port: 8007
- Public IP: 203.0.113.10
- Public Port: 8443 → Internal PBS-B Port: 8007
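Verify the forwarding works by running the following command (the -k flag skips certificate verification, so this confirms reachability only):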
curl -k https://203.0.113.10:8443
Ensure the PBS Web UI responds.
Step 2: Add an Entry to /etc/hosts on PBS-A
To avoid SSL validation errors, map PBS-B’s public IP to a Fully Qualified Domain Name (FQDN). On PBS-A, edit /etc/hosts:
sudo nano /etc/hosts
Add the following line:
203.0.113.10 pbs.private
Step 3: Add PBS-B as a Remote in PBS-A
Use the FQDN (pbs.private) to add PBS-B as a remote in PBS-A.
Web UI Steps:
- Go to Datacenter > Remotes > Add Remote in PBS-A.
- Fill in the following details:
  - Remote Name: remote_pbs
  - Host: pbs.private
  - Port: 8443
  - Fingerprint: Obtain PBS-B’s fingerprint by running the following command on PBS-B:
    proxmox-backup-manager cert info
- Save the configuration.
CLI Steps:
Alternatively, add the remote using the CLI on PBS-A:
proxmox-backup-manager remote create remote_pbs \
--auth-id backup@pbs \
--host pbs.private \
--port 8443 \
--fingerprint <PBS-B Fingerprint>
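The fingerprint is what PBS-A actually trusts for this remote, so it is worth confirming that the certificate served through the port forward is the one PBS-B reports before saving it. The script below is an added example, not part of the original article: the function names and the script name check-fp.sh are illustrative, it assumes openssl is installed on PBS-A, and it expects the fingerprint as hex with or without colons.

```sh
#!/bin/sh
# Added example: compare the certificate seen at pbs.private:8443 from PBS-A
# with the fingerprint copied from PBS-B. Function names are illustrative.

# Strip an optional "label=" prefix, drop colons/whitespace, lowercase the hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# Return 0 on match, 1 on mismatch, 2 if the first value is not a SHA-256 digest.
fp_match() {
    fp_a=$(normalize_fp "$1")
    fp_b=$(normalize_fp "$2")
    case "$fp_a" in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#fp_a}" -eq 64 ] || return 2
    [ "$fp_a" = "$fp_b" ]
}

# Print the SHA-256 fingerprint of the certificate served at host:port.
remote_fp() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# usage: check_remote <host> <port> <expected-fingerprint>
check_remote() {
    seen=$(remote_fp "$1" "$2") || { echo "no certificate from $1:$2" >&2; return 2; }
    rc=0
    fp_match "$3" "$seen" || rc=$?
    case "$rc" in
        0) echo "OK: certificate at $1:$2 matches the expected fingerprint" ;;
        1) echo "MISMATCH: $1:$2 presented $(normalize_fp "$seen")" >&2 ;;
        *) echo "expected value is not a SHA-256 fingerprint" >&2 ;;
    esac
    return "$rc"
}

# Run only when called with arguments, e.g.:
#   ./check-fp.sh pbs.private 8443 '<PBS-B Fingerprint>'
if [ "$#" -eq 3 ]; then
    check_remote "$@"
fi
```

A mismatch means the forward reaches a different service or something on the path is presenting its own certificate; do not add the remote until the two values agree.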
Step 4: Create a Sync Job in PBS-A
After adding PBS-B as a remote, create a sync job to replicate backups.
Web UI Steps:
- Go to Datacenter > Sync Jobs > Add Sync Job.
- Configure the sync job:
  - Local Datastore: Select the datastore on PBS-A.
  - Source Remote: remote_pbs
  - Source Datastore: Select the datastore on PBS-B.
  - Schedule: Configure the sync schedule (e.g., hourly, daily).
  - Namespace: If namespaces are used, specify the source namespace.
- Save the job.
CLI Steps:
Alternatively, create the sync job using the CLI on PBS-A:
proxmox-backup-manager sync-job create sync_remote_pbs \
--remote remote_pbs \
--remote-store <remote-datastore-name> \
--store <local-datastore-name> \
--owner backup@pbs \
--schedule daily \
--ns <namespace> \
--remove-vanished false
These steps worked in my environment and resolved my issues. I hope they help you too! If you have any questions or need further assistance, feel free to ask in the comments.