[TUTORIAL] How to Resolve SSL and Connectivity Issues When Adding a Remote Proxmox Backup Server (PBS) for Synchronization Behind a Firewall/Proxy Using a Self-S

iparaskev

Member
Jan 19, 2021
While setting up a remote Proxmox Backup Server (PBS) for synchronization, I faced significant challenges due to SSL validation errors and the target PBS being behind a firewall/proxy with only a private IP. Despite searching extensively, I couldn’t find a comprehensive solution addressing this specific scenario. After successfully resolving the issue, I decided to share my approach to help others facing a similar problem.
Note:
The values (e.g., IP addresses, port numbers, FQDNs) used in this article are for demonstration purposes only. Replace them with the actual values relevant to your infrastructure setup.


Scenario Overview


  • Infrastructure Setup:
    • PBS-A: Main PBS located in Datacenter 1. It has a public-facing IP address and acts as the synchronization target.
    • PBS-B: A PBS located behind a firewall/proxy in a private network. It has only a private IP address but is accessible externally via port forwarding on the firewall.
  • Objective:
    Add PBS-B as a remote to PBS-A for backup synchronization. Overcome SSL certificate issues caused by self-signed certificates and connectivity challenges due to PBS-B’s location behind a firewall.



Key Challenges


  1. Self-Signed Certificate Validation:
    PBS-B uses a self-signed certificate, which often leads to SSL validation errors.
  2. Firewall/Proxy Configuration:
    PBS-B is accessible only via port forwarding, complicating connectivity and DNS resolution.
  3. Private IP of PBS-B:
    PBS-B does not have a public IP, and its private IP is not directly accessible from PBS-A.



Solution Steps


Step 1: Configure Port Forwarding on PBS-B's Firewall


Set up port forwarding on the firewall to make PBS-B accessible from the public network. For example:


  • Internal PBS-B Port: 8007
  • Public IP: 203.0.113.10
  • Public Port: 8443 → Internal PBS-B Port: 8007

Verify the forwarding works by running:

curl -k https://203.0.113.10:8443


Ensure the PBS Web UI responds.




Step 2: Add an Entry to /etc/hosts on PBS-A


To avoid SSL validation errors, map PBS-B’s public IP to a Fully Qualified Domain Name (FQDN). On PBS-A, edit /etc/hosts:

sudo nano /etc/hosts


Add the following line:

203.0.113.10 pbs.private




Step 3: Add PBS-B as a Remote in PBS-A


Use the FQDN (pbs.private) to add PBS-B as a remote in PBS-A.


Web UI Steps:


  1. Go to Datacenter > Remotes > Add Remote in PBS-A.
  2. Fill in the following details:
    • Remote Name: remote_pbs
    • Host: pbs.private
    • Port: 8443
    • Fingerprint: Obtain PBS-B’s fingerprint by running the following command on PBS-B: proxmox-backup-manager cert info
  3. Save the configuration.

CLI Steps:


Alternatively, add the remote using the CLI on PBS-A:

proxmox-backup-manager remote create remote_pbs \
--auth-id backup@pbs \
--password <PBS-B Password> \
--host pbs.private \
--port 8443 \
--fingerprint <PBS-B Fingerprint>




Step 4: Create a Sync Job in PBS-A


After adding PBS-B as a remote, create a sync job to replicate backups.


Web UI Steps:


  1. Go to Datacenter > Sync Jobs > Add Sync Job.
  2. Configure the sync job:
    • Local Datastore: Select the datastore on PBS-A.
    • Source Remote: remote_pbs
    • Source Datastore: Select the datastore on PBS-B.
    • Schedule: Configure the sync schedule (e.g., hourly, daily).
    • Namespace: If namespaces are used, specify the source namespace.
  3. Save the job.

CLI Steps:


Alternatively, create the sync job using the CLI on PBS-A:

proxmox-backup-manager sync-job create sync_remote_pbs \
--remote remote_pbs \
--remote-store <remote-datastore-name> \
--store <local-datastore-name> \
--owner backup@pbs \
--schedule daily \
--ns <namespace> \
--remove-vanished false


These steps worked in my environment and resolved my issues. I hope they help you too! If you have any questions or need further assistance, feel free to ask in the comments.
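
The fingerprint entered in Step 3 is what authenticates PBS-B: the curl -k check in Step 1 skips certificate verification, and the /etc/hosts entry in Step 2 only maps a name to an address. The script below is an added example, not part of the original post; run on PBS-A, it compares the certificate presented through the port forward with the value reported on PBS-B. The function names and the file name are illustrative, and it assumes the openssl CLI is installed on PBS-A.

```shell
#!/bin/sh
# Added example (not from the original post): check, from PBS-A, that the
# certificate served through the port forward is the one PBS-B reports.
# Function names are illustrative; requires the openssl CLI.

# Reduce "label=AA:BB:.." or "label: aa:bb:.." to bare upper-case hex.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/[[:space:]]*$//' -e 's/^.*[= ]//' \
        | tr -d ':' | tr 'a-f' 'A-F'
}

# True only for exactly 64 upper-case hex digits (a SHA-256 digest).
is_sha256_hex() {
    [ "${#1}" -eq 64 ] || return 1
    case $1 in *[!0-9A-F]*) return 1 ;; esac
}

# 0 = same fingerprint, 1 = different, 2 = first value is malformed.
fp_matches() {
    fp_a=$(normalize_fp "$1")
    fp_b=$(normalize_fp "$2")
    is_sha256_hex "$fp_a" || return 2
    [ "$fp_a" = "$fp_b" ]
}

# Print the SHA-256 fingerprint of the certificate presented at HOST:PORT.
fetch_fp() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# verify_remote HOST PORT EXPECTED_FINGERPRINT
verify_remote() {
    seen=$(fetch_fp "$1" "$2") || { echo "no certificate from $1:$2" >&2; return 3; }
    if fp_matches "$seen" "$3"; then
        echo "OK: $1:$2 presents the expected certificate"
    else
        echo "MISMATCH: $1:$2 presented $(normalize_fp "$seen")" >&2
        return 1
    fi
}

# Example (hypothetical file name):
#   sh check_fp.sh pbs.private 8443 '<fingerprint from PBS-B>'
if [ "$#" -eq 3 ]; then verify_remote "$@"; fi
```

A mismatch means the forwarded port terminates TLS somewhere other than PBS-B (for example at an inspecting proxy), so the remote should not be added until the difference is explained.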