How to set up SSL for PBS?

chudak

I get an SSL certificate error on login to a newly installed PBS backup server.

Added a new DDNS name on dynu.net, added this to the PVE ACME setup, and can order both certificates: for PVE (which works fine via HTTPS) and a new one for PBS.

I don't know how to set it up on the actual PBS server.

Any clues are appreciated!

Thx
 
I replaced the files proxy.pem and proxy.key in /etc/proxmox-backup and then restarted the backup service. That did the trick for me, don't know if there is a "clean" way to do this.
 
Oh, I run my own PKI with self-signed certificates. That's nothing Proxmox takes care of.
But even with a public certificate authority you should have your key and the cert file from the CA. If you acquire them automatically you should be able to find them in the file system.
 
Please correct me if I am wrong, but the CA is the fingerprint, right? How do I import this into my web browser so that the certificate error message is gone?
 
CA is short for certificate authority. A lot of people use Let's Encrypt, for example.
If you only want the error message to be gone, just define a security exception in your browser. The traffic will still be encrypted even if it's the certificate that came with PBS.
If you want to use a signed certificate you have to obtain one.
I understood that you already did this via PVE? So you already have a certificate for the domain name that your PBS uses? Then you can probably copy the certificate and key from PVE to your PBS.
 
Yes, in PVE it is easy. But this is my first PBS ISO installation, and I was not able to export the CA because I did not find a file for my browser. There is only this Base64-coded fingerprint; I don't know how I can convert it. I ran a lot of tests with openssl, but without success.
 
I'm not sure if I understand what you are trying to achieve. Your browser tells you that the certificate is signed by an unknown CA. You can then define the exception and everything is fine.
If you want a valid certificate you have to obtain one and put it in /etc/proxmox-backup. At least I don't know of any other way.
 
@fireon the PBS certificate has no separate CA (PVE only has that because it's clustered), it's a single self-signed certificate.
 
Ok, so the sign is in the certificate? If yes, it is not importable in the web browser.
 

For what it's worth:
Next to my "main" cluster (3 hosts) sits my "backup server" (repurposed QNAP TS-853A).
On the backup server "bare metal", PVE is installed (standalone, not part of the cluster) together with PBS.

PVE is configured using Let's Encrypt SSL certificates.

I have a weekly cron doing this to synchronize the Let's Encrypt certificates:
Bash:
#!/bin/bash
cp /etc/pve/nodes/lorath-adm/pveproxy-ssl.pem /etc/proxmox-backup/proxy.pem
cp /etc/pve/nodes/lorath-adm/pveproxy-ssl.key /etc/proxmox-backup/proxy.key
chown backup:backup /etc/proxmox-backup/proxy.pem
chown backup:backup /etc/proxmox-backup/proxy.pem
systemctl restart proxmox-backup.service
 
That is more useful, thx @Etienne Charlier

In my case PBS is on a different bare-metal NUC, so I will need to use `scp`.

Will try!
 
Hi!
The script might need to be adjusted slightly.
Change the second line like this
Code:
chown backup:backup /etc/proxmox-backup/proxy.pem
to
Code:
chown backup:backup /etc/proxmox-backup/proxy.key

I noticed that the fingerprint of the PBS changed when updating certificates. This solution is not the best, as the fingerprint needs to be updated manually on the PVE side.
Was it an issue for you and how do you tackle it?
 
Yes I saw the typo and thx!

Still wonder why this is not integrated into pbs ?!
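
The copy-and-restart job discussed in this thread, reworked as an added example that is not any poster's own script: it applies the `proxy.key` ownership correction, checks that the key belongs to the certificate before touching PBS, and replaces files and restarts only when the certificate actually changed, printing the new fingerprint so it can be updated on the PVE side. The defaults are the paths, owner and restart command quoted above; the `SRC_DIR`, `DST_DIR`, `OWNER` and `RESTART_CMD` variables and the 640/644 file modes are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Defaults are the paths, owner and restart
# command quoted in the thread; variable names and file modes are assumptions.
SRC_DIR="${SRC_DIR:-/etc/pve/nodes/lorath-adm}"
DST_DIR="${DST_DIR:-/etc/proxmox-backup}"
OWNER="${OWNER:-backup:backup}"
RESTART_CMD="${RESTART_CMD:-systemctl restart proxmox-backup.service}"

# Copy $1 over $2 with mode $3 only if the contents differ.
# Returns 0 = replaced, 1 = already identical, 2 = error.
install_if_changed() {
    [ -r "$1" ] || return 2
    if [ -f "$2" ] && cmp -s "$1" "$2"; then return 1; fi
    tmp="$2.new.$$"
    # umask keeps the temporary copy of the key unreadable to other users
    ( umask 077; cp "$1" "$tmp" ) || return 2
    if chown "$OWNER" "$tmp" && chmod "$3" "$tmp" && mv -f "$tmp" "$2"; then
        return 0
    fi
    rm -f "$tmp"; return 2
}

# True when the private key $2 belongs to the certificate $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# SHA-256 fingerprint of certificate $1 as colon-separated hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

sync_certs() {
    key_matches_cert "$SRC_DIR/pveproxy-ssl.pem" "$SRC_DIR/pveproxy-ssl.key" || {
        echo "certificate and key do not match; PBS files left untouched" >&2; return 2; }
    changed=0
    rc=0; install_if_changed "$SRC_DIR/pveproxy-ssl.key" "$DST_DIR/proxy.key" 640 || rc=$?
    case $rc in 0) changed=1 ;; 2) return 2 ;; esac
    rc=0; install_if_changed "$SRC_DIR/pveproxy-ssl.pem" "$DST_DIR/proxy.pem" 644 || rc=$?
    case $rc in 0) changed=1 ;; 2) return 2 ;; esac
    [ "$changed" -eq 1 ] || return 0   # nothing renewed: no restart, same fingerprint
    $RESTART_CMD || return 2
    echo "new PBS fingerprint: $(cert_fingerprint "$DST_DIR/proxy.pem")"
}

if [ "${1:-}" = "sync" ]; then sync_certs; fi   # e.g. from cron: <script> sync
```

Because unchanged files are skipped, the fingerprint only changes on the runs where the certificate was actually renewed.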
 