[SOLVED] Installing on Debian 7: Error generating initial certificates

Pegasus

Hello.

I'm installing Proxmox 3.1 (per the Wiki) and will update to pve-no-subscription later since this is for an open source project build system. I've done this a few times before on other systems with no problem, but this time, initial certificate generation is failing during configuration of pve-cluster:

Code:
Error Loading request extension section v3_req
139677121398440:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:v3_utl.c:326:
139677121398440:error:22097069:X509 V3 routines:DO_EXT_NCONF:invalid extension string:v3_conf.c:139:name=subjectAltName,section=IP:127.0.0.1,DNS:localhost,IP:192.168.1.8,DNS:buildbeast,DNS:buildbeast.mixxx.org,
139677121398440:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=subjectAltName, value=IP:127.0.0.1,DNS:localhost,IP:192.168.1.8,DNS:buildbeast,DNS:buildbeast.mixxx.org,
unable to generate pve certificate request:
command 'openssl req -batch -new -config /tmp/pvesslconf-28938.tmp -key /etc/pve/nodes/buildbeast/pve-ssl.key -out /tmp/pvecertreq-28938.tmp' failed: exit code 1

I tried removing /etc/pve/priv/authkey.key and trying again as another post suggested but I get the same result.

I had initially tried installing with the 'pve-no-subscription' repo added but got this problem then too, so I unmounted /etc/pve, removed all PVE packages and tried again with just the 'pve' repo, hoping it would work correctly.

According to this article I found, it looks like there may be a problem with the subjectAltName handling in openssl, as the errors given at the bottom of that page match what I'm seeing, except that my values aren't blank.

I'm using the correct version though:
Code:
ii  openssl                 1.0.1e-2+deb7u16 amd64            Secure Socket Layer (SSL) binary and related crypto

And here's my /etc/hosts:
Code:
127.0.0.1       localhost
127.0.1.1       buildbeast.mixxx.org
192.168.1.8   buildbeast.mixxx.org   buildbeast

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

What am I doing wrong?
 
BUG! On further investigation, something's wrong with gen_pve_ssl_cert() in /usr/share/perl5/PVE/Cluster.pm: it leaves a trailing comma on the fqdn, causing the syntax error. Take a look:

Code:
RANDFILE = /root/.rnd
extensions = v3_req

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
string_mask = nombstr

[ req_distinguished_name ]
organizationalUnitName = PVE Cluster Node
organizationName = Proxmox Virtual Environment
commonName = buildbeast.mixxx.org,

[ v3_req ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = IP:127.0.0.1,DNS:localhost,IP:192.168.1.8,DNS:buildbeast,DNS:buildbeast.mixxx.org,

Sure enough, removing those commas and manually running the openssl command works.
 
Aaand I'm the problem! I had a comma separating the domains on the 'search' line in /etc/resolv.conf (manpage says to use whitespace) so Proxmox's script was dutifully copying it into the config. <facepalm>

Hopefully this helps others!
 
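A pre-flight check for the failure traced in this thread, added here as an example; it is not part of the original posts and not Proxmox code. The function names `bad_search_tokens` and `san_is_well_formed` are hypothetical, and the sample resolv.conf contents are constructed. The subjectAltName string is the one from the error log above.

```shell
#!/bin/sh
# Added example: catch a malformed resolv.conf search line, and the empty
# subjectAltName entry it leads to, before certificate generation runs.

# Print every token on the search/domain lines of a resolv.conf-style file
# that is not a plain DNS name. resolv.conf(5) separates search domains with
# whitespace, so a comma becomes part of the domain name itself.
bad_search_tokens() {
    awk '$1 == "search" || $1 == "domain" {
             for (i = 2; i <= NF; i++)
                 if ($i !~ /^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?\.?$/)
                     print $i
         }' "$1"
}

# Return 0 if every comma-separated subjectAltName entry looks like
# type:value, 1 otherwise. An empty entry (leading, trailing or doubled
# comma) is what OpenSSL rejects with "invalid null name".
san_is_well_formed() {
    printf '%s\n' "$1" | awk -F, '
        { gsub(/[ \t]/, "") }          # ignore spaces around entries
        NF == 0 { bad = 1 }            # empty value
        { for (i = 1; i <= NF; i++)
              if ($i !~ /^[A-Za-z]+:.+$/) bad = 1 }
        END { exit bad + 0 }'
}

# Constructed sample reproducing the mistake: a comma after the first domain.
demo_resolv=$(mktemp)
printf 'search mixxx.org, example.lan\nnameserver 192.168.1.1\n' > "$demo_resolv"
echo "bad search tokens: $(bad_search_tokens "$demo_resolv")"
rm -f "$demo_resolv"

# subjectAltName value taken from the error log in this thread.
san='IP:127.0.0.1,DNS:localhost,IP:192.168.1.8,DNS:buildbeast,DNS:buildbeast.mixxx.org,'
if san_is_well_formed "$san"; then
    echo "subjectAltName: ok"
else
    echo "subjectAltName: empty or malformed entry"
fi
```

On a real host, point `bad_search_tokens` at `/etc/resolv.conf`; any output means the search line needs fixing before the package is configured.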
