Joining Cluster pve-ssl.pem error

[karlsiu1]

Good days everyone.

I have a question that I tried many times and search over the Internet and got no answer. Well, I have 2 Proxmox machines fresh install. But when I join the cluster it had the pve-ssl.pem not exist error. No matter how I tried it doesn't work, so I try to make each machine join existing cluster which also runs Proxmox 8. It doesn't work too....

I am exhausted from all solutions, can anyone shed some light on me?

Thanks

 

[karlsiu1]

Cluster information
-------------------
Name:             dellvm
Config Version:   9
Transport:        knet
Secure auth:      on

Quorum information
------------------
Date:             Fri Jul 28 04:30:09 2023
Quorum provider:  corosync_votequorum
Nodes:            2
Node ID:          0x00000001
Ring ID:          1.28
Quorate:          Yes

Votequorum information
----------------------
Expected votes:   3
Highest expected: 3
Total votes:      2
Quorum:           2 
Flags:            Quorate

Membership information
----------------------
    Nodeid      Votes Name
0x00000001          1 192.168.60.31 (local)
0x00000002          1 192.168.60.30

 

[karlsiu1]

Cluster information
-------------------
Name:             dellvm
Config Version:   9
Transport:        knet
Secure auth:      on

Quorum information
------------------
Date:             Fri Jul 28 04:33:34 2023
Quorum provider:  corosync_votequorum
Nodes:            1
Node ID:          0x00000003
Ring ID:          3.5
Quorate:          Yes

Votequorum information
----------------------
Expected votes:   1
Highest expected: 1
Total votes:      1
Quorum:           1 
Flags:            Quorate

Membership information
----------------------
    Nodeid      Votes Name
0x00000003          1 192.168.60.15 (local)

 

[ggoller]

Try executing pvecm updatecerts on all the nodes, this will update node certificates (and generate all needed files/directories).

 

[tipex]

@karlsiu1 I have been struggling with the exact same problem for a long time now.

See my thread here: https://forum.proxmox.com/threads/create-cluster-problem-possibly-ssl-related.130309/

I'm kind of at the point where I have run out of options like you. Hopefully someone can help us.

 

[pgk]

Same here. Now i play with this error a week....

 

[dust2k.mf]

Same here. Now i play with this error a week....

Same here, both two new installation on two mini servers and join cluster give this error.. try all options, nothing help, I guess it's kind of bug...but we don't have supporting ticket so nobody care...

 

[clayrisser]

I'm facing the exact same issue. I'm using a Hetzner vSwitch to create a private vLAN for the cluster.

 

[nazari]

For those may have similar issue: After adding new node I got pve-ssl.pem errors in my node directory at /etc/pve/nodes/MyNode/pve-ssl.pem, as I have other nodes just I copy the pve-ssl.pem and pve-ssl.key from my other node /etc/pve/nodes/MyOtherNode/ to /etc/pve/nodes/MyNode/ broken nodes and then MyNode get working properly.

As recomandation of ggoller to Try executing pvecm updatecerts on all the nodes, then I try out manually coping file with hope of maybe it working, in my case it worked.

I'm using verions 8.0.3

Updated:
after fixing & working with MyNode I found out running this command will be useful systemctl restart pveproxy if you can migrate VMs.

 

[musta]

Solution for "SSL Certificate Missing Error ('pve-ssl.pem does not exist') in Proxmox"

After encountering the error '/etc/pve/nodes/your-node/pve-ssl.pem' does not exist! (500) in Proxmox, I found a simple solution that resolved the issue without needing to regenerate the certificates manually.

The error typically occurs when Proxmox fails to locate the SSL certificate (pve-ssl.pem) for one or more nodes, which can prevent access to the web interface.

Instead of manually regenerating the SSL certificates or making complex configuration changes, I resolved the issue with the following steps:

1. Login to each Proxmox node via SSH: On each node, use the terminal to log into the other nodes via SSH. For example:
   bash
   ssh root@<other-node-ip>
2. Repeat the process for all nodes in the cluster: This establishes an SSH trust between the nodes, and the SSL issue should automatically resolve.

Logging into the nodes via SSH forces the nodes to recognize each other and refresh the necessary credentials and certificate relationships. This simple step can often bypass the need for more complex certificate regeneration or proxy reconfiguration.

 

[stevensedory]

Solution for "SSL Certificate Missing Error ('pve-ssl.pem does not exist') in Proxmox"

After encountering the error '/etc/pve/nodes/your-node/pve-ssl.pem' does not exist! (500) in Proxmox, I found a simple solution that resolved the issue without needing to regenerate the certificates manually.

The error typically occurs when Proxmox fails to locate the SSL certificate (pve-ssl.pem) for one or more nodes, which can prevent access to the web interface.

Instead of manually regenerating the SSL certificates or making complex configuration changes, I resolved the issue with the following steps:

1. Login to each Proxmox node via SSH: On each node, use the terminal to log into the other nodes via SSH. For example:
   bash
   ssh root@<other-node-ip>
2. Repeat the process for all nodes in the cluster: This establishes an SSH trust between the nodes, and the SSL issue should automatically resolve.

Logging into the nodes via SSH forces the nodes to recognize each other and refresh the necessary credentials and certificate relationships. This simple step can often bypass the need for more complex certificate regeneration or proxy reconfiguration.

This seemed to do the trick for me as well. Thank you for sharing!

 

[esi_y]

Which version are you running this on? Because PVE now uses own "pinned" certificates for SSH and none of this has anything to do with SSL. However, this is the third time I have seen issues with SSL certs. For joining node alone, I used to suggest using SSH to do the join itself:

https://forum.proxmox.com/threads/re-adding-host-to-cluster.156303/#post-715101

And as the Proxmox culture has it, no one investigates this.

 

[enthousiast]

Good days everyone.

I have a question that I tried many times and search over the Internet and got no answer. Well, I have 2 Proxmox machines fresh install. But when I join the cluster it had the pve-ssl.pem not exist error. No matter how I tried it doesn't work, so I try to make each machine join existing cluster which also runs Proxmox 8. It doesn't work too....

I am exhausted from all solutions, can anyone shed some light on me?

Thanks

In my case I just had to refresh the browser.

 

[backpulver]

Have the same problem and i didnt found any solution.

i tried:
- connection via ssh
- updatecerts --force
- manually copy the certs
- restart services
- checked kernel version (Linux 6.8.12-8-pve (2025-01-24T12:32Z))
- reinstall new node, pvecm delnode node and rejoin same issue

the joined node still have /etc/pve/local and no nodes folger, no filesystem for cluster


any ideas or solutions? i need this cluster functions (at the moment i only have 3 of 7 nodes in my cluster...

Config Version:   19
Transport:        knet
Secure auth:      on

Quorum information
------------------
Date:             Thu Feb 27 16:56:45 2025
Quorum provider:  corosync_votequorum
Nodes:            3
Node ID:          0x00000002
Ring ID:          1.5793
Quorate:          Yes

Votequorum information
----------------------
Expected votes:   3
Highest expected: 3
Total votes:      3
Quorum:           2 
Flags:            Quorate

Membership information
----------------------
    Nodeid      Votes Name
0x00000001          1 10.0.0.11
0x00000002          1 10.0.0.12 (local)
0x00000003          1 10.2.1.11

 

[virgil246]

# Resolving Proxmox Cross-Subnet Cluster Configuration Issues

## Problem Summary
1. When adding nodes across different subnets to a Proxmox cluster, encountered the error message "pve-ssl.pem not exist"
2. Attempted to resolve by establishing SSH trust between nodes as recommended:

ssh root@<other-node-ip>

However, this approach failed to resolve the issue
3. Investigated corosync communication which was showing packet rejection messages

## Solution - Corosync Configuration
The key to resolving cross-subnet clustering was properly configuring corosync to support communication between different network segments by modifying

/etc/corosync/corosync.conf

:

logging {
  debug: off
  to_syslog: yes
}

nodelist {
  node {
    name: pve
    nodeid: 1
    quorum_votes: 1
    ring0_addr: 192.168.88.10
  }
  node {
    name: pve2
    nodeid: 2
    quorum_votes: 1
    ring0_addr: 192.168.1.11
  }
}

quorum {
  provider: corosync_votequorum
}

totem {
  cluster_name: Home
  config_version: 3
  transport: knet          # Critical for cross-subnet support
  ip_version: ipv4-6
  secauth: on
  version: 2
}

## Critical Changes
1. **Added `transport: knet`** - Kronosnet transport layer is essential for cross-subnet communication
2. **Removed incomplete interface configuration** - Let knet handle network interfaces automatically
3. **Updated config_version** - Ensured configuration was recognized as updated

## Result
After implementing these changes, the cluster successfully established communication across different subnets, and the nodes were able to join the cluster properly.

## Key Insight
When building Proxmox clusters across different subnets, the default corosync configuration is insufficient. The kronosnet (knet) transport layer must be explicitly configured to handle the routing between different network segments.


translate by Claude
Hopes these will help !

 

[labrouss]

I had the same issue while joining a node, (initialy failed due to hostname not found in DNS). I only had to start the corosync on the newly added server and then they synched.

 

[aliis.jh]

Somewhat ridiculously, I simply had to refresh the page/browser.

After initiating the "Join Cluster" action in WebUI, the connection appears to fail, but I believe the SSL certs must just change based on the cluster maybe... when I refreshed, I had to accept a new self-signed certificate on the WebUI page for the joining node.

I initially didn't want to refresh and risk breaking the join action, so this is why I searched for taking any action. Also, FYI, I also had to refresh the page on the initial cluster node (where I first created the cluster), but I did not need to accept a new self-signed certificate there.