New install pve 8.2 on Debian 12 certificate blocks GUI

[lifeboy]

I have done fresh install on a Debian 12 cloud host and all went well I thought, except that port 8006 is not responding. (I followed the documentation here)

I the logs I find this:

Jun 04 17:52:23 pmx1 pveproxy[12734]: /etc/pve/local/pve-ssl.pem: failed to use local certificate chain (cert_file or cert) at /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 2025.

repeated at regular intervals.

So from various posts I gathered that I have to do pvecm updatecerts --force but this gives me the following error.

# pvecm updatecerts --force
(re)generate node files
generate new node certificate
Error checking request extension section v3_req
40D748CD677F0000:error:11000076:X509 V3 routines:a2i_GENERAL_NAME:bad ip address:../crypto/x509/v3_san.c:556:value=fe80::f816:3eff:fe5a:e24a%ens3
40D748CD677F0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:../crypto/x509/v3_conf.c:48:section=v3_req, name=subjectAltName, value=IP:127.0.0.1,IP:::1,DNS:localhost,IP:fe80::f816:3eff:fe5a:e24a%ens3,DNS:pmx1,DNS:pmx1..
unable to generate pve certificate request:
command 'openssl req -batch -new -config /tmp/pvesslconf-10477.tmp -key /etc/pve/nodes/pmx1/pve-ssl.key -out /tmp/pvecertreq-10477.tmp' failed: exit code 1

I have a valid ip address and the internet connection works.

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fa:16:3e:5a:e2:4a brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 154.65.99.47/20 metric 100 brd 154.65.111.255 scope global dynamic ens3
       valid_lft 38595sec preferred_lft 38595sec
    inet6 2c0f:fce8:4000:4000:0:1:0:320/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe5a:e24a/64 scope link
       valid_lft forever preferred_lft forever

This is temporary server, but I'm looking toward something like this in production at some stage. How do I figure out what the problem is?

 

[gfngfn256]

What does your cat /etc/hosts show

 

[lifeboy]

# cat /etc/hosts
127.0.0.1    localhost
::1        localhost ip6-localhost ip6-loopback
ff02::1        ip6-allnodes
ff02::2        ip6-allrouters

 

[gfngfn256]

Well it appears your missing your IP address & hostname which should appear on the second line as in docs.

 

[lifeboy]

This host gets a dynamic ip address as per the cloud provider's settings. Do I have to have the address set in the hosts file?

inet 154.65.99.47/20 metric 100 brd 154.65.111.255 scope global dynamic ens3

 

[gfngfn256]

This host gets a dynamic ip address

I noticed that before from your IP a output. I still imagine the /etc/hosts must contain an IP address & hostname. The IP to (local) domain name still needs to be resolved.

 

[lifeboy]

# cat /etc/hosts
127.0.0.1    localhost
154.65.99.47    pmx1
::1        localhost ip6-localhost ip6-loopback
ff02::1        ip6-allnodes
ff02::2        ip6-allrouters

# pvecm updatecerts --force
(re)generate node files
generate new node certificate
merge authorized SSH keys
creating directory '/etc/pve/firewall' for observed files
creating directory '/etc/pve/ha' for observed files
creating directory '/etc/pve/mapping' for observed files
creating directory '/etc/pve/priv/acme' for observed files
creating directory '/etc/pve/sdn' for observed files

It's seem you're quite correct on the hosts file issue!

 

[gfngfn256]

1. If that address is really dynamic & can change, you may have to think what steps to take.

2. Your entry (that you added) isn't complete. Take a look at the link I posted.
It probably/maybe should read:

154.65.99.47 pmx1.local pmx1

This will depend on your PVE installation. But you get the idea.