Hi,
I have a pretty stable system.
My PBS instance never gave me a problem until my certs got renewed.
I have noticed this later that on my proxmox cluster, I have lost connection with PBS.
Inspecting further, my new certs used the new LE CA YE1 and it appears this is not trusted by Proxmox.
checking /etc/ssl/certs
I only see
ISRG_Root_X1.pem
ISRG_Root_X2.pem
ISRG_Root_YR and ISRG_Root_YE are missing from the trust store.
Based on this page
https://letsencrypt.org/2025/11/24/gen-y-hierarchy
as a workaround adding the missing corresponding root cert to the fullchain then uploading the cert like that should fix this issue, however, at most this will be a temporary solution since LE does not provide the root by default in the fullchain. (I am not using the built-in proxmox certificate script due to rate limiting issues, I am just copying them over when they get renewed.)
Any other way to fix this or is there any plan for these additional root CAs to be included in the system store trust?
I have a pretty stable system.
My PBS instance never gave me a problem until my certs got renewed.
I have noticed this later that on my proxmox cluster, I have lost connection with PBS.
Inspecting further, my new certs used the new LE CA YE1 and it appears this is not trusted by Proxmox.
checking /etc/ssl/certs
I only see
ISRG_Root_X1.pem
ISRG_Root_X2.pem
ISRG_Root_YR and ISRG_Root_YE are missing from the trust store.
Based on this page
https://letsencrypt.org/2025/11/24/gen-y-hierarchy
as a workaround adding the missing corresponding root cert to the fullchain then uploading the cert like that should fix this issue, however, at most this will be a temporary solution since LE does not provide the root by default in the fullchain. (I am not using the built-in proxmox certificate script due to rate limiting issues, I am just copying them over when they get renewed.)
Any other way to fix this or is there any plan for these additional root CAs to be included in the system store trust?