[SOLVED] PBS 500 Error when scanning data stores

killerherts

Member
Apr 12, 2020
14
2
8
34
I am using caddy to reverse proxy to my lan from my VPS in order to create a offsite backup using remote sync.
I use wireguard to connect my vps to my home hence to avoid exposing my ip directly.

I set up acme certs on proxmox backup server so that it had a real cert. But when i go to sync my datastore i get a 500 ssl error connecting to my tld.
1695954432731.png
 
I am using caddy to reverse proxy to my lan from my VPS in order to create a offsite backup using remote sync.
I use wireguard to connect my vps to my home hence to avoid exposing my ip directly.

I set up acme certs on proxmox backup server so that it had a real cert. But when i go to sync my datastore i get a 500 ssl error connecting to my tld.
View attachment 55948
Hi,
if you use a reverse proxy, the reverse proxy needs to transparently pass the TLS traffic to the host, seems like you terminate your TLS connection on the reverse proxy and not the PBS host.

If you use Wireguard as VPN solution, then I don't see why you should need the reverse proxy to begin with, the whole point of the VPN is to create a virtual private network, so you should be able to connect to the host directly.
 
Hi,
if you use a reverse proxy, the reverse proxy needs to transparently pass the TLS traffic to the host, seems like you terminate your TLS connection on the reverse proxy and not the PBS host.

If you use Wireguard as VPN solution, then I don't see why you should need the reverse proxy to begin with, the whole point of the VPN is to create a virtual private network, so you should be able to connect to the host directly.
So I am not connecting my sites with wireguard as the sites don't have the ability to control their own ports. But I agree that approach makes a lot more sense.

In case anyone finds this the issue turned out to be exactly what was purposed. Caddy is a layer 7 http server so it doesn't have the ability to pass on the tls termination to pbs. They do have a app that will allow you 2 do layer 4 passing but I have not got there.

My remote sites are using cloudflared I order to expose themselves without the ability to port manage.


Thanks again for leading me in the right direction back to the drawing board. I'm starting to think just using rsync and traditional proxmox built-in backup system is going to be far easier than this approach.
 
Hi,
if you use a reverse proxy, the reverse proxy needs to transparently pass the TLS traffic to the host, seems like you terminate your TLS connection on the reverse proxy and not the PBS host.

If you use Wireguard as VPN solution, then I don't see why you should need the reverse proxy to begin with, the whole point of the VPN is to create a virtual private network, so you should be able to connect to the host directly.
I connected the networks using tailscale when i do my dataset scan now i get a tcp deadline has passed error.
i am open to any other clever ideas for dealing with instances that are behind cgnat and port forwarding isn't an option
 
I connected the networks using tailscale when i do my dataset scan now i get a tcp deadline has passed error.
i am open to any other clever ideas for dealing with instances that are behind cgnat and port forwarding isn't an option
Please make sure you also set the correct fingerprint in the remote configuration in case you are using a self signed certificate. That also might lead to the ssl error shown in you initial post.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!