Hi,
Yesterday I updated the certificate on PBS with a new self-signed cert (uploaded a proxy.pem containing the cert and the root CA that signed it; I don’t have an intermediate CA on my lab setup) and my PBS backups on PVE started to fail.
Then I remembered that the fingerprint changed, so I updated it in the definition of the PBS storage on my PVE.
I’m sure I’ve set the new fingerprint since I’ve checked it both from the GUI and from the CLI:
Bash:
# on PBS
root@ProxmoxBackupServer:~# openssl x509 -in /etc/proxmox-backup/proxy.pem -noout -fingerprint -sha256
SHA256 Fingerprint=35:99:8A:E9:AC:DD:2C:A0:92:D5:B0:61:A9:DC:AA:88:03:72:4C:65:70:C4:95:10:74:CF:EB:29:8E:D5:8E:CC
# Check /etc/pve/storage.cfg
pbs: proxmox-backup-server-sata-2TB
        datastore sata-backup-pbs
        server 10.0.0.5
        content backup
        fingerprint 35:99:8a:e9:ac:dd:2c:a0:92:d5:b0:61:a9:dc:aa:88:03:72:4c:65:70:c4:95:10:74:cf:eb:29:8e:d5:8e:cc
        prune-backups keep-all=1
        username root@pam
Backups keep failing. What can be the cause? I’ve tried to define a new PBS storage for testing too and the same happens. Any help?
Bash:
# proxmox-backup-client status --repository "root@pam@10.0.0.5:8007:sata-backup-pbs"
Password for "root@pam": *******
certificate validation failed - context depth != 0
Error: error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1914:
NOTE: I had to upload my root CA to /usr/local/share/ca-certificates/ and run update-ca-certificates to make it work, thus avoiding the need for fingerprint verification. Thanks to @resoli for pointing me at the solution in this thread. BTW, does the fingerprint check fail due to the full chain being returned?
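An added example, not part of the original post and not PBS or PVE code: a check of which certificate in a multi-certificate proxy.pem a configured fingerprint matches, since `openssl x509 -in` reads only the first certificate in the file. It assumes the fingerprint is the SHA-256 of the certificate's DER encoding, as printed by `openssl x509 -fingerprint -sha256`; the function names are hypothetical and the sample bundle holds constructed stand-in bytes, not real certificates.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)


def bundle_fingerprints(pem_text):
    """SHA-256 fingerprint of every certificate in a PEM bundle, in file order."""
    prints = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # strip line breaks first
        digest = hashlib.sha256(der).hexdigest()
        prints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    return prints


def normalize(fp):
    """Lowercase and drop separators so the openssl (upper-case) and
    storage.cfg (lower-case) spellings compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def locate_pin(pem_text, configured_fp):
    """Index of the bundle entry the configured fingerprint matches, or None.
    Index 0 is the first certificate in the file; a higher index means the
    pin refers to a CA certificate further down the bundle."""
    want = normalize(configured_fp)
    for idx, fp in enumerate(bundle_fingerprints(pem_text)):
        if normalize(fp) == want:
            return idx
    return None


def to_pem(der):
    """Wrap raw bytes in PEM certificate armor (helper for the sample data)."""
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Constructed stand-in bytes, NOT real certificates: a fingerprint is only a
# hash over the DER bytes, so any byte string demonstrates the comparison.
LEAF_DER = b"constructed leaf certificate bytes"
ROOT_DER = b"constructed root CA bytes"
SAMPLE_BUNDLE = to_pem(LEAF_DER) + to_pem(ROOT_DER)

if __name__ == "__main__":
    for i, fp in enumerate(bundle_fingerprints(SAMPLE_BUNDLE)):
        print(i, fp)
```

On a real host, pass the contents of the proxy.pem and the `fingerprint` value from the storage definition to `locate_pin`.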