[SOLVED] PBS certificate validation fails even with updated fingerprint set

Hi,
Yesterday I updated the certificate on PBS with a new self-signed cert (uploaded a proxy.pem containing the cert and the root CA that signed it; I don't have an intermediate CA in my lab setup) and my PBS backups on PVE started to fail.
Then I remembered that the fingerprint had changed, so I updated it in the definition of the PBS storage on my PVE.
I'm sure I've set the new fingerprint, since I've checked it both from the GUI and from the CLI:

Bash:
# on PBS
root@ProxmoxBackupServer:~# openssl x509 -in /etc/proxmox-backup/proxy.pem -noout -fingerprint -sha256
SHA256 Fingerprint=35:99:8A:E9:AC:DD:2C:A0:92:D5:B0:61:A9:DC:AA:88:03:72:4C:65:70:C4:95:10:74:CF:EB:29:8E:D5:8E:CC

# Check /etc/pve/storage.cfg
pbs: proxmox-backup-server-sata-2TB
        datastore sata-backup-pbs
        server 10.0.0.5
        content backup
        fingerprint 35:99:8a:e9:ac:dd:2c:a0:92:d5:b0:61:a9:dc:aa:88:03:72:4c:65:70:c4:95:10:74:cf:eb:29:8e:d5:8e:cc
        prune-backups keep-all=1
        username root@pam

Backups keep failing... what can be the cause? I've tried to define a new PBS storage for testing too and the same happens... any help?

Bash:
# proxmox-backup-client status --repository "root@pam@10.0.0.5:8007:sata-backup-pbs"
Password for "root@pam": *******
certificate validation failed - context depth != 0
Error: error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1914:

NOTE: I had to upload my root CA to /usr/local/share/ca-certificates/ and run update-ca-certificates to make it work, thus avoiding the need for fingerprint verification. Thanks to @resoli for pointing me at the solution in this thread. BTW, does the fingerprint check fail due to the full chain being returned?
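The manual comparison the post walks through (the openssl fingerprint versus the `fingerprint` line in storage.cfg), as an added example that is not code from the post or from Proxmox: it parses storage.cfg, normalizes the uppercase colon-separated openssl output against the lowercase form PVE stores, and hashes only the single leaf certificate the server presents, which is the certificate a pinned fingerprint refers to rather than the CA or the whole chain. The storage.cfg sample is constructed from the values quoted in the post; `fetch_leaf_fingerprint` assumes the PBS API port 8007 from the repository string above.

```python
import hashlib
import re
import ssl

# Constructed sample of /etc/pve/storage.cfg, modelled on the entry quoted in the post
SAMPLE_STORAGE_CFG = """\
pbs: proxmox-backup-server-sata-2TB
        datastore sata-backup-pbs
        server 10.0.0.5
        content backup
        fingerprint 35:99:8a:e9:ac:dd:2c:a0:92:d5:b0:61:a9:dc:aa:88:03:72:4c:65:70:c4:95:10:74:cf:eb:29:8e:d5:8e:cc
        prune-backups keep-all=1
        username root@pam
"""

def normalize_fingerprint(text):
    """Accept 'SHA256 Fingerprint=AA:BB:..', 'aa:bb:..' or bare hex; return 64 lowercase hex digits."""
    hexpart = text.split("=", 1)[-1].replace(":", "").strip().lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexpart):
        raise ValueError("not a SHA-256 fingerprint: %r" % text)
    return hexpart

def parse_storage_cfg(cfg_text):
    """Parse storage.cfg into {storage_name: {'type': ..., property: value}}."""
    storages, current = {}, None
    for line in cfg_text.splitlines():
        head = re.match(r"^(\w+):\s+(\S+)\s*$", line)
        if head:  # 'pbs: name' opens a new section
            current = storages.setdefault(head.group(2), {"type": head.group(1)})
        elif line.strip() and current is not None:
            key, _, value = line.strip().partition(" ")  # indented 'key value'
            current[key] = value.strip()
    return storages

def leaf_fingerprint_from_pem(pem):
    """SHA-256 over the DER bytes of ONE certificate: the value a pinned 'fingerprint' refers to."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def fetch_leaf_fingerprint(host, port=8007):
    """Fetch only the end-entity certificate the server presents (no chain validation) and hash it."""
    return leaf_fingerprint_from_pem(ssl.get_server_certificate((host, port)))

def storage_fingerprint_matches(cfg_text, storage_name, presented):
    """True if the pinned fingerprint for a pbs storage equals the fingerprint actually presented."""
    entry = parse_storage_cfg(cfg_text)[storage_name]
    if entry["type"] != "pbs" or "fingerprint" not in entry:
        raise KeyError("%s is not a pbs storage with a pinned fingerprint" % storage_name)
    return normalize_fingerprint(entry["fingerprint"]) == normalize_fingerprint(presented)
```

On a PVE node, `storage_fingerprint_matches(open("/etc/pve/storage.cfg").read(), "proxmox-backup-server-sata-2TB", fetch_leaf_fingerprint("10.0.0.5"))` tells you whether the pinned value is the hash of the leaf the server actually sends, independent of any chain or OS trust store.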
@MightySlaytanic, you are absolutely correct; clearly it's a bug. PBS_FINGERPRINT should always work, whether the certificate is expired, self-signed or using a chain. If PBS_FINGERPRINT is set and the server has a valid trusted cert but a different fingerprint, the client should not connect.

I spent hours tackling it; it's very intuitive. 3 years, still there. Sending my love to Proxmox and hoping this gets fixed.

It appears that it's the same problem with PVE connecting to PBS. Saving the fingerprint will not work when PBS is using a certificate chain with a CA. The CA must be trusted by the OS. For Debian-like OSes I did it this way: https://grumpytechie.net/2020/02/25/adding-custom-root-ca-certificates-to-debian/