PBS: error fetching datastores - fingerprint 'xx' not verified, abort! (500)

[aroundmyroom]

After last update and reboot of PBS proxmox tells on my 3 nodes that I have a finger print issue

When pressing on the PBS datastore, Backups I see
PBS: error fetching datastores - fingerprint 'xxxxxxxxxx' not verified, abort! (500)

Due to this no backups can be made right now
What to do to verify the fingerprint?

The only thing I did before was - update and install my wildcard certificate onto PBS

update ..
just found that in the datacenter I could change the fingerprint what was given when I got the error. replacing this fingerprint and it was solved..

 

[dietmar]

If you change the certificate on the PBS server, you also need to change the configured fingerprint on the pve client.

 

[aroundmyroom]

@dietmar Yeah, that was / is not clear from the message .. I saw the new function to add the certificate, but it gave me no hint that I had to do that Possibly available in the manual but could not find it
but in the end I found out it myself where I could change it.

 

[networ]

I couldn't find it in the web interface so I did it in command line on the VE node (for backup storage named PBSNINA):
pvesm set PBSNINA --fingerprint 47:d0:cc:0d:87...24:25

 

[lazynooblet]

Does that mean if we enable LetsEncrypt we will need to adjust the host nodes each time the certificates are renewed?

 

[kenneth_vkd]

Hi
We are running PBS 1.x in production with a LetsEncrypt cert and I can confirm that each time the cert is renewed, the fingerprint seems to change and backups are not running until we manually update the fingerprint for the storage in the PVE Cluster.
We have a lab-setup where PBS is still running the default self-signed cert and no interruption has been detected there throughout running PBS 1.x and even now with PBS 2.x it works fine

 

[dcsapak]

just to note: if your pbs server has a certificate that is seen as valid by the pve host, there is no need to specify a fingerprint at all in the config. this way you do not need to adapt it everytime
the fingerprint is mainly there to verify 'custom' certificates and for the super-paranoid

 

[proxwolfe]

Just ran into the same issue.

Updating PBS's fingerprint in the client was easy enough (Datacenter > Storage > Edit).

But

just to note: if your pbs server has a certificate that is seen as valid by the pve host, there is no need to specify a fingerprint at all in the config.

My PBS's new certificate is self signed as well. So how do I tell the client (PVE) to trust it?

Thanks!

 

[dcsapak]

My PBS's new certificate is self signed as well. So how do I tell the client (PVE) to trust it?

if it's self-signed, providing the fingerprint is enough for pve, no need to trust it system-wide

 

[Herman]

It would be nice if the tutorial would mention that you should not use the fingerprint when using Let's encrypt certificates.

 

[koolandrew]

Hi, i am running into this same situation all of a sudden. As far as i know, there have been no changes made. However, the solutions above are confusing to me.
The fingerprint that is putting up the error is the same one in each of the nodes under datacenter->storage->name of pmb->edit->general.

I dont see where this is located in the pmb server itself, if i am supposed to add it there.

I really need to restore a corrupted vm, could someone please guide me.

 

[koolandrew]

I have found the command for determining the fingerprint in the proxmox back up server and it is the same as in the nodes, so i am not clear why i am getting this error all of a sudden.

This is the command by the way,

proxmox-backup-manager cert info | grep Fingerprint

 

[scyto]

Hi, i am running into this same situation all of a sudden. As far as i know, there have been no changes made. However, the solutions above are confusing to me.
The fingerprint that is putting up the error is the same one in each of the nodes under datacenter->storage->name of pmb->edit->general.

I dont see where this is located in the pmb server itself, if i am supposed to add it there.

I really need to restore a corrupted vm, could someone please guide me.

as an FYI in the GUI on the PBS server it is dashboard > show fingerprint (blue button in top right)
on my machine this was caused by LE renewing the cert in the last 3 weeks.... which is less than ideal....

 

[lazynooblet]

@scyto see post #7 -- leave the certificate thumbprint blank

 

[cunni]

as an FYI in the GUI on the PBS server it is dashboard > show fingerprint (blue button in top right)
on my machine this was caused by LE renewing the cert in the last 3 weeks.... which is less than ideal....

Thank you!!! This saved me! Wish this had been mentioned earlier

 

[scyto]

@scyto see post #7 -- leave the certificate thumbprint blank

Thanks, just implemented, still have issues - i think because my storage uses the IP address instead of the hostname.... can i just delete and recreate the storage using the same parameters and the hostname instead?

 

[Wasca]

I've tried removing the fingerprint value, however when I try to view the backups I get the following error....

NFS-BACKUP: error fetching datastores - 500 Can't connect to 192.168.16.61:8007 (hostname verification failed) (500)

Any way around this?

 

[CelticWebs]

Sorry to dig up an old post but it covers what I'm looking for.

I just realised a node wasn't backing up. when looking, it state the error about the fingerprint not being verified. Am I going to have to change fingerprint every time the ACME cert is updated?

 

[dietmar]

I just realised a node wasn't backing up. when looking, it state the error about the fingerprint not being verified. Am I going to have to change fingerprint every time the ACME cert is updated?

You do not need a fingerprint if you use ACME, because that generate correctly signed certificates.

 

[johny_mnemonic]

I've tried removing the fingerprint value, however when I try to view the backups I get the following error....

NFS-BACKUP: error fetching datastores - 500 Can't connect to 192.168.16.61:8007 (hostname verification failed) (500)

Any way around this?

Did you find a solution? I just removed the fingerprint to solve the issue with ACME cert changing it and ended up with "hostname verification failed" error like you :-(