PBS: error fetching datastores - fingerprint 'xx' not verified, abort! (500)

Did you find a solution? I just removed the fingerprint to solve the issue with ACME cert changing it and ended up with "hostname verification failed" error like you :-(
When using an ACME certificate, it's necessary to use the domain name associated with the certificate rather than the IP address of the PBS server.

Due to Proxmox frequently querying the DNS server (where attempts to resolve my PBS server's name constituted approximately 70% of my network's DNS requests) I opted to revert to a self-signed certificate.
This was done by removing my Let's Encrypt certificate and configuring the fingerprint of the self-signed certificate in Proxmox Storage.
 
I use Tailscale to generate valid TLS certs so I can connect with HTTPS + DNS name without warning from anywhere in my tailnet.

So, the PBS server has a valid CA trusted cert, thus I removed the fingerprint from my storage config /etc/pve/storage.cfg

Now, I get the 500 Can't connect to 192.168.20.55:8007 (hostname verification failed) error.

I could change the server line from the IP to the tailscale hostname, but then PVE would try to connect to my storage via the Tailscale network which I definitely DON'T want! What is the recommended solution here? Seems like we need a hostname or certname field in storage.cfg ??

edit: for now I "solved" this by:
  • adding 192.168.20.55 pbs.foo.ts.net to /etc/hosts (have to do this separately on all nodes)
  • updated the server line in /etc/pve/storage.cfg to point to pbs.foo.ts.net
But this is clunky at best... hope a better solution comes at some point.
 
The hostname used needs to match the server’s certificate. A hosts file entry would override DNS. A fingerprint allows a self-signed certificate to be considered valid.
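
A way to check which of the two options applies before editing storage.cfg, as an added example that is not part of the original posts or Proxmox's own code: it connects to the LAN address while validating the certificate for the certificate's name, and reads the SHA-256 fingerprint of whatever certificate is served. The function names are assumptions; the address, name and port are the ones quoted in the thread.

```python
import hashlib
import socket
import ssl
import sys


def format_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def probe(address: str, port: int, cert_name: str, timeout: float = 5.0) -> dict:
    """Connect to `address`, but validate the certificate for `cert_name`."""
    result = {"cert_name": cert_name, "verified": True, "error": None}
    strict = ssl.create_default_context()  # system CA store + hostname check
    try:
        with socket.create_connection((address, port), timeout=timeout) as sock:
            with strict.wrap_socket(sock, server_hostname=cert_name):
                pass
    except ssl.SSLCertVerificationError as exc:
        result.update(verified=False, error=exc.verify_message)
    # Second handshake without validation, only to read the certificate bytes.
    loose = ssl.create_default_context()
    loose.check_hostname = False
    loose.verify_mode = ssl.CERT_NONE
    with socket.create_connection((address, port), timeout=timeout) as sock:
        with loose.wrap_socket(sock, server_hostname=cert_name) as tls:
            result["fingerprint"] = format_fingerprint(tls.getpeercert(binary_form=True))
    return result


def advice(result: dict) -> str:
    """Map the probe result to the two options discussed in the thread."""
    if result["verified"]:
        return f"server {result['cert_name']} (no fingerprint needed)"
    return f"fingerprint {result['fingerprint']} ({result['error']})"


if __name__ == "__main__":
    # Defaults are the address and name from the thread; port 8007 is from the error message.
    address = sys.argv[1] if len(sys.argv) > 1 else "192.168.20.55"
    cert_name = sys.argv[2] if len(sys.argv) > 2 else "pbs.foo.ts.net"
    print(advice(probe(address, 8007, cert_name)))
```

The fingerprint is read over an unvalidated connection, so compare it with the fingerprint the PBS server itself reports before pinning it.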