PBS S3 backups fail after DreamHost rotates SSL cert

chudak

May 11, 2019
I’m using Proxmox Backup Server with a DreamHost S3 endpoint. Since upgrading to PBS 4 about a week ago, I’ve already hit TLS errors that stop backups. It happened within days.

When it fails, running openssl s_client against the endpoint shows a different SHA256 fingerprint than before. Updating the fingerprint in /etc/proxmox-backup/s3.cfg and reloading PBS fixes it — but only until the next change.

Example error:

POST /api2/json/access/ticket: 400 Bad Request: [client [::ffff:…]]
Plus TLS/HTTP errors in the S3 task logs.

What I’ve noticed:

The endpoint can resolve to multiple IPs, and some of them present different certs.

DreamHost appears to change certs or intermediates more often than expected (possibly load balancer/CDN behavior).

Possible solutions I’m considering:

Make PBS use the system CA store instead of a pinned cert.

If pinning is required, run a cron job to grab the current chain and refresh PBS trust automatically.

Force PBS to reload trust/chain data without manual restarts.

Has anyone else run into this with DreamHost S3? How did you make it stable?
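The fingerprint comparison described in the post above, as an added example that is not part of the original thread or of PBS: it connects to every IP the endpoint name resolves to, records the SHA-256 fingerprint of the leaf certificate each one serves, and separates a pin mismatch that still validates against the system CA store from one that does not. The endpoint name and pinned fingerprint are command-line arguments, and all function names are this example's own.

```python
import hashlib, socket, ssl, sys

def sha256_fp(der: bytes) -> str:
    """SHA-256 of a DER certificate as lowercase colon-separated hex."""
    h = hashlib.sha256(der).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def normalize(fp: str) -> str:
    """Accept bare hex or openssl-style 'AA:BB:...' and return the same form."""
    h = fp.replace(":", "").strip().lower()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def resolve(host: str, port: int = 443) -> list:
    """Every address the endpoint name currently resolves to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe(ip: str, host: str, port: int = 443, timeout: float = 5.0):
    """Return (fingerprint, ca_ok) for the leaf certificate one IP serves."""
    for verify in (True, False):
        ctx = ssl.create_default_context()  # system CA store
        if not verify:  # inspection only: read the cert although it is untrusted
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        try:
            with socket.create_connection((ip, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:  # SNI = host
                    return sha256_fp(tls.getpeercert(binary_form=True)), verify
        except ssl.SSLCertVerificationError:
            continue  # retry without validation to capture the fingerprint

def audit(pinned: str, observed: dict) -> dict:
    """Classify {ip: (fingerprint, ca_ok)} against the pinned fingerprint."""
    pin, report = normalize(pinned), {}
    for ip, (fp, ca_ok) in observed.items():
        if fp == pin:
            report[ip] = "pin-match"
        elif ca_ok:
            report[ip] = "pin-mismatch, CA-valid"      # consistent with rotation
        else:
            report[ip] = "pin-mismatch, CA-INVALID"    # investigate before trusting
    return report

if __name__ == "__main__":
    host, pinned = sys.argv[1], sys.argv[2]  # endpoint name, fingerprint from s3.cfg
    observed = {ip: probe(ip, host) for ip in resolve(host)}
    for ip, verdict in audit(pinned, observed).items():
        print(ip, observed[ip][0], verdict)
```

A mix of "pin-match" and "pin-mismatch, CA-valid" across IPs corresponds to the situation the post describes, where different addresses behind one name present different certificates.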
 
I have no experience with your specific issue but it looks like you really want someone to look into it.
There is a separate forum for PBS: https://forum.proxmox.com/forums/proxmox-backup-installation-and-configuration.24/
It's the weekend in Europe; not many volunteers on the forum and virtually no staff.
If you want Proxmox staff members on call then use one of your (paid) support tickets.
I don't think this is a bug. I would expect the fingerprint to be optional. If you want PBS to NOT check the fingerprint then just remove the fingerprint from your configuration, maybe?
If you DO want PBS to check the fingerprint but it changes too often on the other side then you need to ask DreamHost S3 to stop changing it.

EDIT: I think Tuxis had something similar: https://forum.proxmox.com/threads/t...-server-beta-service.76320/page-7#post-434776
 
Fingerprints are only needed for self-signed certificates; for a normal certificate you really don't want to use a fingerprint, or it'll break each time the certificate is changed/refreshed.
 
I think I see the problem with or without fingerprints
But it’s possible that I have a mix of backup with both
So testing

Thx
 
Backed up to DreamHost S3 without fingerprints
Restore still failed

error before or during data restore, some or all disks were not completely restored. VM 104 state is NOT cleaned up.
TASK ERROR: command '/usr/bin/pbs-restore --repository root@pam@192.168.90.5:pbs-backups12 vm/104/2025-08-17T20:43:43Z drive-scsi0.img.fidx /dev/VMs/vm-104-disk-0 --verbose --format raw' failed: exit code 255