pmg-api.pem file changes to old one after a day

Mohammad Azam

Oct 29, 2020
Recently I installed SSL on my two PMG servers, but I noticed the SSL file (pmg-api.pem) changes to the old file (old ssl file) in a day and the fingerprint changes to the old one. Hence the cluster stops working. I tried this twice, but the next day, all the changes revert back.
Here is all I do.
I create a .pem file for the new ssl and replace the pmg-api.pem file with the new .pem file having the same name.
And then I have to update the cluster.conf file with the new fingerprints. Everything works fine and I can see the ssl updated.
But the next day, both my servers start showing the old fingerprint and hence the cluster stops working, until I again change cluster.conf

I am not sure what is happening here, it would be helpful if anyone can help me out.
 
please post:

* the output of `pmgcm status`
* the output of `ls -lahtr /etc/pmg` (one question is if the file is a regular file or symlink or else)
* `stat /etc/pmg/pmg-api.pem`
* the contents of /etc/pmg/cluster.conf on both nodes (if you obfuscate keys/ips, please make sure that they can still be compared, i.e. compare if they are consistent across both clusternodes)

also check the logs for messages from pmgmirror pmgtunnel


I hope this helps!
 
Hey @Stoiko Ivanov Thanks


'pmgcms status'

SK
two(3) 122.99.12x.xx node A 7 days 22:35 0.53 65% 9%
one(1) 203.175.17x.xx master A 7 days 22:48 0.11 71% 1 0%


output of 'ls -lahtr /etc/pmg'


drwxr-xr-x 2 root root 4.0K Apr 24 2020 dkim
-rw------- 1 root root 1.7K Jul 13 13:35 pmg-authkey.key
-rw-r--r-- 1 root root 451 Jul 13 13:35 pmg-authkey.pub
-rw-r--r-- 1 root root 0 Jul 13 13:35 tls_policy
-rw-r--r-- 1 root root 12K Jul 13 13:35 tls_policy.db
-rw-r----- 1 root www-data 206 Jul 21 17:34 ldap.conf
-rw-r----- 1 root www-data 196 Jul 22 09:55 user.conf
-rw-r--r-- 1 root root 1.6K Aug 24 13:36 domains
-rw-r--r-- 1 root root 12K Aug 24 13:36 domains.db
-rw-r--r-- 1 root root 4.1K Aug 24 13:37 transport
-rw-r--r-- 1 root root 12K Aug 24 13:37 transport.db
drwxr-xr-x 97 root root 4.0K Oct 27 22:11 ..
-rw-r--r-- 1 root root 671 Oct 27 23:16 pmg.conf
-rw-r----- 1 root www-data 1.7K Oct 27 23:28 pmg-csrf.key
drwxr-xr-x 3 root root 4.0K Oct 28 00:18 templates
-rw-r--r-- 1 root root 1.9K Oct 29 15:31 cluster.conf
drwxr-xr-x 4 root root 4.0K Oct 29 15:31 .
-rw------- 1 root root 5.2K Oct 30 11:56 pmg-tls.pem
-rw-r----- 1 root www-data 5.2K Oct 30 11:56 pmg-api.pem


`stat /etc/pmg/pmg-api.pem`

File: /etc/pmg/pmg-api.pem
Size: 5323 Blocks: 16 IO Block: 4096 regular file
Device: fd01h/64769d Inode: 4720725 Links: 1
Access: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 33/www-data)
Access: 2020-10-30 11:56:48.312835835 +0530
Modify: 2020-10-30 11:56:43.876812147 +0530
Change: 2020-10-30 11:56:43.876812147 +0530
Birth: -



I would like to explain it more.
There is no issue with the cluster.conf

The issue that is coming is, if I install an SSL on the PMGs, after a day it reverts the ssl file back to the old one (the letsencrypt file that I used before).
And once it changes back to the old one, the cluster stops working as I already made the fingerprint changes in the cluster with the new SSL fingerprint.

In short, if the content of pmg-api.pem is "ABCDEFG" and I change it to "XYZABCD", after a day it automatically changes it back to "ABCDEFG".

This is the issue.
 
My guess would be that you still have a cronjob/systemd-timer from your letsencrypt deployment lying around, which causes the certificate to change back?

I hope this helps!
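
A diagnostic sketch for the situation discussed in this thread, added as an example and not posted by any participant: it lists cron entries, systemd units and renewal hooks that mention the certificate or an ACME client, then checks whether the current fingerprint of pmg-api.pem is still listed in cluster.conf. The search directories, the pattern list, and the assumption that cluster.conf stores colon-separated SHA-256 fingerprints are all assumptions.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the thread). The job directories and the
# pattern list are assumptions based on common Debian layouts; adjust them.
CERT=/etc/pmg/pmg-api.pem
CONF=/etc/pmg/cluster.conf
JOB_DIRS="/etc/crontab /etc/cron.d /etc/cron.daily /var/spool/cron/crontabs /etc/systemd/system /etc/letsencrypt/renewal-hooks"
# Strings a leftover renewal job is likely to mention (assumed list).
PATTERN='pmg-api\.pem|pmg-tls\.pem|letsencrypt|certbot|acme\.sh|dehydrated'

# Print every file under the given paths whose content matches PATTERN.
# Missing paths are skipped; "no match" is not treated as an error.
find_cert_writers() {
    for p in "$@"; do
        if [ -e "$p" ]; then
            grep -rlE "$PATTERN" "$p" 2>/dev/null || true
        fi
    done
}

# SHA-256 fingerprint (colon-separated hex) of the first cert in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed if the fingerprint appears in the cluster config (case-insensitive).
# Assumption: cluster.conf stores fingerprints in the same colon-separated form.
fingerprint_in_conf() {
    grep -qiF -- "$1" "$2"
}

report() {
    echo "== jobs/hooks mentioning the certificate or an ACME client =="
    # JOB_DIRS is intentionally unquoted so it splits into separate paths.
    find_cert_writers $JOB_DIRS
    if command -v systemctl >/dev/null 2>&1; then
        systemctl list-timers --all --no-pager
    fi
    echo "== fingerprint check =="
    fp=$(cert_fingerprint "$CERT") || return 1
    if fingerprint_in_conf "$fp" "$CONF"; then
        echo "OK: $fp is listed in $CONF"
    else
        echo "MISMATCH: $fp is not in $CONF (certificate was replaced)"
    fi
}

# Run the report only on request, so the functions can also be sourced.
if [ "${1:-}" = "--report" ]; then report; fi
```

Run it as root with `--report` on each node, once right after installing the new certificate and again after the file has reverted; a file listed in the first section is the place to look for the job that rewrites pmg-api.pem.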