pmg-api.pem file changes to old one after a day

Mohammad Azam

Oct 29, 2020
Recently I installed SSL on my two PMG servers, but I noticed the SSL file (pmg-api.pem) changes to the old file (old SSL file) in a day and the fingerprint changes to the old one. Hence the cluster stops working. I tried this twice, but the next day, all the changes revert back.
Here is all that I do.
I create a .pem file for the new SSL and replace the pmg-api.pem file with the new .pem file having the same name.
And then I have to update the cluster.conf file with the new fingerprints. Everything works fine and I can see SSL updated.
But the next day, both my servers start showing the old fingerprint and hence the cluster stops working, until I change cluster.conf again.

I am not sure what is happening here. It would be helpful if anyone can help me out.
 
please post:

* the output of `pmgcm status`
* the output of `ls -lahtr /etc/pmg` (one question is if the file is a regular file or symlink or else)
* `stat /etc/pmg/pmg-api.pem`
* the contents of /etc/pmg/cluster.conf on both nodes (if you obfuscate keys/IPs, please make sure that they can still be compared, i.e. compare if they are consistent across both cluster nodes)

also check the logs for messages from pmgmirror and pmgtunnel


I hope this helps!
 
Hey @Stoiko Ivanov, thanks.


`pmgcm status`

SK
two(3) 122.99.12x.xx node A 7 days 22:35 0.53 65% 9%
one(1) 203.175.17x.xx master A 7 days 22:48 0.11 71% 1 0%


output of `ls -lahtr /etc/pmg`


drwxr-xr-x 2 root root 4.0K Apr 24 2020 dkim
-rw------- 1 root root 1.7K Jul 13 13:35 pmg-authkey.key
-rw-r--r-- 1 root root 451 Jul 13 13:35 pmg-authkey.pub
-rw-r--r-- 1 root root 0 Jul 13 13:35 tls_policy
-rw-r--r-- 1 root root 12K Jul 13 13:35 tls_policy.db
-rw-r----- 1 root www-data 206 Jul 21 17:34 ldap.conf
-rw-r----- 1 root www-data 196 Jul 22 09:55 user.conf
-rw-r--r-- 1 root root 1.6K Aug 24 13:36 domains
-rw-r--r-- 1 root root 12K Aug 24 13:36 domains.db
-rw-r--r-- 1 root root 4.1K Aug 24 13:37 transport
-rw-r--r-- 1 root root 12K Aug 24 13:37 transport.db
drwxr-xr-x 97 root root 4.0K Oct 27 22:11 ..
-rw-r--r-- 1 root root 671 Oct 27 23:16 pmg.conf
-rw-r----- 1 root www-data 1.7K Oct 27 23:28 pmg-csrf.key
drwxr-xr-x 3 root root 4.0K Oct 28 00:18 templates
-rw-r--r-- 1 root root 1.9K Oct 29 15:31 cluster.conf
drwxr-xr-x 4 root root 4.0K Oct 29 15:31 .
-rw------- 1 root root 5.2K Oct 30 11:56 pmg-tls.pem
-rw-r----- 1 root www-data 5.2K Oct 30 11:56 pmg-api.pem


`stat /etc/pmg/pmg-api.pem`

File: /etc/pmg/pmg-api.pem
Size: 5323 Blocks: 16 IO Block: 4096 regular file
Device: fd01h/64769d Inode: 4720725 Links: 1
Access: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 33/www-data)
Access: 2020-10-30 11:56:48.312835835 +0530
Modify: 2020-10-30 11:56:43.876812147 +0530
Change: 2020-10-30 11:56:43.876812147 +0530
Birth: -



I would like to explain it more.
There is no issue with the cluster.conf.

The issue is that if I install an SSL on the PMGs, after a day it reverts the SSL file back to the old one (the letsencrypt file that I used before).
And once it changes back to the old one, the cluster stops working, as I already made the fingerprint changes in the cluster with the new SSL fingerprint.

In short, if the content of pmg-api.pem is "ABCDEFG" and I change it to "XYZABCD", after a day it automatically changes back to "ABCDEFG".

This is the issue.
 
My guess would be that you still have a cronjob/systemd-timer from your letsencrypt deployment lying around, which causes the certificate to change back?

I hope this helps!
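
One way to check for the leftover cronjob/systemd-timer suggested above, as an added example that is not part of the thread. The function names, the list of ACME client names in `PATTERN` and the list of paths are assumptions; the sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example: find scheduled jobs that could rewrite /etc/pmg/pmg-api.pem.
# PATTERN is an assumption (common ACME client names), not taken from the thread.
PATTERN='certbot|acme\.sh|letsencrypt|dehydrated|pmg-api\.pem'

# Usual cron and systemd locations on a Debian-based host (assumed list).
LIVE_PATHS="/etc/crontab /etc/cron.d /etc/cron.daily /etc/cron.weekly
/var/spool/cron/crontabs /etc/systemd/system /lib/systemd/system"

# scan_jobs PATH...: print file:line:text for each matching, non-comment line.
scan_jobs() {
    local p
    for p in "$@"; do
        [ -e "$p" ] || continue
        grep -rHEn -- "$PATTERN" "$p" 2>/dev/null \
            | grep -Ev '^[^:]+:[0-9]+:[[:space:]]*#' || true
    done
}

# make_sample DIR: constructed cron/systemd files for an offline demonstration.
make_sample() {
    mkdir -p "$1/cron.d" "$1/systemd"
    printf '%s\n' '# certbot renewal (comment, must be ignored)' \
        '0 3 * * * root certbot -q renew' > "$1/cron.d/certbot"
    printf '%s\n' '[Service]' \
        'ExecStart=/root/.acme.sh/acme.sh --cron --home /root/.acme.sh' \
        > "$1/systemd/acme-renew.service"
    printf '%s\n' '17 * * * * root run-parts /etc/cron.hourly' > "$1/cron.d/other"
}

if [ "${1:-}" = "--live" ]; then
    # Word splitting of LIVE_PATHS is intended here.
    scan_jobs $LIVE_PATHS
    # Also show any timers whose unit name matches (header line kept).
    systemctl list-timers --all 2>/dev/null | grep -Ei "$PATTERN|NEXT" || true
else
    tmp=$(mktemp -d)
    make_sample "$tmp"
    scan_jobs "$tmp"
    rm -rf "$tmp"
fi
```

Run it with `--live` as root on both cluster nodes; without arguments it only scans the constructed sample.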
 
