proxmox-backup-client certificate check

L

lazynooblet

Member
Jan 23, 2021
21
7
8
proxmox-backup-client is refusing to connect to our PBS due to certificate mismatch:

WARNING: certificate fingerprint does not match expected fingerprint!
expected: 3f:41:a9:17:7c:49:10:4d:fc:85:3b:b4:8a:96:c3:2c:24:61:b1:22:4a:9c:63:86:7f:c9:18:54:71:41:c8:9e
certificate validation failed - Certificate fingerprint was not confirmed.
Error: error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1913:
Click to expand...

I am assuming this is because we are using LetsEncrypt and the certificate has been updated.

If I delete ~/.config/proxmox-backup/fingerprints I can connect again but have to interact with the process to approve the new thumbprint.

Is there an option/config to ignore certificate thumbprint?
 
Last edited:
hi,

if you're running the backup client from PVE, also check your /etc/pve/storage.cfg file to make sure the fingerprint there matches as well.

lazynooblet said:
I can connect again but have to interact with the process to approve the new thumbprint.
Click to expand...
should only be one time.
lazynooblet said:
Is there an option/config to ignore certificate thumbprint?
Click to expand...
no... that would undermine the ability to verify the server's authenticity and make you vulnerable to man in the middle attacks (for example a spoofed backup server taking your backups instead of the real one). EDIT: this is only true if the certificate is ignored completely (which isn't possible).

for certificates trusted by the system store you can avoid fingerprint pinning if you just delete the fingerprints file you mentioned, afterwards it shouldn't be necessary to reapprove the new fingerprint (provided the certificate is trusted by the client system)
 
Last edited:
oguz said:
hi,

if you're running the backup client from PVE, also check your /etc/pve/storage.cfg file to make sure the fingerprint there matches as well.


should only be one time.

no... that would undermine the ability to verify the server's authenticity and make you vulnerable to man in the middle attacks (for example a spoofed backup server taking your backups instead of the real one). EDIT: this is only true if the certificate is ignored completely (which isn't possible).

for certificates trusted by the system store you can avoid fingerprint pinning if you just delete the fingerprints file you mentioned, afterwards it shouldn't be necessary to reapprove the new fingerprint (provided the certificate is trusted by the client system)
Click to expand...

Thanks Oguz. 3 months later I had the same issue after deleting the fingerprints file. However, just in case anyone else has this issue, it was using proxmox-backup-client connecting to "localhost" when I should of been matching the SAN of the certificate.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom