Proxmox complains when importing Step-CA root certificate bundle chain

aarcane

Jul 28, 2015
So I set up a step-ca ACME certificate authority to get proxmox and other things valid internal certificates so I can manage trust using internal domain names. This shouldn't be too much of a stretch. Here's the thing, I can't upload the Root CA to proxmox to be able to register.

When I go to Machine-Name->System->Certificates and click "Upload Custom Certificate" I can browse for my certificate chain, as seen below, and everything else other than proxmox can parse it, but Proxmox says "key: invalid format - not a valid PEM-formatted string."

Code:
pvenode acme account register seasonal aarcane@aarcane.org --directory https://ca-vii.aarcane.info/acme/acme/directory

Attempting to fetch Terms of Service from 'https://ca-vii.aarcane.info/acme/acme/directory'..
Error: GET to https://ca-vii.aarcane.info/acme/acme/directory
Can't connect to ca-vii.aarcane.info:443 (certificate verify failed)

SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed at /usr/share/perl5/LWP/Protocol/http.pm line 50.


Code:
aarcane@ca-vii:~ $ file chain.crt
chain.crt: PEM certificate
aarcane@ca-vii:~ $ cat chain.crt
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Edited to add the pvenode acme output
 

If you want PVE to trust that CA, you need to put it into the system's trust store. See man update-ca-certificates for how to do that on Debian-based systems such as PVE - the "local" dir is where sysadmin-provided CAs go.
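One way to carry out the advice in the reply above, as an added example that is not part of the original thread: the script splits a PEM bundle such as chain.crt into one .crt file per certificate under /usr/local/share/ca-certificates and then runs update-ca-certificates. The function names, the `internal-ca` file prefix and the one-certificate-per-file split are choices of this example; it also refuses any bundle that contains a private key, since the trust store is world-readable.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not Proxmox or step-ca tooling).
# Usage on the PVE node, as root:
#   . ./install-ca.sh && install_ca_bundle chain.crt step-ca
# Then re-run the failing "pvenode acme account register ..." command.

# Split BUNDLE into DEST/PREFIX-N.crt, one certificate per file.
# Prints the number of certificates written; fails if there are none.
split_ca_bundle() {
    bundle=$1 dest=$2 prefix=${3:-internal-ca}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    # Only public certificates belong in the trust store.
    if grep -q -e 'PRIVATE KEY-----' "$bundle"; then
        echo "$bundle contains a private key, refusing" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1
    awk -v dest="$dest" -v prefix="$prefix" '
        /-----BEGIN CERTIFICATE-----/ {
            n++
            out = sprintf("%s/%s-%d.crt", dest, prefix, n)
            inside = 1
        }
        inside { print > out }
        /-----END CERTIFICATE-----/ { if (inside) close(out); inside = 0 }
        END { print n + 0; exit (n == 0) }
    ' "$bundle"
}

# Install the bundle into the "local" CA directory and rebuild the
# system trust store. Needs root.
install_ca_bundle() {
    local_dir=/usr/local/share/ca-certificates
    count=$(split_ca_bundle "$1" "$local_dir" "${2:-internal-ca}") || return 1
    echo "wrote $count certificate(s) to $local_dir" >&2
    update-ca-certificates
}
```
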
 
