Proxmox is not accepting self-signed cert anymore

[Imad Daou]

Dear Proxmox,

If I install valid certificate, my spice console stops working and it gives me an error when I try to console in, and If I revert back to self-signed certificate, I can't login to the system anymore. It's catch 22.

How to tell ProxMox to accept self-signed certs again? Or, if that is not possible, how to to let Spice console work with Valid certificate?

Please help. Thank you!

Here is the Firefox/Waterfox Security Issue if I try to use self-signed cert.

Did Not Connect: Potential Security Issue

Waterfox detected a potential security threat and did not continue to imad-pve.imaddaou.com because this website requires a secure connection.

What can you do about it?

imad-pve.imaddaou.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Waterfox can only connect to it securely. You can’t add an exception to visit this site.

The issue is most likely with the website, and there is nothing you can do to resolve it.

If you are on a corporate network or using anti-virus software, you can reach out to the support teams for assistance. You can also notify the website’s administrator about the problem.



Learn more…

 

[dcsapak]

seems you have configured hsts ? here is a thread how you might remove that again from firefox: https://support.mozilla.org/en-US/questions/919498

how do you change the certificate? did you see the docs? https://pve.proxmox.com/wiki/Certificate_Management

 

[Imad Daou]

@dcsapak Thank you! I have restoed the self-signed cert and was able to use it following your link, but I had to use waterfox private window. Now my Spice client is working! :0) Any idea how to fix the Spice Client since it's NOT working with valid certificate. isn't that strange, it should be the way around.

 

[dcsapak]

the Spice Client since it's NOT working with valid certificate.

are you sure you set the correct certificate? check the link i posted (you should not replace the existing certificate)

 

[Imad Daou]

Dear @dcsapak thank you so much, I nailed it :0) For some reason I found the steps in the link and admin pdf file were very confusing for me. So I put the steps together as show below for others to use as well. Thank you again, you guys rock!

# How to add valid certificate to ProxMox Web Interface

#
# Method 1: Create cert using ACME/Let'sEncrypt
#

# Certificate will be renewed automatically every three months

# Requirements
Port 80 of the node needs to be reachable from the internet.

Or, DNS Validation through CNAME Alias

# A special alias mode can be used to handle the validation on a different domain/DNS server, in case your primary/real DNS does not support provisioning via an API. Manually set up a permanent CNAME record for _acme-challenge.domain1.example pointing to _acme-challenge.domain2.example and set the alias property in the Proxmox VE node configuration file to domain2.example to allow the DNS server of domain2.example to validate all challenges for domain1.example.

# If you are running nginx as proxy stop to finish the process
systemctl stop nginx

# Create ACME account
pvenode acme account register <node> admin@example.com

# Next, head to the GUI under each Node > Certificates > ACME > Order Certificates Now
# You should see the progress as follows

Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/121903827/9396015656

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/12744192055'
<node>.example.com is already validated!

All domains validated!

Creating CSR
Checking order status
Order is ready, finalizing order
valid!

Downloading certificate
Setting pveproxy certificate and key
Restarting pveproxy
TASK OK

# Wait few seconds and the GUI will load with new certificate

# If you use nginx like me as proxy on port 443, update it with the new cert path
...
ssl_certificate /etc/pve/nodes/<node>/pveproxy-ssl.pem;
ssl_certificate_key /etc/pve/nodes/<node>/pveproxy-ssl.key;
...

# Restart nginx
systemctl start nginx

#
# Method 2: Create certs using business SSl Provider
#

# Certs should be renewed manually and updated

# If you want free cert check sslforfree.com to create or renew your cert. Free cert need renew every 3 months
Source: https://eskwelaonline.com/how-to-fix-did-not-connect-potential-security-issue-on-your-site/

# Or you might have a wild certificate, either or will works

# Once you download the certs, prepare them as follows:

# Create cert dir
mkdir ~/Debian/certs/

# Rename key file
cat ~/Downloads/<node>.example.com/private.key > Debian/certs/private-key.pem

# Combine crt and bundle in pem file
cat ~/Downloads/<node>.example.com/certificate.crt ~/Downloads/<node>.example.com/ca_bundle.crt > Debian/certs/fullchain.pem

# Update ProxMox cert using command line
\cp /home/imad/Downloads/<node>.example.com/fullchain.pem /etc/pve/nodes/<node>/pveproxy-ssl.pem
\cp /home/imad/Downloads/<node>.example.com/private-key.pem /etc/pve/nodes/<node>/pveproxy-ssl.key

# You can use GUI as well Node > Certificates > ACME > Upload custom certificate

# Restart pveproxy
systemctl restart pveproxy

# Verify
journalctl -b -u pveproxy.service
...
Apr 30 11:15:26 <node> pveproxy[4218]: Using '/etc/pve/local/pveproxy-ssl.pem' as certificate for the web interface.
...

# if needed. Restart the services and update certs
systemctl restart pve-cluster && systemctl restart pvedaemon && systemctl restart pvestatd && systemctl restart pveproxy   
pvecm updatecerts

#
# Re-generate self-singed certs if needed
#

# Remove current certs
rm -f /etc/pve/nodes/<node>/pve-ssl.pem
rm -f /etc/pve/pve-root-ca.pem
rm -f /etc/pve/priv/pve-root-ca.key
rm -f /etc/pve/pve-www.key
rm -f /etc/pve/local/pve-ssl.key
rm -f /etc/pve/local/pve-ssl.pem
rm -f /etc/pve/nodes/<node>/pveproxy-ssl.pem
rm -f /etc/pve/nodes/<node>/pveproxy-ssl.key

# Regenerate self-signed cert
pvecm updatecerts -f

# Restart proxy
systemctl restart pveproxy