[SOLVED] Proxmox Mail Gateway 7.1-2 3 node Cluster Fingerprints out of sync

This problem keeps happening, and I can fix it, but it would be nice if it just didn't happen, or if there were a simple fix like `pmgctl force-fingerprint --master_ip xxx.xxx.xxx.xxx` from the child nodes. As it is, I have to manually open a text editor on the master node and copy / paste the child node's fingerprint in there, and it will push out over the pmg tunnel service. It is annoying and it keeps happening; I don't know what causes it.
 
you can try (and read the manpage) on `pmgcm update-fingerprints` - this causes the masternode to connect to all nodes and gather their fingerprints and update the config file

if this does not resolve your issue - I'd check why the fingerprints keep changing?
 
Thank you for your reply. I don't know how or why, but I forgot that command was available. I typed `pmgcm` and kept trying to use the `pmgcm sync --master_ip 'xxx.xxx.xxx.xxx'`. I will try the `update-fingerprints` command next time. We think the fingerprints change when the pmg kernel updates, is that not correct? I will run that on the master node and update the status of it here. Thank you again for taking the time to answer.
Best Regards,
Bruce
 
> We think the fingerprints change when the pmg kernel updates,

Not really - at least not by anything provided by PMG

one thing that could happen is that the certificate (and thus the fingerprint) changes at some point, but only gets reread after the reboot (which needs to be done for the new kernel) - but also in that case - nothing from PMG does automatically replace your certificate (short of the ACME renewal - but this also takes care of calling update-fingerprints)

put shortly - try to find out how/when/why the certificate (/etc/pmg/pmg-api.pem) changes on your system

ideas:
* some manually installed acme client (certbot, acme.sh)
* some configuration management system
* some other kind of cronjob or systemd-timer
 
> We do use certbot to auto-renew ssl certs, but it doesn't change pmg-api.pem.

* which certificates does it change then? (only the postfix pmg-tls.pem?)
* maybe take a look at the config of certbot - and check the cert with openssl:
`openssl x509 -noout -text -in /etc/pmg/pmg-api.pem`
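
One way to follow the advice above and find out when `/etc/pmg/pmg-api.pem` changes, as an added example that is not part of the thread or of PMG: it logs the certificate's SHA-256 fingerprint each time it differs from the last recorded value, so the timestamps can be matched against certbot, cron or configuration-management runs. The function names, the history file and the sample PEM are assumptions of this example.

```python
import base64, hashlib, json, os, re, sys, time

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed sample: placeholder bytes in PEM armour, not a real certificate.
# A key block comes first to show that only the CERTIFICATE block is hashed.
SAMPLE_PEM = ("-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
              "-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed-der-bytes").decode()
              + "\n-----END CERTIFICATE-----\n")

def cert_fingerprint(pem_text):
    """SHA-256 of the first certificate's DER bytes, colon-separated like
    the value printed by `openssl x509 -noout -fingerprint -sha256`."""
    m = CERT_RE.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def _utc(ts):
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))

def record_if_changed(cert_path, history_path, now=None):
    """Append a JSON line when the fingerprint differs from the last one
    recorded in history_path. Returns True if a change was logged."""
    with open(cert_path) as fh:
        fp = cert_fingerprint(fh.read())
    last = None
    if os.path.exists(history_path):
        with open(history_path) as fh:
            lines = [line for line in fh if line.strip()]
        if lines:
            last = json.loads(lines[-1])["fingerprint"]
    if fp == last:
        return False
    entry = {"seen_at": _utc(now), "fingerprint": fp,
             "file_mtime": _utc(os.path.getmtime(cert_path))}
    with open(history_path, "a") as fh:
        fh.write(json.dumps(entry) + "\n")
    return True

if __name__ == "__main__":
    # The history file location is the caller's choice, not a PMG path.
    if len(sys.argv) != 3:
        sys.exit("usage: fpwatch.py CERT_PATH HISTORY_PATH")
    changed = record_if_changed(sys.argv[1], sys.argv[2])
    print("fingerprint changed" if changed else "fingerprint unchanged")
```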
 
> you can try (and read the manpage) on `pmgcm update-fingerprints` - this causes the masternode to connect to all nodes and gather their fingerprints and update the config file

I'm seeing the same problem as the OP so I tried the command above, yet:

```
root@proxmox01:/etc/pmg# pmgcm update-fingerprints
500 update fingerprints failed: unable to get remote node fingerprint from 'proxmox03': parsing failed
```

Any ideas? This is with pmg 8. Thanks!