PSA: Fingerprints will change after switching to ACME Certificates

jasonsansone

May 17, 2021
This is relatively obvious and intuitive, but just a community reminder:

If you take advantage of the new ACME Let's Encrypt certificates in PBS 2.0 (thank you Proxmox Devs!), your SHA fingerprint will change. You must update the fingerprint for any backup or sync jobs configured on other PBS hosts or Proxmox nodes. It is quick and easy, but forgetting to do so will result in failed backups or syncs.

This isn't listed as a "Known Issue" in the release notes because it isn't a bug or an issue. This is behaving exactly like it is supposed to. Just wanted to throw out the mental reminder in case anyone updates their certs. Don't forget to update the fingerprint as well.
 
Thanks for bringing this up - hopefully it helps others.

Just one small addition: if you have a valid LE certificate (or any certificate which is trusted by your PVE/PMG/PBS nodes), you can also delete the fingerprint in the storage/remote definition.
(This also saves you the hassle of updating the fingerprints on every certificate renewal.)

I hope this helps!
 
@Stoiko Ivanov
Thank you for this information. Can you please share details on how to do this?

I have a cluster of three PMX servers which is connected to one PBS server with an LE certificate, but when the SSL certificate renews I lose connectivity. How can I sort that out?

Thank you.
 
Thank you for this information. Can you please share details on how to do this?
a) make a backup of /etc/pve/storage.cfg!
b) edit it in an editor (on the command line) on one node (it is in the cluster filesystem, thus editing on only one node is needed) - delete the fingerprint line and save it

pbs: pbs01
    datastore mydatastore
    server pbs01.domain.example
    content backup
    encryption-key 1
    fingerprint 9f:XXXX:23 <- delete this line
    prune-backups keep-last=255
    username user@pbs

I hope this helps!
 
Hello.
I tried the solution. When I remove the fingerprint, PVE says that it can't connect to PBS because it can't verify the hostname (error 500). When I connect to the PBS I use the PBS internal IP, not the hostname.
 
Hello.
I tried the solution. When I remove the fingerprint, PVE says that it can't connect to PBS because it can't verify the hostname (error 500). When I connect to the PBS I use the PBS internal IP, not the hostname.

I just ran into the same issue. You need to use the hostname that's used for Let's Encrypt.
 
^^Ran into this myself (fingerprint change). To deal with the FQDN instead of the pbe IP, create a DNS entry in your DNS resolver.

i.e. pbe.domain.com > {internal IP of pbe server}

pbe.domain.com > 192.168.1.250

Let's Encrypt should continue to work as it's likely using DNS validation with the cert assigned to pbe.domain.com. On the internal network this will resolve to 192.168.1.250. Externally it won't resolve to anything (or shouldn't). In pbe you can get rid of the PBS fingerprint as the FQDN now has a valid cert. Hope this makes sense.
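The two fixes discussed in this thread (re-pinning the new SHA-256 fingerprint after the certificate changes, or dropping the fingerprint line so PVE falls back to normal TLS validation, which only works when `server` is a DNS name the certificate covers rather than an IP) as one worked example. This is added code, not from the thread or from Proxmox; it assumes the `type: name` header plus tab-indented `key value` layout of storage.cfg shown above, and the sample config, SAN list and fingerprint values are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample in the storage.cfg layout from the thread; fingerprints are placeholders.
SAMPLE_STORAGE_CFG = (
    "dir: local\n"
    "\tpath /var/lib/vz\n"
    "\tcontent iso,vztmpl,backup\n"
    "\n"
    "pbs: pbs01\n"
    "\tdatastore mydatastore\n"
    "\tserver pbs01.domain.example\n"
    "\tcontent backup\n"
    "\tencryption-key 1\n"
    "\tfingerprint 9f:XXXX:23\n"
    "\tprune-backups keep-last=255\n"
    "\tusername user@pbs\n"
    "\n"
    "pbs: pbs02\n"
    "\tdatastore mydatastore\n"
    "\tserver 192.168.1.250\n"
    "\tcontent backup\n"
    "\tfingerprint aa:bb:cc\n"
    "\tusername user@pbs\n"
)

# A PBS fingerprint is the SHA-256 digest of the server cert: 32 colon-separated hex bytes.
FINGERPRINT_RE = re.compile(r"(?:[0-9a-fA-F]{2}:){31}[0-9a-fA-F]{2}")
# Constructed digest with the right shape, only used to exercise the re-pin path.
NEW_FINGERPRINT = ":".join(f"{i:02x}" for i in range(32))


def parse_storage_cfg(text):
    """Return [(type, name, [(key, value), ...]), ...] in file order."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] not in " \t":                       # section header "type: name"
            stype, sep, name = raw.partition(":")
            if not sep:
                raise ValueError(f"malformed section header: {raw!r}")
            sections.append((stype.strip(), name.strip(), []))
        else:                                         # indented "key value" property
            if not sections:
                raise ValueError("property line before any section header")
            key, _, value = raw.strip().partition(" ")
            sections[-1][2].append((key, value.strip()))
    return sections


def render_storage_cfg(sections):
    """Serialise back in the same layout: tab-indented properties, blank line after each section."""
    lines = []
    for stype, name, props in sections:
        lines.append(f"{stype}: {name}")
        lines.extend(f"\t{key} {value}" for key, value in props)
        lines.append("")
    return "\n".join(lines)


def hostname_matches_san(host, san_names):
    """Exact or single-label wildcard match against the certificate's DNS SANs."""
    host = host.lower().rstrip(".")
    for san in san_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*.") and host.endswith(san[1:]) and host.count(".") == san.count("."):
            return True
    return False


def check_fingerprint_removal(server, san_names):
    """Return None if dropping the pin is safe, otherwise the reason it is not.

    Without a pinned fingerprint PVE validates the cert normally, so `server`
    must be a name the certificate covers; an IP literal is the usual cause of
    the "can't verify the hostname" error reported in this thread.
    """
    try:
        ipaddress.ip_address(server)
        return f"server {server!r} is an IP literal; the certificate is issued for a DNS name"
    except ValueError:
        pass
    if san_names and not hostname_matches_san(server, san_names):
        return f"server {server!r} is not covered by the certificate SANs {list(san_names)}"
    return None


def set_pbs_fingerprint(text, storage_name, fingerprint, san_names=()):
    """Re-pin the named pbs storage with `fingerprint`, or drop the line when it is None."""
    sections = parse_storage_cfg(text)
    for stype, name, props in sections:
        if stype != "pbs" or name != storage_name:
            continue
        if fingerprint is None:
            reason = check_fingerprint_removal(dict(props).get("server", ""), san_names)
            if reason:
                raise ValueError(f"{storage_name}: {reason}")
            props[:] = [(k, v) for k, v in props if k != "fingerprint"]
        else:
            if not FINGERPRINT_RE.fullmatch(fingerprint):
                raise ValueError(f"not a SHA-256 fingerprint: {fingerprint!r}")
            if any(k == "fingerprint" for k, _ in props):
                props[:] = [(k, fingerprint if k == "fingerprint" else v) for k, v in props]
            else:
                props.append(("fingerprint", fingerprint))
        return render_storage_cfg(sections)
    raise KeyError(f"no pbs storage named {storage_name!r}")


if __name__ == "__main__":
    # pbs01 uses a DNS name covered by the cert, so the pin can go; pbs02 is reached by IP, so re-pin it.
    cfg = set_pbs_fingerprint(SAMPLE_STORAGE_CFG, "pbs01", None, ["pbs01.domain.example"])
    cfg = set_pbs_fingerprint(cfg, "pbs02", NEW_FINGERPRINT)
    print(cfg)
```

The SAN list is something you would take from the PBS certificate yourself; the point of the check is that the pbs02 entry, which points at 192.168.1.250 as in the posts above, is refused rather than silently left without either a pin or a verifiable hostname. Back up /etc/pve/storage.cfg before writing the rendered output over it, as the earlier reply says.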
 
