PVE cert renewal failure

antubis

Apr 20, 2012
Hi,

I have a highly productive PVE cluster (3 nodes) with ceph storage running. Unfortunately I've accidentally overwritten the pve-ssl.pem and pve-ssl.key (instead of using the -pveproxy files) with our custom certs on installation. Now the custom certs are expiring and of course the pve service can't renew them.

I found the thread https://forum.proxmox.com/threads/solved-pve-certificate-expires-in-more-than-2-years.79152/ with a similar issue and the pvecm updatecerts -f command to recreate the certs with the cluster internal ca.

My question is now... can I just do this in a productively running multi-node cluster with ceph storage without running into problems or even data loss or is there maybe a recommended procedure (stopping/restarting services in an order, etc.)?

Thanks for any help
antubis
 
Hi,
This is a rather old thread, you may have already found the answer and probably know more now, but here I am sharing what I know about this topic.
"can I just do this in a productively running multi-node cluster with ceph storage without running into problems or even data loss or is there maybe a recommended procedure"
In general it is safe, as it doesn't affect running VMs. However, since it may impact the web UI, you might consider performing it outside of business hours as a precaution.
If your certificate expires, it’s essentially no different from a self-signed certificate. You will need to explicitly trust it in order to continue using the GUI. The cluster should continue to work properly.

Hope this helps, and I would appreciate it if you could enrich it with your experience from this case.

[0] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysadmin_certificate_management
 
Thank you for your answer. We already managed to do the updatecerts task successfully. Now our own certs are properly named pveproxy-ssl and the pve-ssl files are managed internally as they should be.
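
A check for the mix-up discussed in this thread, as an added example that is not part of the original posts: it reports whether pve-ssl.pem still chains to the cluster-internal CA or has been overwritten by a custom certificate, and whether either file expires within 30 days. The paths /etc/pve/local and /etc/pve/pve-root-ca.pem are assumed defaults from the Proxmox admin guide, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Default paths are assumptions taken from
# the Proxmox admin guide's certificate-management chapter.
PVE_DIR="${PVE_DIR:-/etc/pve/local}"
PVE_CA="${PVE_CA:-/etc/pve/pve-root-ca.pem}"

# cert_origin FILE: print "cluster-ca" if FILE chains to the cluster CA,
# "foreign" if it does not, "missing" if absent. Expiry is ignored here
# (-no_check_time) and the system trust store is excluded (-no-CApath), so a
# publicly signed custom certificate is not mistaken for a cluster one.
cert_origin() {
    [ -f "$1" ] || { echo missing; return 0; }
    if openssl verify -no_check_time -no-CApath -CAfile "$PVE_CA" "$1" >/dev/null 2>&1
    then echo cluster-ca
    else echo foreign
    fi
}

# expires_within FILE DAYS: succeed if FILE is expired or expires within DAYS.
expires_within() {
    ! openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# pve_cert_report: one line per file; fails when pve-ssl.pem is not signed
# by the cluster CA, i.e. a custom certificate was written over it.
pve_cert_report() {
    for f in pve-ssl.pem pveproxy-ssl.pem; do
        origin=$(cert_origin "$PVE_DIR/$f")
        if [ "$origin" = missing ]; then validity=n/a
        elif expires_within "$PVE_DIR/$f" 30; then validity="expires-within-30d"
        else validity=ok
        fi
        echo "$f origin=$origin validity=$validity"
    done
    [ "$(cert_origin "$PVE_DIR/pve-ssl.pem")" != foreign ]
}

# Run the report only where the PVE directory exists (i.e. on a node).
if [ -d "$PVE_DIR" ]; then pve_cert_report; fi
```

A healthy node shows origin=cluster-ca for pve-ssl.pem and origin=foreign for a custom pveproxy-ssl.pem; origin=foreign on pve-ssl.pem is the state the question describes.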