[SOLVED] pveproxy fails to load local certificate chain after upgrade to pve 6

Serverhamster · Jul 17, 2019

I was using a self-signed certificate (using FreeIPA) with pve5 without any issues. This needs a key and a certificate:

/etc/pve/local/pveproxy-ssl.key
/etc/pve/local/pveproxy-ssl.pem

After the upgrade, the connection times out when trying to connect to the web interface when these 2 files are present.
pveproxy.service is running but shows these errors in the log:

Code:

/etc/pve/local/pveproxy-ssl.pem: failed to use local certificate chain (cert_file or cert) at /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 1688.

The errors asks for a certificate chain, and I only have the certificate. Is pve6 expecting something more?

Alwin · Jul 18, 2019

Could you post the content of the pem file (if not you can also PM me)? Be aware the content holds the public key and the IPs. So I can check if anything is in there that isn't accepted anymore.

Serverhamster · Jul 18, 2019

No problem. It's a local server anyway.

Alwin · Jul 18, 2019

Please regenerate your certificate with a key that has at least 2048 bit.

The default security level for TLS connections has also been increased from level 1 to level 2. This moves from the 80 bit security level to the 112 bit security level and will require 2048 bit or larger RSA and DHE keys, 224 bit or larger ECC keys, and SHA-2.

https://www.debian.org/releases/buster/amd64/release-notes/ch-information.en.html#openssl-defaults

Serverhamster · Jul 18, 2019

And that's why reading changelogs is important

. Well found. Thanks! I replaced the 1024 bit key with a 2048 one and it works now.

cosmos · Sep 5, 2019

On the same boat, updating a 3.x-updated-to-5.x installation and the same error message pops up. Unfortunately, there was no mention of this in https://pve.proxmox.com/wiki/Upgrade_from_5.x_to_6.0

Alwin said:
Please regenerate your certificate with a key that has at least 2048 bit.

Would you be kind enough to instruct how to do this?

EDIT: The following did it:

Code:

pvecm updatecerts --force

t.lamprecht · Sep 5, 2019

cosmos said:
On the same boat, updating a 3.x-updated-to-5.x installation and the same error message pops up. Unfortunately, there was no mention of this in https://pve.proxmox.com/wiki/Upgrade_from_5.x_to_6.0

we check it with out pve5to6 script, which you should use always to check the most basic things before doing the 5.4 to 6.0 upgrade. Note that upgrades which skip major versions (e.g., 4.X to 6.X directly) are not supported nor tested.

cosmos · Sep 5, 2019

t.lamprecht said:
we check it with out pve5to6 script, which you should use always to check the most basic things before doing the 5.4 to 6.0 upgrade. Note that upgrades which skip major versions (e.g., 4.X to 6.X directly) are not supported nor tested.

That's a bit strange because I ran pve5to6 and did not report any issue like that at all. Even at the end of the procedure, it only produced a single warning stating that I should reboot the system for the changes to take effect.

t.lamprecht · Sep 5, 2019

Did you upgraded to latest pve-manager on 5.4 before upgrading? As the check ( https://git.proxmox.com/?p=pve-manager.git;a=commitdiff;h=95c1fa51adf1f82aa929a49d423a933aa6525252 ) is available since 5.4-12 release over a month ago to all repos, that one should have catched any problematic certificate issue like those affected by Buster higher security standards.

cosmos · Sep 5, 2019

Yes, I did (always try to follow upgrade instructions as carefully as I can, studying especially the "known issues" section), just before making the switch to 6. But I did not reboot, after doing an apt-get dist-upgrade on 5.4... Perhaps that was why the issue appeared to be after upgrading to 6?

t.lamprecht · Sep 5, 2019

I highlighted the "Issues to be aware of for buster" more in the known issues section, to make people better aware that (almost) all of them normally affect PVE users too: https://pve.proxmox.com/wiki/Upgrade_from_5.x_to_6.0#Known_upgrade_issues

cosmos said:
But I did not reboot, after doing an apt-get dist-upgrade on 5.4... Perhaps that was why the issue appeared to be after upgrading to 6?

Hmm, if a new kernel was installed it could make sense, but it should normally not be required - at least if a reboot was made not to far in the past to have a current kernel running at all.

David Herselman · Sep 25, 2019

Was upgrading a stand alone PVE 5 to 6 today and ran in to this...

To fix:

Code:

rm -f /etc/pve/pve-root-ca.pem /etc/pve/priv/pve-root-ca.* /etc/pve/local/pve-ssl.*;
pvecm updatecerts -f;

mmccarn · May 1, 2020

Thanks David; your commands fixed my stand-alone server after upgrading from 5.4 to 6.1.

Once I got the web ui back, I could see that my windows VMs had not booted due to the same certificate error - double-clicking the failed VM Start tasks showed this error:

Code:

kvm: warning: Spice: reds.c:2943:reds_init_ssl: Could not load certificates from /etc/pve/local/pve-ssl.pem
kvm: warning: Spice: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
kvm: failed to initialize spice server
TASK ERROR: start failed: QEMU exited with code 1

The problem had already been fixed by the certificate update - I had no trouble starting the failed VMs.

Search

Search

[SOLVED] pveproxy fails to load local certificate chain after upgrade to pve 6

Serverhamster

Active Member

Alwin

Proxmox Retired Staff

Serverhamster

Active Member

Alwin

Proxmox Retired Staff

Serverhamster

Active Member

cosmos

Renowned Member

t.lamprecht

Proxmox Staff Member

cosmos

Renowned Member

t.lamprecht

Proxmox Staff Member

cosmos

Renowned Member

t.lamprecht

Proxmox Staff Member

David Herselman

Renowned Member

mmccarn

Active Member