[SOLVED] pveproxy fails to load local certificate chain after upgrade to pve 6

Serverhamster

Active Member
Nov 5, 2017
25
4
43
44
I was using a self-signed certificate (using FreeIPA) with pve5 without any issues. This needs a key and a certificate:
  • /etc/pve/local/pveproxy-ssl.key
  • /etc/pve/local/pveproxy-ssl.pem
After the upgrade, the connection times out when trying to connect to the web interface when these 2 files are present.
pveproxy.service is running but shows these errors in the log:
Code:
/etc/pve/local/pveproxy-ssl.pem: failed to use local certificate chain (cert_file or cert) at /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 1688.
The errors asks for a certificate chain, and I only have the certificate. Is pve6 expecting something more?
 
Could you post the content of the pem file (if not you can also PM me)? Be aware the content holds the public key and the IPs. So I can check if anything is in there that isn't accepted anymore.
 
No problem. It's a local server anyway.
-----BEGIN CERTIFICATE-----
MIIDpzCCAo+gAwIBAgIBCzANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKDAtJUEEu
TFZJTi5CRTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE5MDMw
NTE0MDYyNFoXDTIxMDMwNTE0MDYyNFowMTEUMBIGA1UECgwLSVBBLkxWSU4uQkUx
GTAXBgNVBAMMEGFycmFraXMuYWx2aW4uYmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBANFsNnDFoYKkH6YYzVzXGsIeCn7dy+qlazGIy3oAucfP9fiz62T9UOJB
r/QLf+PAf5t65bOjJRNP9NhFYUCwiLtHACR5iM7qf0MFTUBahOv09WTLmgCeNuP8
DRprO1utMt0Ju5Nm8ZKuYcOiifXD6aD5856nz2Wj3mVo0i01zv/pAgMBAAGjggFH
MIIBQzAfBgNVHSMEGDAWgBSQXABnr6n1hoJyg4z+Y6j1MDvXRDA9BggrBgEFBQcB
AQQxMC8wLQYIKwYBBQUHMAGGIWh0dHA6Ly9pcGEtY2EuaXBhLmx2aW4uYmUvY2Ev
b2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
BwMCMHYGA1UdHwRvMG0wa6AzoDGGL2h0dHA6Ly9pcGEtY2EuaXBhLmx2aW4uYmUv
aXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwG
A1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBTEm+lMXfEevQk7
mMAsvS49dMfRkDAbBgNVHREEFDASghBhcnJha2lzLmFsdmluLmJlMA0GCSqGSIb3
DQEBCwUAA4IBAQB0Wfoep0/5LvTMlhJqA+534mWNwRFdUDBT0EVGD1d8vj9ZZ4oZ
EvAn0lOk7PcNllId4UgD6FJBjyVV+dbpYbE16Bwtgi3rMOQwmlQvLozxTmQLZ+to
nt31VCIkNb9zighWpDste/ha/NzQj47V8bIzUjphIGtTPwwVDqDhPc2S5jBJ5Yq4
JHFnYsotQqzMQjlNikm87Epox6DeG3laK+Ub1M8hn6BHnKT5xhNvdKjBrxI4P+4w
2MOV1iIu5oJ6T2sCF25iWJ/49ITJRHj9rI0sFqf4HECmglwYCce5CgG1NRC1YgwB
DUpem3ap2ALeTr+llyEErTetpFuDHB/5CUBG
-----END CERTIFICATE-----
 
  • Like
Reactions: Serverhamster
And that's why reading changelogs is important :). Well found. Thanks! I replaced the 1024 bit key with a 2048 one and it works now.
 
  • Like
Reactions: Alwin
On the same boat, updating a 3.x-updated-to-5.x installation and the same error message pops up. Unfortunately, there was no mention of this in https://pve.proxmox.com/wiki/Upgrade_from_5.x_to_6.0

Please regenerate your certificate with a key that has at least 2048 bit.

Would you be kind enough to instruct how to do this?

EDIT: The following did it:
Code:
pvecm updatecerts --force
 
  • Like
Reactions: grin and jbennet
On the same boat, updating a 3.x-updated-to-5.x installation and the same error message pops up. Unfortunately, there was no mention of this in https://pve.proxmox.com/wiki/Upgrade_from_5.x_to_6.0

we check it with out pve5to6 script, which you should use always to check the most basic things before doing the 5.4 to 6.0 upgrade. Note that upgrades which skip major versions (e.g., 4.X to 6.X directly) are not supported nor tested.
 
we check it with out pve5to6 script, which you should use always to check the most basic things before doing the 5.4 to 6.0 upgrade. Note that upgrades which skip major versions (e.g., 4.X to 6.X directly) are not supported nor tested.
That's a bit strange because I ran pve5to6 and did not report any issue like that at all. Even at the end of the procedure, it only produced a single warning stating that I should reboot the system for the changes to take effect.
 
Yes, I did (always try to follow upgrade instructions as carefully as I can, studying especially the "known issues" section), just before making the switch to 6. But I did not reboot, after doing an apt-get dist-upgrade on 5.4... Perhaps that was why the issue appeared to be after upgrading to 6?
 
I highlighted the "Issues to be aware of for buster" more in the known issues section, to make people better aware that (almost) all of them normally affect PVE users too: https://pve.proxmox.com/wiki/Upgrade_from_5.x_to_6.0#Known_upgrade_issues

But I did not reboot, after doing an apt-get dist-upgrade on 5.4... Perhaps that was why the issue appeared to be after upgrading to 6?

Hmm, if a new kernel was installed it could make sense, but it should normally not be required - at least if a reboot was made not to far in the past to have a current kernel running at all.
 
Thanks David; your commands fixed my stand-alone server after upgrading from 5.4 to 6.1.

Once I got the web ui back, I could see that my windows VMs had not booted due to the same certificate error - double-clicking the failed VM Start tasks showed this error:

Code:
kvm: warning: Spice: reds.c:2943:reds_init_ssl: Could not load certificates from /etc/pve/local/pve-ssl.pem
kvm: warning: Spice: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
kvm: failed to initialize spice server
TASK ERROR: start failed: QEMU exited with code 1

The problem had already been fixed by the certificate update - I had no trouble starting the failed VMs.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!