[SOLVED] pveproxy fails to load local certificate chain after upgrade to pve 6

Serverhamster

New Member
Nov 5, 2017
I was using a self-signed certificate (using FreeIPA) with pve5 without any issues. This needs a key and a certificate:
  • /etc/pve/local/pveproxy-ssl.key
  • /etc/pve/local/pveproxy-ssl.pem
After the upgrade, the connection times out when trying to connect to the web interface when these 2 files are present.
pveproxy.service is running but shows these errors in the log:
Code:
/etc/pve/local/pveproxy-ssl.pem: failed to use local certificate chain (cert_file or cert) at /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 1688.
The error asks for a certificate chain, and I only have the certificate. Is pve6 expecting something more?
 

Alwin

Proxmox Staff Member
Aug 1, 2017
Could you post the content of the pem file (if not you can also PM me)? Be aware the content holds the public key and the IPs. So I can check if anything is in there that isn't accepted anymore.
 

Serverhamster

No problem. It's a local server anyway.
 

Alwin


Serverhamster

And that's why reading changelogs is important :). Well found. Thanks! I replaced the 1024 bit key with a 2048 one and it works now.
 
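Added example, not part of the thread and not Proxmox's pve5to6 script: a shell check that reads the public key size of a certificate such as /etc/pve/local/pveproxy-ssl.pem and flags RSA keys below 2048 bits, the size that resolved the problem above. The names `pubkey_info`, `classify`, `check_cert` and `MIN_RSA_BITS` are made up for this example, and it assumes the `openssl` command-line tool is installed.

```sh
#!/bin/sh
# Added example: flag RSA certificates whose key is smaller than MIN_RSA_BITS.
# Usage: sh check-cert-bits.sh /etc/pve/local/pveproxy-ssl.pem
MIN_RSA_BITS=2048   # assumption: the key size that fixed pveproxy in this thread

# Read `openssl x509 -noout -text` output on stdin, print "<algorithm> <bits>".
# Handles both the "RSA Public-Key: (N bit)" and "Public-Key: (N bit)" forms
# that different OpenSSL versions print.
pubkey_info() {
    awk '
        /Public Key Algorithm:/ && alg == "" { alg = $NF }
        /Public-Key: \(/ && bits == "" {
            s = $0; sub(/.*Public-Key: \(/, "", s); sub(/ bit.*/, "", s); bits = s
        }
        END { if (alg != "" && bits != "") print alg, bits }'
}

# Print a verdict for one key: weak (exit 1), ok or skipped (0), unknown (2).
classify() {
    alg=$1; bits=$2
    case "$bits" in ''|*[!0-9]*) echo unknown; return 2 ;; esac
    # The threshold is for RSA only; a 256-bit EC key must not be called weak.
    [ "$alg" = rsaEncryption ] || { echo skipped; return 0; }
    if [ "$bits" -lt "$MIN_RSA_BITS" ]; then echo weak; return 1; fi
    echo ok
}

# Inspect the first certificate in a PEM file (the leaf, in a chain file).
check_cert() {
    cert=$1
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "$cert: cannot be parsed as an X.509 certificate"; return 2; }
    info=$(printf '%s\n' "$text" | pubkey_info)
    verdict=$(classify "${info% *}" "${info#* }"); rc=$?
    echo "$cert: ${info:-no public key found}: $verdict"
    return "$rc"
}

# Only act when certificate paths are given on the command line.
if [ "$#" -gt 0 ]; then
    status=0
    for c in "$@"; do check_cert "$c" || status=$?; done
    exit "$status"
fi
```

A non-zero exit status means at least one certificate was weak or unreadable, so the script can gate an upgrade step.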

t.lamprecht

Proxmox Staff Member
Jul 28, 2015
South Tyrol/Italy
> On the same boat, updating a 3.x-updated-to-5.x installation and the same error message pops up. Unfortunately, there was no mention of this in https://pve.proxmox.com/wiki/Upgrade_from_5.x_to_6.0

We check it with our pve5to6 script, which you should always use to check the most basic things before doing the 5.4 to 6.0 upgrade. Note that upgrades which skip major versions (e.g., 4.X to 6.X directly) are not supported nor tested.
 

cosmos

Member
Apr 1, 2013
> We check it with our pve5to6 script, which you should always use to check the most basic things before doing the 5.4 to 6.0 upgrade. Note that upgrades which skip major versions (e.g., 4.X to 6.X directly) are not supported nor tested.

That's a bit strange because I ran pve5to6 and it did not report any issue like that at all. Even at the end of the procedure, it only produced a single warning stating that I should reboot the system for the changes to take effect.
 

t.lamprecht


cosmos

Yes, I did (always try to follow upgrade instructions as carefully as I can, studying especially the "known issues" section), just before making the switch to 6. But I did not reboot, after doing an apt-get dist-upgrade on 5.4... Perhaps that was why the issue appeared to be after upgrading to 6?
 

t.lamprecht

I highlighted the "Issues to be aware of for buster" more in the known issues section, to make people better aware that (almost) all of them normally affect PVE users too: https://pve.proxmox.com/wiki/Upgrade_from_5.x_to_6.0#Known_upgrade_issues

> But I did not reboot, after doing an apt-get dist-upgrade on 5.4... Perhaps that was why the issue appeared to be after upgrading to 6?

Hmm, if a new kernel was installed it could make sense, but it should normally not be required - at least if a reboot was made not too far in the past to have a current kernel running at all.
 
