I just tried to integrate a new (so I am a noob wrt ProxMox) ProxMox server into my existing private PKI. So I wanted my web sessions to use a cert I provided.
To create the certificate:
- I created a new 3072 bit key and exported it in PEM
- I created a certificate signed by an intermediate certification authority certificate. I could not find any specification of the details of the certificate format online - so guessing somewhat:
Code:
X509v3 Basic Constraints critical: CA:FALSE
X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name: DNS:proxmox, DNS:proxmox.mydomain.local, DNS:machinename, DNS:machinename.mydomain.local
X509v3 CRL Distribution Points: URI:http://www.publiclocation.com/crl/crl_web.der
Netscape Cert Type: SSL Server
- I exported this as PEM.
- I combined this with the PEM format of the Intermediate certificates as per this post (i.e. cat ca.pem inter.pem proxmox.pem > bundle.pem)
- I have PBS installed on a NAS so I backed everything up.
- I then used the ProxMox GUI "MachineName -> System -> Certificates -> Upload Custom Certificate" and loaded the PEM of the key and the bundle PEM of the certs
- The OS told me to reload the interface and now nothing - no interface - so I messed up the certificate in some way
SSH and direct connection still work, but there appear to be no backup copies of the original file in /etc/pve/nodes/machinename so no easy fix.
The problem seems (from journalctl -u pveproxy) to be the key file "/etc/pve/local/pveproxy-ssl.key: failed to load local private key (key_file or key) at /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 2037"
The question is how to recover?
- Can I force the machine to regenerate certificates that work? (Deleting the current set?)
- Can I find the old ones and overwrite (where might backups be)?
- Is there a way to get the details of the originals from the PBS backup from the command line?
The later question will be - where to get the specification of the certificates, or maybe how to generate a CSR from ProxMox?
Many thanks for help!
Regards,
Paul McGinnie
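
A pre-upload sanity check for the key and bundle files described in the post above, added here as an example and not part of the original post. It assumes the server cannot prompt for a key passphrase and treats the first certificate in the bundle as its own, as OpenSSL's chain-file loading does; the function name and return codes are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): check a PEM private key and a
# certificate bundle before uploading them to a TLS server.
# Assumptions: the server cannot prompt for a passphrase, and it treats the
# FIRST certificate in the bundle as its own (OpenSSL chain-file behaviour).

# check_pair KEY BUNDLE  (hypothetical helper)
# returns 0 ok, 1 key not loadable, 2 bundle not readable, 3 key/cert mismatch
check_pair() {
    key="$1"
    bundle="$2"

    # "-passin pass:" supplies an empty passphrase, so an encrypted key fails
    # here instead of waiting for input.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
        echo "key: not loadable without a passphrase (encrypted, or not a PEM private key)" >&2
        return 1
    }

    # openssl x509 parses only the first certificate in a multi-certificate file.
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) || {
        echo "bundle: first PEM block is not a readable certificate" >&2
        return 2
    }

    # The public key derived from the private key must equal the public key
    # in the first certificate; otherwise the order is wrong or the pair is.
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "bundle: first certificate does not belong to this key (server certificate must come first)" >&2
        return 3
    fi

    echo "ok: key loads unencrypted and matches the first certificate in the bundle"
    return 0
}

# Usage: sh check_pair.sh key.pem bundle.pem
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

A return code of 3 on a bundle built CA-first means the server certificate is not the first block in the file.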