Restore Self-Signed SSL and CA for node

alterman1994

Aug 6, 2021
Hey guys

https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#sysadmin_certs_api_gui

I, unfortunately, disrespected this warning several months ago while trying to configure Let's Encrypt SSL on the primary node of my cluster (4 nodes):

Do not replace or manually modify the automatically generated node certificate files in /etc/pve/local/pve-ssl.pem and /etc/pve/local/pve-ssl.key or the cluster CA files in /etc/pve/pve-root-ca.pem and /etc/pve/priv/pve-root-ca.key.

I stupidly used this guide: https://blog.hostonnet.com/install-letsencrypt-ssl-proxmox

So right now, all the nodes in my cluster don't have the correct CA (replaced using the Let's Encrypt one).

I already found a way to add the LE certificate using the GUI:
Screenshot_5.png

But I lost all my SANs (like you have in a fresh Proxmox setup in the screenshot below), especially pve1, the IP address, etc., for verifying API connections.

Screenshot_6.png

Is it possible to restore/regenerate the original Proxmox pve-root-ca.pem as well as pve-ssl.pem? Does pvecm updatecerts -f work like this, or does it just renew the existing SSL?

Appreciate any advice here!
 
Actually, the reason I'm bumping this is that I cannot add a new node by using:

Bash:
root@pve5:/etc/pve# pvecm add 192.168.200.241
Please enter superuser (root) password for '192.168.200.241': *******************
Establishing API connection with host '192.168.200.241'
500 Can't connect to 192.168.200.241:8006 (hostname verification failed)


or using pve1 (the node I originally used for cluster creation):

Bash:
root@pve5:/etc/pve# pvecm add pve1
Please enter superuser (root) password for 'pve1': *******************
Establishing API connection with host 'pve1'
500 Can't connect to pve1:8006 (hostname verification failed)
 
you need to provide the full hostname if using a LE certificate.

to regenerate the self-signed certificate, delete the following files:
  • /etc/pve/pve-root-ca.pem
  • /etc/pve/priv/pve-root-ca.key
  • /etc/pve/nodes/<node>/pve-ssl.pem
  • /etc/pve/nodes/<node>/pve-ssl.key
The latter two need to be repeated for all nodes if you have a cluster.

Afterwards, run the following command on each node of the cluster to re-generate the certificates and keys:

Code:
pvecm updatecerts -f
 
Thank..
 
Thanks for forum post, which saved me, because Proxmox Web Gui became unavailable after I uploaded a (wildcard) certificate.

I had to delete the 4 files mentioned above AND also two more files:
  • /etc/pve/nodes/<node>/pveproxy-ssl.key
  • /etc/pve/nodes/<node>/pveproxy-ssl.pem
Then I did a
Code:
systemctl restart pveproxy
and finally the web gui was available again!
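
The deletion step from the replies above with a backup taken first, added here as an example (not code from any poster or from Proxmox). `PVE_ROOT`, `DRY_RUN`, the function names and the backup layout are assumptions; the file list is the one given in the thread.

```shell
#!/bin/sh
# Added example. PVE_ROOT defaults to the real location; point it at a copy
# to rehearse. The file names below are the six named in this thread.
PVE_ROOT="${PVE_ROOT:-/etc/pve}"

# Print every file from the thread's list that currently exists.
pve_cert_files() {
    for f in "$PVE_ROOT/pve-root-ca.pem" "$PVE_ROOT/priv/pve-root-ca.key"; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
    # nodes/*/ covers every node directory present under PVE_ROOT.
    for node in "$PVE_ROOT"/nodes/*/; do
        [ -d "$node" ] || continue
        for name in pve-ssl.pem pve-ssl.key pveproxy-ssl.pem pveproxy-ssl.key; do
            if [ -e "$node$name" ]; then printf '%s\n' "$node$name"; fi
        done
    done
    return 0
}

# Copy each listed file into the backup directory given as $1, keeping its
# path relative to PVE_ROOT, and only then delete the original.
# The body runs in a subshell so the umask change stays local; umask 077
# keeps the backup private because it will contain the CA private key.
# With DRY_RUN=1 nothing is copied or deleted, the files are only listed.
pve_cert_reset() (
    backup="$1"
    umask 077
    mkdir -p "$backup" || exit 1
    pve_cert_files | while IFS= read -r f; do
        rel=${f#"$PVE_ROOT"/}
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would remove $f"
            continue
        fi
        mkdir -p "$backup/$(dirname "$rel")" &&
            cp -p "$f" "$backup/$rel" &&
            rm -f "$f" || { echo "failed on $f" >&2; exit 1; }
    done
)

# Typical use, as root (the backup path is a placeholder):
#   DRY_RUN=1; pve_cert_reset /root/pve-cert-backup   # review the list first
#   DRY_RUN=0; pve_cert_reset /root/pve-cert-backup
```

Regeneration is unchanged from the replies above: `pvecm updatecerts -f` on each node, then `systemctl restart pveproxy`.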
 
I ran into the same issue and tried the above, but I'm still unable to access the web gui :/ Is there anything I can try?

Thanks for the help!
 
any error in the logs?
 
what does "pvenode cert info" say?
 
