SOLVED: PVE certificate expires in more than 2 years

jazzl0ver

Hi,

For some reason PVE tries to update my custom certificate and predictably fails, truncating the cert file, which leads to an inaccessible web interface:
Code:
# pveversion
pve-manager/6.2-15/48bd51b6 (running kernel: 5.4.65-1-pve)

# systemctl status pve-daily-update.service
...
Nov 17 03:14:33 vm-box-4 pveupdate[27847]: PVE certificate expires in more than 2 years, renewing to reduce certificate life-span for client comp
Nov 17 03:14:33 vm-box-4 pveupdate[27847]: Signature ok
Nov 17 03:14:33 vm-box-4 pveupdate[27847]: subject=OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = vm-box-4.domain.com
Nov 17 03:14:33 vm-box-4 pveupdate[27847]: Getting CA Private Key
Nov 17 03:14:33 vm-box-4 pveupdate[27847]: CA certificate and CA private key do not match
Nov 17 03:14:33 vm-box-4 pveupdate[27847]: 140696531917696:error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters
Nov 17 03:14:33 vm-box-4 pveupdate[27847]: 140696531917696:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:..
Nov 17 03:14:33 vm-box-4 pveupdate[27847]: Checking/Renewing SSL certificate failed: unable to generate pve ssl certificate:
                                           command 'faketime yesterday openssl x509 -req -in /tmp/pvecertreq-27847.tmp -days 730 -out /etc/pve/no
Nov 17 03:14:33 vm-box-4 systemd[1]: pve-daily-update.service: Succeeded.

root@vm-box-4:# ls -la /etc/pve/local/pve-ssl.pem
-rw-r----- 1 root www-data 0 Nov 13 03:14 /etc/pve/local/pve-ssl.pem

As a workaround I've commented out line #113 in /usr/bin/pveupdate:
Code:
$renew->("expires in more than 2 years, renewing to reduce certificate life-span for client compatibility...");

Is there a better solution to keep my certs alone?
 
I'm sorry, it's not clear to me what you're asking about.

Do I need to delete existing custom certificates and upload them again?
 
Do I need to delete existing custom certificates and upload them again?
You should never overwrite the pve-root-ca.pem and pve-ssl.pem (they are definitely not generated by pve).

I'd do a 'pvecm updatecerts -f' and then use the web UI to upload your custom certificates.
 
Thank you very much! I've deleted pve-root-ca and pve-ssl files and regenerated certs with the command you provided.
 
More or less in the same boat. Old and rusty Proxmox, installed it 2011, kept up-to-date.
Now forced to do an IP rearrangement in my home environment.
Noticed: expired pve-root-ca and pve-ssl files.
With above help and https://codingpackets.com/blog/proxmox-certificate-error-fix-after-node-replacement/ got the expiry date fixed.
But the old IP address is still there?

2022-09-10_13-47.png

Anybody any clue as to where to fix this?

-- edit --

Found it myself:
2022-09-10_14-15.png

After that:
Bash:
cd /root

mkdir oldkeys

mv /etc/pve/pve-root-ca.pem oldkeys
mv /etc/pve/priv/pve-root-ca.key oldkeys
mv /etc/pve/nodes/proxmox/pve-ssl.pem oldkeys
mv /etc/pve/nodes/proxmox/pve-ssl.key oldkeys
mv /etc/pve/authkey.pub oldkeys
mv /etc/pve/priv/authkey.key oldkeys
mv /etc/pve/priv/authorized_keys oldkeys

pvecm updatecerts -f

systemctl restart pvedaemon pveproxy

All good!

--edit2--

PS: Don't do this from the web console. Log in with PuTTY or ssh.
 
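A read-only check for the three symptoms in the first post's log (zero-byte pve-ssl.pem, "CA certificate and CA private key do not match", and a certificate valid for more than 2 years), useful before moving any files or running 'pvecm updatecerts -f'. This is an added example, not code from any poster or from Proxmox; the default paths are the ones named in the thread, the 730-day threshold is taken from the logged "-days 730" / "more than 2 years" message, and the function names and the "report" argument are made up for illustration.

```bash
#!/bin/sh
# Added example: read-only checks, nothing under /etc/pve is modified.
# Default paths are the ones that appear in the thread; override via environment.
CA_CERT=${CA_CERT:-/etc/pve/pve-root-ca.pem}
CA_KEY=${CA_KEY:-/etc/pve/priv/pve-root-ca.key}
NODE_CERT=${NODE_CERT:-/etc/pve/local/pve-ssl.pem}

# True if the file is missing or zero bytes (the truncated pve-ssl.pem case).
cert_is_empty() { [ ! -s "$1" ]; }

# Print the PEM public key of a certificate ($1=cert) or a private key ($1=key).
pubkey_of() {
  case "$1" in
    cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
    key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
  esac
}

# True only if both public keys can be read and are identical.
ca_pair_matches() {
  ca_pub=$(pubkey_of cert "$1") || return 1
  key_pub=$(pubkey_of key "$2") || return 1
  [ -n "$ca_pub" ] && [ "$ca_pub" = "$key_pub" ]
}

# True if the certificate is still valid $2 days from now.
valid_longer_than_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

pve_cert_report() {
  if cert_is_empty "$NODE_CERT"; then
    echo "EMPTY: $NODE_CERT is missing or zero bytes"
  elif ! pubkey_of cert "$NODE_CERT" >/dev/null; then
    echo "UNREADABLE: $NODE_CERT is not a parsable certificate"
  elif valid_longer_than_days "$NODE_CERT" 730; then
    echo "LONG: $NODE_CERT expires in more than 2 years"
  else
    echo "OK: $NODE_CERT expires within 2 years"
  fi
  if ca_pair_matches "$CA_CERT" "$CA_KEY"; then
    echo "OK: CA certificate and CA private key match"
  else
    echo "MISMATCH: $CA_KEY does not belong to $CA_CERT (or is unreadable)"
  fi
}

if [ "${1:-}" = "report" ]; then pve_cert_report; fi
```

Run it as root with the single argument "report"; a MISMATCH line corresponds to the signing failure in the log, and LONG is the state the renewal message refers to.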