SOLVED: PVE certificate expires in more than 2 years

jazzl0ver

Renowned Member
Mar 6, 2013
69
1
73
Hi,

For some reason PVE tries to update my custom certificate and predictably fails with truncating the cert file which leads to inaccessible web interface:
Code:
# pveversion
pve-manager/6.2-15/48bd51b6 (running kernel: 5.4.65-1-pve)

# systemctl status pve-daily-update.service
...
Nov 17 03:14:33 vm-box-4 pveupdate[27847]: PVE certificate expires in more than 2 years, renewing to reduce certificate life-span for client comp
Nov 17 03:14:33 vm-box-4 pveupdate[27847]: Signature ok
Nov 17 03:14:33 vm-box-4 pveupdate[27847]: subject=OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = vm-box-4.domain.com
Nov 17 03:14:33 vm-box-4 pveupdate[27847]: Getting CA Private Key
Nov 17 03:14:33 vm-box-4 pveupdate[27847]: CA certificate and CA private key do not match
Nov 17 03:14:33 vm-box-4 pveupdate[27847]: 140696531917696:error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters
Nov 17 03:14:33 vm-box-4 pveupdate[27847]: 140696531917696:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:..
Nov 17 03:14:33 vm-box-4 pveupdate[27847]: Checking/Renewing SSL certificate failed: unable to generate pve ssl certificate:
                                           command 'faketime yesterday openssl x509 -req -in /tmp/pvecertreq-27847.tmp -days 730 -out /etc/pve/no
Nov 17 03:14:33 vm-box-4 systemd[1]: pve-daily-update.service: Succeeded.

root@vm-box-4:# ls -la /etc/pve/local/pve-ssl.pem
-rw-r----- 1 root www-data 0 Nov 13 03:14 /etc/pve/local/pve-ssl.pem

As a workaround I've commented out line #113 in /usr/bin/pveupdate:
Code:
$renew->("expires in more than 2 years, renewing to reduce certificate life-span for client compatibility...");

Is there a better solution to keep my certs alone?
 
I'm sorry, it's not clear for me what you're asking about.

1605631567918.png

do i need to delete existing custom certificates and upload them again?
 
do i need to delete existing custom certificates and upload them again?
you should never overwrite the pve-root-ca.pem and pve-ssl.pem (they are definitely not generated by pve)

i'd do a 'pvecm updatecerts -f' and then use the web ui to upload your custom certificates
 
Thank you very much! I've deleted pve-root-ca and pve-ssl files and regenerated certs with the command you provided.
 
More or less in the same boat. Old and rusty Proxmox, installed it 2011, kept up-to-date.
Now forced to do a IP-rearrangement in my home-environment.
Noticed: expired pve-root-ca and pve-ssl files.
With above help and https://codingpackets.com/blog/proxmox-certificate-error-fix-after-node-replacement/ got the expiry date fixed.
But the old IP-adress is still there?

2022-09-10_13-47.png

Anybody any clue as were to fix this?

-- edit --

Found it myself:
2022-09-10_14-15.png

After that:
Bash:
cd /root

mkdir oldkeys

mv /etc/pve/pve-root-ca.pem oldkeys
mv /etc/pve/priv/pve-root-ca.key oldkeys
mv /etc/pve/nodes/proxmox/pve-ssl.pem oldkeys
mv /etc/pve/nodes/proxmox/pve-ssl.key oldkeys
mv /etc/pve/authkey.pub oldkeys
mv /etc/pve/priv/authkey.key oldkeys
mv /etc/pve/priv/authorized_keys oldkeys

pvecm updatecerts -f

systemctl restart pvedaemon pveproxy

All good!

--edit2--

PS: Don´t do this from the webconsole. Login with PuTTY or ssh.
 
Last edited:
  • Like
Reactions: flamozzle

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!