SPICE connection issue after cert issue

D

dowdle

New Member
Dec 19, 2020
10
2
3
60
Bozeman, Montana
www.montanalinux.org
Greetings,

I have a cluster with a few nodes. One of the nodes was accessible to the outside world so I decided to give Let's Encrypt a try within the PVE web interface... and successfully got it working with a LE cert my browsers liked. Then when it came time to renew I discovered that the powers-that-be had blocked outside access... and I had trouble renewing the cert... and just switched back to a self-signed one. I was inexperienced with such surgery and for a day or so had trouble accessing a node or two. Finally got that all sorted out... but an undesired side-effect remains:

While I can successfully login to all of the nodes and access them from the web interface, a few of them refuse to allow me to connect to my VMs with the SPICE protocol. Well, it is the spice client I'm running doesn't seem to like the cert the downloaded connection file provides. I've made sure the systems are all using NTP and the issue isn't caused by a timing/cert lifecycle issue.

I spent a while combing through the documentation and the forums, and while I've found a few issues/fixes for SPICE connection issues, none of them seemed to match up with the issue I'm having. Anyone have a clue on how to fix it?

I did investigate remote-viewer to see if maybe it'd have a flag to ignore the issue and just connect anyway... but there isn't much documentation related to the issue that I've been able to find.

HELP!

In the mean time, I can use noVNC but on some systems it takes a bit of mouse manipulation before I get a reasonable pointer... and I really miss SPICE.

TYL,
Scott Dowdle, Bozeman, Montana, USA
 
I run the following command on all of my nodes:
$ openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/local/pve-ssl.pem

They all return errors except for one node that is "OK". The OK node works. How do I fix the broken ones?
 
I found one forum post (https://forum.proxmox.com/threads/lets-encrypt-on-a-multi-node-cluster.65356/) where a user had one working node and all of the others weren't... and Fabian said to run "pvecm updatecerts" on the node that was working. The user didn't actually try that an restored previous certs to fix it. My question is... is my working node the cause of the others failing... and will running "pvecm updatecerts" on the working node... make the others start working?

It would be nice to get a short explanation as to what that is doing and what the problem is and how it fixes it... if it isn't too complicated to write out. Thanks in advance.
 
dowdle said:
I found one forum post (https://forum.proxmox.com/threads/lets-encrypt-on-a-multi-node-cluster.65356/) where a user had one working node and all of the others weren't... and Fabian said to run "pvecm updatecerts" on the node that was working. The user didn't actually try that an restored previous certs to fix it. My question is... is my working node the cause of the others failing... and will running "pvecm updatecerts" on the working node... make the others start working?

It would be nice to get a short explanation as to what that is doing and what the problem is and how it fixes it... if it isn't too complicated to write out. Thanks in advance.
Click to expand...
Well, I tried that... first on the working node... no change... then on multiple broken nodes... and no change. The working one is still working and the non-working ones are still not working. :(
 
dowdle said:
Well, I tried that... first on the working node... no change... then on multiple broken nodes... and no change. The working one is still working and the non-working ones are still not working. :(
Click to expand...
ARGH. Now I can't connect to half of my nodes with the web interface because of cert errors. That's what I dislike, trying to improve something and only making it worse.
 
Ok, restored all of the files back to what they were before I tried this fix... and at least I'm back to my previous state of breakage... with the web interface working for all nodes. Back to the drawing board.
dowdle said:
ARGH. Now I can't connect to half of my nodes with the web interface because of cert errors. That's what I dislike, trying to improve something and only making it worse.
Click to expand...
Ok, restored all of the files back to what they were before I tried this fix... and at least I'm back to my previous state of breakage... with the web interface working for all nodes. Back to the drawing board.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back