[SOLVED] SSL: dot at the end of FQDN if installed upon Debian

Slamdunk

May 29, 2018
Hi, I followed the guide Install Proxmox VE on Debian Stretch using debian-9.4.0-amd64-netinst.iso, and at the end of the guide I found that the SSL cert has a dot at the end of the machine hostname:

Code:
$ openssl x509 -in /etc/pve/local/pve-ssl.pem -text -noout
Certificate:
    [...]
        Issuer: CN = Proxmox Virtual Environment, OU = 441ef423-c4b3-4349-91b3-1c6fa56044c4, O = PVE Cluster Manager CA
        [...]
        Subject: OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = certtest.mycompany.local.
        [...]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, DNS:localhost, IP Address:192.168.150.177, DNS:certtest, DNS:certtest.mycompany.local.
        [...]

As you can see, DNS:certtest.mycompany.local. has an ending dot.

Reinstalling with proxmox-ve_5.2-1.iso, the DNS name is correctly reported without the ending dot.
Code:
$ openssl x509 -in /etc/pve/local/pve-ssl.pem -text -noout
Certificate:
    [...]
        Issuer: CN = Proxmox Virtual Environment, OU = c6d14615-1381-47cf-9837-8b2268701a72, O = PVE Cluster Manager CA
        [...]
        Subject: OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = certtest.mycompany.local
        [...]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, DNS:localhost, IP Address:192.168.150.177, DNS:certtest, DNS:certtest.mycompany.local
        [...]

The /etc/hosts file is the same on both tries:

Code:
$ cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.150.177 certtest.mycompany.local certtest pvelocalhost

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


Any guess on how to get rid of the ending dot in the FQDN?
 
How do /etc/resolv.conf and /etc/hostname look in both situations?
 
Hi, thank you for the quick reply.

Indeed the two files differ:

Code:
### Proxmox on Debian
$ cat /etc/resolv.conf
domain mycompany.local
search mycompany.local.
nameserver 192.168.150.254
$ cat /etc/hostname
certtest

### Native Proxmox
$ cat /etc/resolv.conf
search mycompany.local
nameserver 192.168.150.254
$ cat /etc/hostname
certtest

Fixing the /etc/resolv.conf fixes the issue :)

Note that before submitting this topic, I double checked the issue on two clean installations following the wiki guides, so I think this should be pointed out in the guides too.

If you can point out to me how to contribute, I'll be glad to propose a wiki note about this.
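The check and fix described in the post above, as an added example that is not part of the original thread: it flags `domain`/`search` names in a resolv.conf-style file that end in a dot, prints a copy with the dot stripped, and lists the CN and DNS SAN entries in `openssl x509 -text -noout` output that carry a trailing dot. The function names and the sample input are constructed for illustration, modelled on the files quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# List domain/search names in a resolv.conf-style file that end in a dot.
resolv_trailing_dots() {
    awk '$1 == "domain" || $1 == "search" {
        for (i = 2; i <= NF; i++) if ($i ~ /\.$/) print $1 ": " $i
    }' "$1"
}

# Print the file with the trailing dot stripped from domain/search names only.
resolv_strip_dots() {
    awk '$1 == "domain" || $1 == "search" {
        for (i = 2; i <= NF; i++) sub(/\.$/, "", $i)
    }
    { print }' "$1"
}

# Read `openssl x509 -text -noout` output on stdin; print the subject CN and
# any DNS SAN entries that end in a dot.
cert_trailing_dots() {
    awk '/Subject:.*CN = .*\.$/ { cn = $0; sub(/.*CN = /, "CN=", cn); print cn }
    /DNS:/ {
        n = split($0, san, /, */)
        for (i = 1; i <= n; i++) {
            sub(/^[ \t]+/, "", san[i])
            if (san[i] ~ /^DNS:.*\.$/) print san[i]
        }
    }'
}

# Constructed sample input, modelled on the files quoted in the thread.
sample_resolv() {
    printf '%s\n' 'domain mycompany.local' 'search mycompany.local.' \
        'nameserver 192.168.150.254'
}
sample_cert_text() {
    printf '%s\n' \
        '        Subject: OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = certtest.mycompany.local.' \
        '            X509v3 Subject Alternative Name:' \
        '                IP Address:127.0.0.1, DNS:localhost, DNS:certtest, DNS:certtest.mycompany.local.'
}

tmp=$(mktemp) && sample_resolv > "$tmp"
echo "resolv.conf entries with a trailing dot:"; resolv_trailing_dots "$tmp"
echo "certificate names with a trailing dot:"; sample_cert_text | cert_trailing_dots
echo "corrected resolv.conf:"; resolv_strip_dots "$tmp"
rm -f "$tmp"
```

On a real host, pipe the command from the first post into the certificate check: `openssl x509 -in /etc/pve/local/pve-ssl.pem -text -noout | cert_trailing_dots`.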
 
This is definitely some kind of bug. I just came across this myself in PVE 7.1-2. What had happened was I needed to change the static IP on one of my Proxmox hosts. After doing that I had to manually update the hosts file through the GUI. I think at that point the period/dot got introduced (not by user error).

Following the solution from the posts above fixed my problem as well.