SSL installation on Proxmox 6.3

BeDazzler
Hi All,

I am struggling to get an SSL cert installed and working properly on a Proxmox 6.3 server.

I am following the instructions at:
https://www.ssldragon.com/blog/install-an-ssl-certificate-on-proxmox/

The CA is DigiCert. I create the CSR and key files without a password, then upload the CSR to DigiCert, who then return a PEM file with all the certificates except the root.

Then when I attempt to import into /etc/pve/nodes/xxx/pveproxy-ssl.pem and /etc/pve/nodes/xxx/pveproxy-ssl.key the front-end web server stops serving content.

A journal check of pveproxy.service shows the services recycled and waiting.

I can also see there is a listener on TCP 8006.

No response in browser using name or IP address on TCP 8006.

If I remove the pveproxy-ssl PEM and Key files and recycle services, everything works again.

I've also tried copying the primary cert + DigiCertCA into a PEM file and uploading via the web interface, which also does not work.

Is there a magic trick to getting this working?

Many thanks

BeDazzler.
 
* hm - anything in the journal from `pveproxy`? (`journalctl -u pveproxy`)
* did you restart `pveproxy` after adding/changing the files? (if not restart it and then check the journal)
* what's the output of `curl -vk https://node.ip.address:8006` (run this from a laptop or some other machine not in/on the PVE cluster)

I hope this helps!

For completeness' sake, here's a link to the reference documentation on the topic:
https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#sysadmin_certificate_management
 
Hi Stoiko,

Thank you for the reply.

Output of the journal shows all OK:

May 28 18:44:02 xxxx-pve04 systemd[1]: pveproxy.service: Succeeded.
May 28 18:44:02 xxxx-pve04 systemd[1]: Stopped PVE API Proxy Server.
May 28 18:44:02 xxxx-pve04 systemd[1]: Starting PVE API Proxy Server...
May 28 18:44:03 xxxx-pve04 pveproxy[22574]: Using '/etc/pve/local/pveproxy-ssl.pem' as cert
May 28 18:44:03 xxxx-pve04 pveproxy[22585]: starting server
May 28 18:44:03 xxxx-pve04 pveproxy[22585]: starting 3 worker(s)
May 28 18:44:03 xxxx-pve04 pveproxy[22585]: worker 22586 started
May 28 18:44:03 xxxx-pve04 pveproxy[22585]: worker 22587 started
May 28 18:44:03 xxxx-pve04 pveproxy[22585]: worker 22588 started
May 28 18:44:03 xxxx-pve04 systemd[1]: Started PVE API Proxy Server.

..

Yes, I restart both of these:
# proxy
systemctl restart pveproxy

# pve daemon
service pvedaemon restart

..

curl output from another Linux machine is:

curl -vk https://10.10.20.14:8006
* About to connect() to 10.10.20.14 port 8006 (#0)
* Trying 10.10.20.14...
* Connected to 10.10.20.14 (10.10.20.14) port 8006 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Closing connection 0
curl: (35) Encountered end of file

..

I have also followed the instructions at https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#sysadmin_certificate_management and tried uploading the certs via browser, however the web server dies straight after accepting the certs and restarting services.

I then tried to recycle via command line and the web services still won't show the admin portal.

NOTE: I am using a real certificate from DigiCert as my Proxmox server is on a private network not reachable from the outside, so I can't use Let's Encrypt.

Even a hint of where to look would be very helpful.

Many thanks

BeDazzler.
 
Has nobody else encountered this issue?

Are there any known issues using external CAs and methods other than ACME/LE with Proxmox?
 
Answering my own question to help others with the same issue.

I could not get Proxmox to work with the DigiCert RapidSSL cert, no matter what we tried.

I cancelled it, ordered another cert and installed - now working.

Proxmox 6.3 didn't know or see there was an issue with the cert, it just stopped serving content via GUI. Nothing in the logs.

BeDazzler.
 
I cancelled it, ordered another cert and installed - now working.
Hm - this sounds odd - the only thing I could imagine is that they either did not provide the certificate correctly, or that it used some hashing algorithms which are not used by the OpenSSL library in buster.

In any case - glad you found a workaround!
 
I was hoping for a little more help from you.

I am relatively new to Proxmox, however I am comfortable with Linux/UNIX. A simple point in the right direction would have helped me find the answer sooner rather than silence.
 
While I think that our community is really quite fast and active in responding (and we also try our best to respond here in a timely fashion), we cannot guarantee a particular response time.

As for that particular case - sadly, I did not see the issue from the provided logs and outputs. Sorry not to have been of more help.
 
Stoiko, that's fine, I don't expect you to instantly come up with all the answers. Yes the community has been good, I have also contributed back to help others because I know it's a valuable resource.
 
We use DigiCert for our public-facing certs, but all of our Proxmox hosts are internal only, and are using certs internally signed by our Windows CA (because reasons...). DigiCert has used a variety of intermediate signing certs for their commercial certificates, and I've had them signed (more than once) by a new CA cert that was not present in the OpenSSL CA collection. Thus, the apps on the host refused to use the cert because OpenSSL couldn't validate it due to lack of the signing cert in the trusted CA collection.

I've had to do the same for DigiCert as I have done for our internal CA: copy the CA's public signing cert into /usr/share/ca-certificates/ with a .crt extension, then run dpkg-reconfigure ca-certificates, select the new cert to be imported, and go. This updates the library of trusted CA certs in /etc/ssl/certs and will solve the problem for good (or until the signing cert itself expires).
 
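Added example (not part of the thread, and not Proxmox's own tooling): a POSIX shell pre-flight for the pveproxy-ssl.pem / pveproxy-ssl.key pair that covers the things the replies above point at: Stoiko's "check the journal and curl -vk" step, which only tells you the listener is closing connections, and the last post's point that a missing DigiCert intermediate is enough to make OpenSSL reject the cert. The script checks that the key is unencrypted, that it matches the first certificate in the PEM, that the first certificate is the server cert rather than a pasted-in CA cert, and that the chain verifies to a root you trust using only the intermediates in the file. It assumes openssl(1) is installed; the root/intermediate/leaf PKI, the hostname pve04.example.internal and all file names are constructed for the example so it runs offline. Against a real node you would point it at /etc/pve/local/pveproxy-ssl.pem, the .key, and /etc/ssl/certs/ca-certificates.crt (or the DigiCert root you just imported).

```shell
#!/bin/sh
# Added example (not from the thread, not Proxmox code): pre-flight checks for a
# pveproxy-ssl.pem / pveproxy-ssl.key pair, exercised against a throwaway
# root -> intermediate -> leaf PKI generated here with openssl(1).
# All names, paths and the demo PKI are constructed for this example.

# --- the checks -------------------------------------------------------------

# pveproxy cannot prompt for a passphrase: reject encrypted keys
# (PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" or legacy "Proc-Type: 4,ENCRYPTED").
key_is_unencrypted() { ! grep -q ENCRYPTED "$1"; }

# The key must belong to the FIRST certificate in the PEM (the one openssl x509
# reads); compare the public key derived from each side.
key_matches_cert() {  # $1 pem  $2 key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# pveproxy wants the server (end-entity) cert first, then the intermediates.
# A CA cert at the top of the file (e.g. DigiCertCA pasted before the leaf)
# is one way to end up with a listener that closes every connection.
first_cert_is_leaf() {
    ! openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# The leaf must chain to a trusted root using only the intermediates carried
# in the PEM itself (-untrusted). If the intermediate is missing from the file
# this fails with "unable to get local issuer certificate".
chain_verifies() {  # $1 pem  $2 trusted root bundle
    openssl verify -CAfile "$2" -untrusted "$1" -purpose sslserver "$1" >/dev/null 2>&1
}

run_check() {  # $1 description, rest = command; prints PASS/FAIL, returns its result
    desc=$1; shift
    if "$@"; then printf 'PASS  %s\n' "$desc"; else printf 'FAIL  %s\n' "$desc"; return 1; fi
}

# Returns 0 only if every check passes; run this BEFORE systemctl restart pveproxy.
check_pveproxy_pair() {  # $1 pem (leaf + intermediates)  $2 key  $3 trusted root bundle
    rc=0
    run_check "key is not passphrase-protected"          key_is_unencrypted "$2"      || rc=1
    run_check "key matches the first cert in the PEM"    key_matches_cert   "$1" "$2" || rc=1
    run_check "first cert in the PEM is the server cert" first_cert_is_leaf "$1"      || rc=1
    run_check "chain verifies to the trusted root"       chain_verifies     "$1" "$3" || rc=1
    return $rc
}

# --- throwaway PKI so the checks can be exercised offline -------------------
make_demo_pki() {  # $1 = working directory; writes root/int/leaf keys and certs
    cfg="$1/openssl.cnf"
    cat > "$cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:pve04.example.internal
EOF
    openssl req -config "$cfg" -x509 -newkey rsa:2048 -nodes -days 30 -extensions ca_ext \
        -subj "/CN=Demo Root CA" -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    openssl req -config "$cfg" -new -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Intermediate CA" -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial \
        -days 30 -extfile "$cfg" -extensions ca_ext -out "$1/int.pem" 2>/dev/null
    openssl req -config "$cfg" -new -newkey rsa:2048 -nodes \
        -subj "/CN=pve04.example.internal" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" -CAcreateserial \
        -days 30 -extfile "$cfg" -extensions leaf_ext -out "$1/leaf.pem" 2>/dev/null
    cat "$1/leaf.pem" "$1/int.pem" > "$1/pveproxy-ssl.pem"   # correct order: leaf, then CA(s)
    cat "$1/int.pem" "$1/leaf.pem" > "$1/wrong-order.pem"    # what a careless paste produces
}

DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
make_demo_pki "$DEMO"
PEM="$DEMO/pveproxy-ssl.pem"; KEY="$DEMO/leaf.key"; ROOT="$DEMO/root.pem"

echo "== leaf + intermediate PEM, matching key =="
check_pveproxy_pair "$PEM" "$KEY" "$ROOT" && echo "-> safe to copy to /etc/pve/local/ and restart pveproxy"
echo "== same PEM, wrong key =="
check_pveproxy_pair "$PEM" "$DEMO/int.key" "$ROOT" || echo "-> do not install"
echo "== leaf only, intermediate missing from the PEM =="
check_pveproxy_pair "$DEMO/leaf.pem" "$KEY" "$ROOT" || echo "-> do not install"
echo "== intermediate pasted before the leaf =="
check_pveproxy_pair "$DEMO/wrong-order.pem" "$KEY" "$ROOT" || echo "-> do not install"
```

The chain check deliberately passes the PEM as `-untrusted` rather than relying on the system store, so it reproduces what a server that only has the files you gave it can build; if it only passes once you add the intermediate to `-CAfile`, the fix is to append that intermediate to pveproxy-ssl.pem, not to import it into the host's trust store.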