SSL Installation Problem

rjbick

I built a new server (pve-manager/4.4-1/eb2d6f1e (running kernel: 4.4.35-1-pve)) for a cluster I'm about to create and wanted to incorporate our SSL Certificate into the web manager. I followed https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x_and_newer) to the letter. After pveproxy restart I could no longer access the host website. I can find no errors why this is occurring. If I remove the pveproxy-ssl.pem and pveproxy-ssl.key and restart pveproxy it works again. I use this ssl set in multiple places (wildcard, thawte signed cert) and it works fine. Any ideas where to start looking for errors or maybe a solution would be excellent.
 
Are you sure those files are in PEM format? Could you post the output of "journalctl -u pveproxy -b"?
 
journalctl -b -u pveproxy.service
-- Logs begin at Mon 2016-12-19 15:49:36 EST, end at Mon 2016-12-19 16:43:46 EST. --
Dec 19 15:49:49 btchost2 systemd[1]: Starting PVE API Proxy Server...
Dec 19 15:49:50 btchost2 pveproxy[2452]: Using '/etc/pve/local/pveproxy-ssl.pem' as certificate for the web interface.
Dec 19 15:49:50 btchost2 pveproxy[2467]: starting server
Dec 19 15:49:50 btchost2 pveproxy[2467]: starting 3 worker(s)
Dec 19 15:49:50 btchost2 pveproxy[2467]: worker 2468 started
Dec 19 15:49:50 btchost2 pveproxy[2467]: worker 2469 started
Dec 19 15:49:50 btchost2 pveproxy[2467]: worker 2470 started
Dec 19 15:49:50 btchost2 systemd[1]: Started PVE API Proxy Server.
Dec 19 16:43:43 btchost2 systemd[1]: Stopping PVE API Proxy Server...
Dec 19 16:43:44 btchost2 pveproxy[2467]: received signal TERM
Dec 19 16:43:44 btchost2 pveproxy[2467]: server closing
Dec 19 16:43:44 btchost2 pveproxy[2468]: worker exit
Dec 19 16:43:44 btchost2 pveproxy[2470]: worker exit
Dec 19 16:43:44 btchost2 pveproxy[2469]: worker exit
Dec 19 16:43:44 btchost2 pveproxy[2467]: worker 2468 finished
Dec 19 16:43:44 btchost2 pveproxy[2467]: worker 2469 finished
Dec 19 16:43:44 btchost2 pveproxy[2467]: worker 2470 finished
Dec 19 16:43:44 btchost2 pveproxy[2467]: server stopped
Dec 19 16:43:45 btchost2 systemd[1]: Starting PVE API Proxy Server...
Dec 19 16:43:46 btchost2 pveproxy[16976]: Using '/etc/pve/local/pveproxy-ssl.pem' as certificate for the web interface.
Dec 19 16:43:46 btchost2 pveproxy[16981]: starting server
Dec 19 16:43:46 btchost2 pveproxy[16981]: starting 3 worker(s)
Dec 19 16:43:46 btchost2 pveproxy[16981]: worker 16982 started
Dec 19 16:43:46 btchost2 pveproxy[16981]: worker 16983 started
Dec 19 16:43:46 btchost2 systemd[1]: Started PVE API Proxy Server.
Dec 19 16:43:46 btchost2 pveproxy[16981]: worker 16984 started
 
What does "openssl x509 -in /etc/pve/local/pveproxy-ssl.pem -noout -subject -issuer" output?
 
subject= /C=US/ST=Ohio/L=Toledo/O=Internet Payment Exchange, Inc/OU=Systems/CN=*.ipayx.net
issuer= /C=US/O=thawte, Inc./CN=thawte SSL CA - G2
 
Try to open the webpage inside a private browser session. Some browsers do not work well with changed certificates without restart. I always get 'empty response' errors on Chrome after changing certificates.
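
The PEM question asked earlier in the thread can be checked directly before restarting pveproxy. The following is an added example, not code from the thread or from Proxmox: it confirms that the certificate is PEM, that both files parse, and that the key belongs to the certificate. The sample pair, `other.key`, `cert.der` and the CN are constructed; on a host, `check_pair` would be pointed at the real pveproxy-ssl.pem and pveproxy-ssl.key.

```shell
#!/usr/bin/env bash
# Added example: check a certificate/key pair before restarting pveproxy.

# SHA-256 of the DER-encoded public key inside a PEM certificate.
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the DER-encoded public key derived from a private key.
key_pubkey_hash() {
    openssl pkey -in "$1" -passin pass: -pubout -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_pair CERT KEY: prints a verdict and returns 0 only if the certificate
# is PEM, both files parse, and the key belongs to the certificate.
check_pair() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" \
        || { echo "certificate is not PEM"; return 2; }
    openssl x509 -in "$1" -noout 2>/dev/null \
        || { echo "certificate does not parse"; return 2; }
    openssl pkey -in "$2" -passin pass: -noout 2>/dev/null \
        || { echo "key does not parse or needs a passphrase"; return 3; }
    [ "$(cert_pubkey_hash "$1")" = "$(key_pubkey_hash "$2")" ] \
        || { echo "key does not match certificate"; return 4; }
    echo "ok"
}

# Constructed sample data: a throwaway self-signed pair, an unrelated key,
# and a DER copy of the certificate. None of this comes from the thread.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=pve.example.test' \
        -keyout "$1/pveproxy-ssl.key" -out "$1/pveproxy-ssl.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
    openssl x509 -in "$1/pveproxy-ssl.pem" -outform DER -out "$1/cert.der"
}

d=$(mktemp -d)
make_sample "$d"
check_pair "$d/pveproxy-ssl.pem" "$d/pveproxy-ssl.key" || true
check_pair "$d/pveproxy-ssl.pem" "$d/other.key" || true
check_pair "$d/cert.der" "$d/pveproxy-ssl.key" || true
rm -rf "$d"
```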