TLS Down! - GUI down!

Sep 17, 2020
309
18
23
Hello All,

While I have apparently done this a couple of times before, this time not so lucky.
The SSL certificate expired (Setigo) so I simply upload the new cert, the new cert bundle, and upload it to the server, once that happens under no circumstance does the GUI work.

I try again with the same result, manually starting mgw service and nothing.
Thjen I restore the files in /etc/pmg/ and restart and its working just not liking the outdated version.

The upload function under certificates I thought would do the trick upload API, am I missing something?
The instructions aren't so clear if someone has a step by step that would be appreciated.
If I leave the ssl off of the api and put it only on smtp, I get to install the cert, but it comes back with errors as well.

I also tried this method that I'm not sure why I have in notes, with no success.

cat key.pem nginx_bundle_9cc84a4582c5.crt > /etc/pmg/pmg-api.pem

I also attempted the manual way with the following steps:
openssl req -new -newkey rsa:2048 -nodes -keyout mgw_MyServer_net.pem -out mgw_MyServer_net.csr -subj /CN=mgw.MyServer_net; cat mgw_MyServer_net.csr

Take that CSR, get key

Upload Key and CA Bundle, it takes it correctly but TLS not working, GUI not working.
 
Last edited:
check the journal - while restarting pmgproxy

else to get a working condition again (with a self-signed certificate) make a backup of the files you want to keep (the certificates) and try running:
`pmgconfig apicert --force 1`

I hope this helps!
 
@Stoiko Ivanov Thanks.
Is there a set of step by step instructions to install/update the certificates, the current documentation is not clear for the steps to generate the csr, etc.
I did backup the files and put them back to get past the issue, I will try to grab from the log later, but I don't want to put the new key and crash TLS rejecting messages.
 
Is there a set of step by step instructions to install/update the certificates,
no - at least not more than what's documented in the reference documentation:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#sysadmin_certificate_management (4.6.7)

also there are tons of instructions on the internet on how to get a CSR using openssl, and how to join certificates and chaincerts and keys - e.g.:
https://www.thesslstore.com/knowledgebase/ssl-generate/csr-generation-guide-for-nginx-openssl/
https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm
 
Last edited:
no - at least not more than what's documented in the reference documentation:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#sysadmin_certificate_management (4.6.7)

also there are tons of instructions on the internet on how to get a CSR using openssl, and how to join certificates and chaincerts and keys - e.g.:
https://www.thesslstore.com/knowledgebase/ssl-generate/csr-generation-guide-for-nginx-openssl/
https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm
I used the GUI, gave it the private and the chain, but both TLS and WEB broke.
There is no information on how to generate the CSR so the system itself has the CSR and Private key, but I totally understand how to generate the csr command line, I do this for Centos/WIndows all the time, just not for this platform, which I have done 2 or 3 times OK, but under the 7.x the proceedure changed.
 
So you're saying do it the old way, via command line and then see what happens, get log entries etc?
From what I can tell we then take the private key and the certificate and place them in /etc/pmg/pmg-api.pem
Can I put the same key for tls inside of pmg-tls.pem?

The above is also what I showed that I did, I actually did it 3 different times to make sure I didn't make a mistake.
I will try another time, and will look at the logs as well to share those.

When I mentioned the change I was referring to doing it via command line only vs web.

Thanks!
 
Last edited:
TLS is still down - GUI is UP

Went back to default.
pmgconfig apicert --force 1

Restart PMG:
systemctl restart pmgproxy

Connect to web, it connects to self signed cert.

Then did the steps to get cert and is shown in an instructional way/how to:
openssl req -new -newkey rsa:2048 -nodes -keyout mgw_YourDomainHere_com.pem -out csr_mgw_YourDomainHere_com.pem -subj "/C=YourCountry/ST=YourState/L=YourCity/O=YourCompany/OU=YourDepartment/CN=mgw.YourDomainHere_com"; cat csr_mgw_YourDomainHere_com.pem

Get your cert from provider and apply it to GUI:
cat mgw_YourDomainHere_com.pem mgw_YourDomainHere_com.crt > pmg-api.pem

Restart PMG:
systemctl restart pmgproxy

GUI Works!

Next TLS:
From GUI TLS was already enabled and there was an existing pmg-tls.pem
It didn't work when I tried to test via command line:
openssl s_client -connect mgw.MyServer.net:443 -tls1_2 140392518022464:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110: 140392518022464:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111: connect:errno=111

I then attempted to put the same key for TLS: ( Not sure if this should work )
cat mgw_YourDomainHere_com.pem mgw_YourDomainHere_com.crt > pmg-tls.pem

Restart PMG:
systemctl restart pmgproxy

And the same connection error.

Any suggestions to get tls running again?

Side Note: I did disable TLS, then deleted TLS pem file, restart PMG, then click YES to tls and it did update pmg.conf, but did not generate a self signed pmg-tls.pem as noted in documentation.
 
Last edited:
ok - two issues I see:
openssl s_client -connect mgw.MyServer.net:443 -tls1_2
pmgproxy listens to port 8006 - you try to connect to port 443 ... (why add the -tls1_2 btw?!)
try: `openssl s_client -connect mgw.MyServer.net:8006 -tls1_2`

I then attempted to put the same key for TLS: ( Not sure if this should work )
cat mgw_YourDomainHere_com.pem mgw_YourDomainHere_com.crt > pmg-tls.pem
see: https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_keys_and_certificates
pmg-api.pem is for the pmgproxy (and thus the API and GUI)
pmg-tls.pem is for postfix (and thus for SMTP)

I hope this explains it!
 
@Stoiko Ivanov
Thanks for the response!
Yes, I understood the purpose of each of the keys as i have shown above, but if I applied my purchased key in the same method to the pmg-tls.pem as I did to the GUI, I get tls errors, see a sample below:
Code:
Transcript of session follows.

 Out: 220 mgw.MyDomain.com mgw.MyDomain.com
 In:  EHLO o2.email.testboard.com
 Out: 250-mgw.MyDomain.com
 Out: 250-PIPELINING
 Out: 250-SIZE 52428800
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250-SMTPUTF8
 Out: 250 CHUNKING
 In:  STARTTLS
 Out: 454 4.7.0 TLS not available due to local problem
 In:  MAIL FROM:<bounces+21630-00c7-Roger=ClientAddress.com@email.flipboard.com>
     BODY=8BITMIME
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<Roger@ClientAddress.com>
 Out: 451 4.3.0 <bounces+21630-00c7-Roger=ClientAddress.com@email.flipboard.com>:
     Temporary lookup failure
 In:  QUIT
 Out: 221 2.0.0 Bye
 
The journal should have some hints after you restart postfix...
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!