Unable to get the SSL certificate working after running ACME

pardub

Oct 7, 2019
Hi,

I followed the process "Example: Sample pvenode invocation for using Let’s Encrypt certificates" below to generate the SSL certificates:

https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysadmin_certificate_management

The ACME script ended up properly:
Bash:
All domains validated!

Creating CSR
Checking order status
Order is ready, finalizing order
valid!

Downloading certificate
Setting pveproxy certificate and key
Restarting pveproxy
Task OK

But the "old" self-signed certificate is still running on the GUI Proxmox 6.0-7

How can I get the new SSL certificates running?

Thank you
 
Hi,

I have tested it with a newly installed Proxmox VE 6.0-2 2 node cluster.
pve-manager: 6.0-4 (running version: 6.0-4/2a719255)

and it works.
Is the certificate in /etc/pve/nodes/one/pveproxy-ssl.* correct?
 
Hi,
I don't have the path /etc/pve/nodes/one/pveproxy-ssl but this one:

Bash:
cat /etc/pve/nodes/ns3555555/pveproxy-ssl.pem

And there are 2 certificates in
Bash:
cat /etc/pve/nodes/ns3555555/pveproxy-ssl.pem


and one key in
Bash:
cat /etc/pve/nodes/ns3555555/pveproxy-ssl.key

Thank you
 
I don't have the path /etc/pve/nodes/one/pveproxy-ssl but this one:
"one" is my test node. Forgot to generalize it.
And is the cert correct?
openssl x509 -in /etc/pve/nodes/ns3555555/pveproxy-ssl.pem -text -noout
 
Can I post here the full output of the command openssl x509 -in /etc/pve/nodes/ns3555555/pveproxy-ssl.pem -text -noout or do I need to hide some personal information first in that log?

Thank you
 
There is the output:

Bash:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            fa:23:8b:da:f8:78:20:ba:f3:c3:a2:6b:76:d5:32:1c:48:63
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Fake LE Intermediate X1
        Validity
            Not Before: Oct  9 12:13:34 2019 GMT
            Not After : Jan  7 12:13:34 2020 GMT
        Subject: CN = test.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                20:AC:F8:BB:B5:CF:A3:5C:AB:67:74:CF:B5:8E:4B:32:32:71:2B:B4
            X509v3 Authority Key Identifier:
                keyid:C0:CC:03:46:B9:58:20:CC:5C:72:70:F3:E1:2E:CB:20:A6:F5:68:3A

            Authority Information Access:
                OCSP - URI:http://ocsp.stg-int-x1.letsencrypt.org
                CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:test.example.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
 
This looks good.
But this is a staging cert, so you get a warning if you open the browser.
You can try to reboot the pveproxy.service and test again.
 
Sorry, I don't understand the meaning of staging cert.

I did a "systemctl restart pveproxy" but I still have the alert on the GUI mentioning the connection is not secure.
 
Sorry, I don't understand the meaning of staging cert.
You can use the Let's Encrypt staging server for test purposes.
These certificates will not be shown as trusted certificates, because they are only for testing.

If you look at View Account
you see at Directory this link "https://acme-staging-v02.api.letsencrypt.org/directory"
This is not for production.
You have to delete your account and create a new non-staging one.

For this, remove this file
/etc/pve/priv/acme/default
 
I deleted the /etc/pve/priv/acme/default as per request but I received the following error message by entering the command
pvenode acme account info default

Bash:
root@ns355555:~# pvenode acme account info default
400 Parameter verification failed.
name: ACME account config file 'default' does not exist.
pvenode acme account info [<name>] [FORMAT_OPTIONS]
 
Skip this and keep going with the next step.

Code:
pvenode acme account register default <mail@example.invalid>
 
There is the output
Bash:
pvenode acme account register default txxxxxxxx@gmail.com
Directory endpoints:
0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
2) Custom
Enter selection:
0

Attempting to fetch Terms of Service from 'https://acme-v02.api.letsencrypt.org/directory'..
Terms of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Do you agree to the above terms? [y|N]y

Attempting to register account with 'https://acme-v02.api.letsencrypt.org/directory'..
Generating ACME account key..
Registering ACME account..
Registration successful, account URL: 'https://acme-v02.api.letsencrypt.org/acme/acct/69314976'
Task OK

I then did a "systemctl restart pveproxy" but the certificates on the GUI are still shown as not trusted.
 
Please read the documentation.
 
This is exactly what I did but it doesn't work as expected, hence I contact the community.

Can you be more explicit in your approach to help regarding the information I provided?

Thank you
 
I did again the steps you provided me and that are in the documentation and the issue is still there: The certificates are still not shown as trusted in the browser...

Bash:
root@ns300000:~# pvenode acme account deactivate default
Renaming account file from '/etc/pve/priv/acme/default' to '/etc/pve/priv/acme/_deactivated_default_1'
Task OK
root@ns300000:~# cd /etc/pve/priv/acme/
total 2.0K
-rw------- 1 root www-data 4.5K Oct 14 09:04 _deactivated_default_0
-rw------- 1 root www-data 4.5K Oct 15 07:12 _deactivated_default_1
root@ns300000:/etc/pve/priv/acme# rm _deactivated_default_0 _deactivated_default_1
rm: remove regular file '_deactivated_default_0'? y
rm: remove regular file '_deactivated_default_1'? y
root@ns300000:/etc/pve/priv/acme# ll
total 0
root@ns300000:/etc/pve/priv/acme# pvenode acme account register default test8888@gmail.com
Directory endpoints:
0) Let's Encrypt V2 (https://acme-v02.api.letsencrypt.org/directory)
1) Let's Encrypt V2 Staging (https://acme-staging-v02.api.letsencrypt.org/directory)
2) Custom
Enter selection:
0

Attempting to fetch Terms of Service from 'https://acme-v02.api.letsencrypt.org/directory'..
Terms of Service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Do you agree to the above terms? [y|N]y

Attempting to register account with 'https://acme-v02.api.letsencrypt.org/directory'..
Generating ACME account key..
Registering ACME account..
Registration successful, account URL: 'https://acme-v02.api.letsencrypt.org/acme/acct/69423589'
Task OK
root@ns300000:/etc/pve/priv/acme# systemctl restart pveproxy

root@ns300000:/etc/pve/priv/acme#
 
You just created an account.
You also have to request the certificate.

See the section "Getting trusted certificates via ACME" of the documentation.

You are missing the command

pvenode acme cert order
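
One way to check whether a node is still holding a Let's Encrypt staging certificate after the ACME account has been re-registered, as in this thread (an added example, not part of the original posts and not Proxmox code). The function names, the constructed second sample and the use of port 8006 for the PVE web GUI are assumptions of this example; the "(STAGING)" pattern covers the issuer names newer staging certificates carry.

```shell
#!/usr/bin/env bash
# Added example: tell a Let's Encrypt staging certificate from any other one.

# Classify an ACME directory URL (the two URLs pvenode offers at registration).
classify_directory() {
  case "$1" in
    https://acme-staging-v02.api.letsencrypt.org/directory) echo staging ;;
    https://acme-v02.api.letsencrypt.org/directory)         echo production ;;
    *)                                                      echo custom ;;
  esac
}

# Read `openssl x509 -text -noout` output on stdin; print "staging" when the
# issuer name or an Authority Information Access URL points at LE staging.
classify_cert_text() {
  local text issuer
  text=$(cat)
  issuer=$(printf '%s\n' "$text" | sed -n 's/^ *Issuer: *//p' | head -n 1)
  case "$issuer" in
    *"Fake LE"*|*"(STAGING)"*) echo staging; return 0 ;;
  esac
  if printf '%s\n' "$text" | grep -Eq 'URI:http://[^ ]*\.stg-[^ ]*letsencrypt\.org'; then
    echo staging
  else
    echo not-staging
  fi
}

# Fetch what the web GUI actually serves (assumption: GUI listens on 8006).
# Usage on a node: served_cert_text "$(hostname -f)" 8006 | classify_cert_text
served_cert_text() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -text
}

# Excerpt of the certificate text posted in the thread.
SAMPLE_STAGING='        Issuer: CN = Fake LE Intermediate X1
                OCSP - URI:http://ocsp.stg-int-x1.letsencrypt.org
                CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/'
# Constructed sample of a certificate from some other CA.
SAMPLE_OTHER='        Issuer: C = US, O = Example CA, CN = Example Issuing CA
                OCSP - URI:http://ocsp.example.test'

printf '%s\n' "$SAMPLE_STAGING" | classify_cert_text
```

Running `classify_cert_text` on the file in /etc/pve/nodes/<node>/pveproxy-ssl.pem and on the output of `served_cert_text` separates "no new certificate was ordered" from "pveproxy is still serving the old one".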
 
