Unable to set up new custom certificate on 7.2 standalone node

Taledo

Hello all,

I'm having issues provisioning our new pve with our own certificates;

Upon installing them via the web interface, the pveproxy service fails with this error:

Code:
pveproxy-ssl.pem: failed to use local certificate chain (cert_file or cert) at /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 1924.

I've rolled back to the self-signed version since, but I don't understand why this doesn't work. I've also uploaded the key with the pem files.

Cheers,

Taledo
 
Hi,

it looks like there is a problem with the certificate file. Did you make sure it only contains the certificate(s)?
 
Hi,

Code:
file tls00-XXXXX.pem
tls00-XXXXX.pem: PEM certificate

It looks like it to me. Would the "tls" in the name be an issue?
 
You could check if openssl can read the certificate:
Code:
openssl x509 -in [cert pem]  -text -noout
 
It does look alright from my end:

Code:
openssl x509 -noout -enddate -in tls00-XXXXX.pem -text
notAfter=Nov 11 14:16:21 2032 GMT
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 104 (0x68)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = FR, ST = Occitanie, L = Toulouse, O = XXXXXXXX, OU = SI, CN = XXXXXXXXX, emailAddress = XXXXXXXXXXXXXXXXX
Validity
Not Before: Nov 14 14:16:21 2022 GMT
Not After : Nov 11 14:16:21 2032 GMT
 
Hey all. We figured it out.

Turns out our CA system got updated, and in the process, the Signature algorithm got switched from SHA256 to SHA1.

Here's a diff between OpenSSL outputs from a good & bad certificate:

Diff:
68,69c68,69
<                 DNS:the domains :)
<     Signature Algorithm: sha256WithRSAEncryption
---
>                 DNS:also the domains :)
>     Signature Algorithm: sha1WithRSAEncryption

Switching back to SHA256 solved the issue. Here's hoping it may help someone else (no idea if sha1 is supposedly supported).
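The two things this thread ended up checking by hand (does the PEM file hold only certificate blocks, and which signature algorithm did the CA use) can be scripted. This is an added example, not Proxmox code or anything from the thread's participants; it assumes the signature algorithm is read from `openssl x509 -text -noout` output, and both sample inputs are constructed.

```python
"""Pre-upload sanity checks for a pveproxy certificate (added example)."""
import re

# Constructed sample: a PEM file that accidentally carries a private key block.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIE...constructed...
-----END PRIVATE KEY-----
"""

# Constructed excerpt of `openssl x509 -text -noout` output for a SHA-1 cert.
SAMPLE_OPENSSL_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 104 (0x68)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = FR, O = Example CA
        Validity
            Not Before: Nov 14 14:16:21 2022 GMT
            Not After : Nov 11 14:16:21 2032 GMT
"""

# Algorithms a modern TLS stack (and pveproxy, per the thread) will reject.
WEAK_SIGNATURE_ALGORITHMS = {"md5WithRSAEncryption", "sha1WithRSAEncryption",
                             "ecdsa-with-SHA1", "dsaWithSHA1"}

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def pem_block_types(pem_text):
    """Labels of every PEM block in order, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]

def non_certificate_blocks(pem_text):
    """Blocks that do not belong in the certificate file (the key is uploaded separately)."""
    return [t for t in pem_block_types(pem_text) if t != "CERTIFICATE"]

def signature_algorithms(openssl_text):
    """Every 'Signature Algorithm:' value printed by openssl -text."""
    return re.findall(r"Signature Algorithm:\s*(\S+)", openssl_text)

def weak_signature_algorithms(openssl_text):
    return sorted({a for a in signature_algorithms(openssl_text) if a in WEAK_SIGNATURE_ALGORITHMS})

def check_certificate_upload(pem_text, openssl_text):
    """Return human-readable problems; an empty list means both checks passed."""
    problems = []
    if not pem_block_types(pem_text):
        problems.append("PEM file contains no certificate block")
    extra = non_certificate_blocks(pem_text)
    if extra:
        problems.append("PEM file contains non-certificate blocks: " + ", ".join(extra))
    weak = weak_signature_algorithms(openssl_text)
    if weak:
        problems.append("certificate signed with weak algorithm: " + ", ".join(weak))
    return problems
```

Running `check_certificate_upload(SAMPLE_PEM, SAMPLE_OPENSSL_TEXT)` reports both the stray key block and the SHA-1 signature.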