Unable to set up new custom certificate on 7.2 standalone node

Taledo

Hello all,

I'm having issues provisioning our new pve with our own certificates;

Upon installing them via the web interface, the pveproxy service fails with this error :

Code:
pveproxy-ssl.pem: failed to use local certificate chain (cert_file or cert) at /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 1924.

I've rolled back to the self-signed version since, but I don't understand why this doesn't work. I've also uploaded the key with the pem files.

Cheers,

Taledo
 
Hi,

It looks like there is a problem with the certificate file. Did you make sure it only contains the certificate(s)?
 
Hi,

Code:
file tls00-XXXXX.pem
tls00-XXXXX.pem: PEM certificate

It looks like it to me. Would the "tls" in the name be an issue?
 
You could check if openssl can read the certificate:
Code:
openssl x509 -in [cert pem]  -text -noout
 
It does look alright from my end :

Code:
openssl x509 -noout -enddate -in tls00-XXXXX.pem -text
notAfter=Nov 11 14:16:21 2032 GMT
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 104 (0x68)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = FR, ST = Occitanie, L = Toulouse, O = XXXXXXXX, OU = SI, CN = XXXXXXXXX, emailAddress = XXXXXXXXXXXXXXXXX
Validity
Not Before: Nov 14 14:16:21 2022 GMT
Not After : Nov 11 14:16:21 2032 GMT
 
Hey all. We figured it out.

Turns out our CA system got updated, and in the process, the Signature algorithm got switched from SHA256 to SHA1.

Here's a diff between OpenSSL outputs from a good & bad certificate :

Diff:
68,69c68,69
<                 DNS:the domains :)
<     Signature Algorithm: sha256WithRSAEncryption
---
>                 DNS:also the domains :)
>     Signature Algorithm: sha1WithRSAEncryption

Switching back to SHA256 solved the issue. Here's hoping it may help someone else (no idea if sha1 is supposedly supported)
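
Added example, not part of the original thread: a pre-upload check built on the diagnosis above, reporting the signature algorithm of every certificate in a PEM chain file and flagging SHA-1 or MD5 digests. The function names (`classify_sigalgs`, `check_chain`, `sample_text`) and the sample certificate text are constructed for illustration; the `openssl` CLI is assumed to be installed.

```sh
#!/bin/sh
# Added example (not from the thread): flag SHA-1/MD5-signed certificates
# in a PEM chain before uploading it to the node.

# classify_sigalgs: reads `openssl ... -text` output on stdin and prints
# "WEAK|OK <algorithm> <subject>" per certificate, judged on the outer
# (trailing) Signature Algorithm line, the one shown in the thread's diff.
# Exit status is 1 if any certificate is weak. RSA-PSS hashes are not parsed.
classify_sigalgs() {
    awk '
        /^ *Subject:/ { subj = $0; sub(/^ *Subject: */, "", subj); seen = 1 }
        /^ *Signature Algorithm:/ && seen {
            alg = $NF
            weak = (tolower(alg) ~ /sha1|md[245]/)
            printf "%s %s %s\n", (weak ? "WEAK" : "OK"), alg, subj
            if (weak) bad = 1
            seen = 0
        }
        END { exit bad + 0 }
    '
}

# check_chain FILE: dump every certificate in FILE as text and classify it.
check_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -text -noout |
        classify_sigalgs
}

# Constructed sample (abridged openssl text output, hypothetical names).
sample_text() {
    cat <<'EOF'
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Test CA
        Subject: CN = pve.example.test
        Subject Public Key Info:
    Signature Algorithm: sha1WithRSAEncryption
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Test CA
        Subject: CN = Example Test CA
    Signature Algorithm: sha256WithRSAEncryption
EOF
}

# Run against a file when one is given: ./check.sh fullchain.pem
[ "$#" -eq 0 ] || check_chain "$1"
```

A non-zero exit status means at least one certificate in the file carries a weak signature and should be reissued before it is installed.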
 
