Uploading certificates signed by a personal CA

Hi,
I've tried to upload a certificate+key pair signed by my own self-signed CA, and as soon as I upload it I lose the connection to the management interface. I've also tried to upload a certificate with the server cert + CA cert, and nothing changed. Is there any particular setting/option that I have to enable in the certificate in order to make it work?
I've deleted them by hand from the CLI and reverted to the original ones. I'm running Proxmox 7.2.
 
Just ran into the same problem. Could reset back to the default using the directions from:
https://forum.proxmox.com/threads/try-to-install-ssl-certificat-then-no-access-to-web-gui.82955/

But have not (yet) figured out what is going wrong, or how to make this work.

At the very least, we could use better diagnostics.
Hi @Preston L. Bannister, I've finally enabled my own self-signed certificate on PVE. I had to disable some v3 extensions in openssl.conf, since the ones I was using (left in the file but commented out) were not working (ERR_SSL_KEY_USAGE_INCOMPATIBLE was shown by Google Chrome).

Here is what I did.

DISCLAIMER: this is a home-lab installation, take it into account before following my steps :)

1) Prepare openssl.conf for pve.mynetwork

Code:
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = IT
ST = Trentino Alto Adige
L = Trento
O = Mynetwork
OU = Network
CN = pve.mynetwork

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = pve.mynetwork
DNS.2 = pve
IP.1 = 10.0.0.4

[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
#keyUsage=keyEncipherment,dataEncipherment
#extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names

2) Create CSR, CRT and KEY for pve.mynetwork

Bash:
# Generate self-signed CA
openssl genrsa -out mynetwork-ca.key 2048
openssl req -x509 -new -nodes -key mynetwork-ca.key -subj "/CN=mynetwork-ca" -days 10000 -out mynetwork-ca.crt

# Generate the pve.mynetwork server certificate signed by our CA
openssl genrsa -out pve.mynetwork.key 2048
openssl req -new -key pve.mynetwork.key -config openssl.conf -out pve.mynetwork.csr
openssl x509 -req -in pve.mynetwork.csr -CA mynetwork-ca.crt -CAkey mynetwork-ca.key -CAcreateserial -days 10000 -extensions v3_ext -extfile openssl.conf -sha256 -out pve.mynetwork.crt
openssl x509 -in pve.mynetwork.crt -noout -text

3) Upload certificates
  • Backup pve-ssl.key and pve-ssl.pem in /etc/pve/local
  • Replace the content of pve-ssl.key with pve.mynetwork.key
  • Replace the content of pve-ssl.crt with pve.mynetwork.crt
  • Restart pve proxy: systemctl restart pveproxy
4) Add mynetwork-ca.crt to the trusted root authorities of macOS on my MacBook Pro


I did the same on PBS, replacing proxy.key and proxy.pem in /etc/proxmox-backup and restarting the GUI with systemctl restart proxmox-backup-proxy.service. Remember to update the PBS fingerprint in the PVE storage configuration entry for PBS.
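The ERR_SSL_KEY_USAGE_INCOMPATIBLE error above comes from a keyUsage that lacks digitalSignature: an ECDHE (TLS 1.2) or TLS 1.3 handshake signs the key exchange with the server key, so a certificate restricted to keyEncipherment,dataEncipherment is rejected by the browser. Commenting the extension out works, but keeping it with digitalSignature is the cleaner fix. The script below is an added example, not code from this thread or from Proxmox: it builds a private CA and two leaf certificates from the same CSR, one with a correct keyUsage and one mirroring the commented-out line, then runs the pre-flight checks a practitioner would want before copying anything into /etc/pve or /etc/proxmox-backup (chain validation, key/cert match, SAN present, digitalSignature present, and the SHA-256 fingerprint that a PVE storage entry pins for PBS). The work directory, CA name, hostname and IP are constructed demo values, and the `openssl x509 -ext` option requires OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the thread: issue a server certificate from a private
# CA and gate it with the checks a browser or PBS fingerprint validation will
# apply. Work dir, CA name, hostname and IP are constructed demo values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="pve.example.test"
SAN_IP="192.0.2.10"

write_conf() {
  # CA section: basicConstraints is what makes `openssl verify` accept it as a root.
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = ca_dn
x509_extensions = v3_ca
[ ca_dn ]
CN = demo-ca
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Server config with two extension sections: v3_srv carries the keyUsage an
  # ECDHE/TLS 1.3 handshake needs (digitalSignature); v3_nosig mirrors the
  # keyEncipherment,dataEncipherment line the thread ended up commenting out.
  cat > "$WORK/server.cnf" <<EOF
[ req ]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = $HOST
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $HOST
IP.1 = $SAN_IP
[ v3_srv ]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ v3_nosig ]
basicConstraints = CA:FALSE
keyUsage = keyEncipherment, dataEncipherment
subjectAltName = @alt_names
EOF
}

make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORK/ca.key" -config "$WORK/ca.cnf" \
    -days 3650 -out "$WORK/ca.crt" 2>/dev/null
}

# issue_leaf <extensions-section> <name>: key + CSR + CA-signed cert as $WORK/<name>.*
issue_leaf() {
  openssl genrsa -out "$WORK/$2.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$2.key" -config "$WORK/server.cnf" \
    -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extensions "$1" -extfile "$WORK/server.cnf" \
    -out "$WORK/$2.crt" 2>/dev/null
}

# Pre-flight checks; each returns 0 on success so they can gate a deployment.
check_chain()       { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }
check_key_matches() { [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]; }
check_san()         { openssl x509 -in "$1" -noout -ext subjectAltName | grep -q "DNS:$HOST"; }
check_key_usage()   { openssl x509 -in "$1" -noout -ext keyUsage | grep -q 'Digital Signature'; }

# SHA-256 fingerprint of the leaf: the value a PVE storage entry pins for PBS.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }

# Build everything; returns 0 only if the good cert passes every check and the
# digitalSignature-less one is caught by check_key_usage.
demo() {
  write_conf
  make_ca
  issue_leaf v3_srv good
  issue_leaf v3_nosig nosig
  check_chain "$WORK/good.crt" && check_key_matches "$WORK/good.crt" "$WORK/good.key" \
    && check_san "$WORK/good.crt" && check_key_usage "$WORK/good.crt" \
    && ! check_key_usage "$WORK/nosig.crt"
}
```

Run `demo && fingerprint "$WORK/good.crt"` to get a certificate that passes all checks plus the fingerprint to enter in the PVE storage entry. Only the leaf certificate goes into the proxy's certificate file (PVE keeps the pair as pve-ssl.pem and pve-ssl.key under /etc/pve/local, PBS as proxy.pem and proxy.key under /etc/proxmox-backup); the CA certificate is what gets imported into the client's trust store, and `check_key_matches` is the check that catches the key/cert mismatch that otherwise leaves pveproxy unreachable.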
 
@Preston L. Bannister I've updated step 3): there is no need to upload the cert + root CA cert as pve-ssl.crt, so I've simply uploaded the cert. For PVE it was not an issue, BTW, but it was an issue on PBS, because returning the full chain made the fingerprint validation fail. As a workaround I previously had to install the mynetwork-CA.crt file in /usr/local/share/ca-certificates/ and run update-ca-certificates on PVE to make OpenSSL validation of the PBS certificate work without needing the fingerprint validation (otherwise both OpenSSL and fingerprint validation failed).
 