Use custom certs for the VE WebGUI

svilen

Nov 24, 2020
Hello,

I'm trying to get my environment to use custom certs for the VE GUI, but I can not get it to work.
I follow the instructions, but I get the following error:

veproxy[16723]: /etc/pve/local/pveproxy-ssl.pem: failed to use local certificate chain (cert_file or cert) at /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 1727.

The certificate is signed by my own CA.
I already tried adding the CA cert using update-ca-certificates, but it brings nothing.

What am I missing?
 
is the file in the correct format (PEM, certificates up to but excluding your CA's root certificate)? did you put the matching key into the pveproxy-ssl.key file ?
 
Yes and yes.
The certificate is signed directly from my custom CA, so no intermediate certificates.
The private key is also set.

What bothers me is the message, that the certificate chain could not be loaded.

I already used update-ca-certificates to add my custom CA cert. But I'm a Windows guy, so I am not sure if this is enough.
 
can you compare the file content with that of the self-signed certificate in /etc/pve/local/pve-ssl.pem ? e.g., is the header/footer line identical? does openssl x509 -in /etc/pve/local/pveproxy-ssl.pem -noout -text work?
 
Everything looks fine.
Even the hashes of the pveproxy-ssl.key and pveproxy-ssl.pem are identical.
Is it even supported to have certificates signed by a private CA?
 
hold on - what hashes? the only thing a certificate and the corresponding private RSA key share is the (public!) modulus and exponent

and yes, this is supported and in no way different than using one by a public CA.. something is wrong with your files ;)
 
I meant modulus :)

I've attached both files - it's a home lab environment, so it does not really matter, if anyone sees them.
 
my guess is that openssl does not like that the certificate is signed with MD5 instead of a more recent signature/hash algorithm.. (it also does not contain any of the usual web server usage extensions, or a proper CN / SAN for web server usage, but I think that should just cause it to fail at the client/browser end)
 
Thank you! My custom CA was signing everything with MD5... I changed it to SHA256 and it's working now..
 
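A pre-flight check for the two files discussed in this thread, as an added example (not from the forum or from Proxmox): it runs the same `openssl x509` parse fabian suggested, confirms that certificate and key carry the same public key (the modulus comparison from the thread, generalised to any key type), and flags an MD5 or SHA-1 signature, which OpenSSL refuses at its default security level and which is what produced the pveproxy error. The default paths are the Proxmox VE ones named in the thread; the function name is my own.

```shell
#!/bin/sh
# check_pveproxy_cert [cert.pem] [key.pem]
# Returns 0 when the pair looks loadable by pveproxy, 1 otherwise.
check_pveproxy_cert() {
    cert="${1:-/etc/pve/local/pveproxy-ssl.pem}"
    key="${2:-/etc/pve/local/pveproxy-ssl.key}"
    rc=0

    # 1. The file must be a parseable PEM X.509 certificate.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "FAIL: $cert is not a PEM X.509 certificate"
        return 1
    fi

    # 2. Certificate and private key must share the same public key.
    #    Hashing the DER-encoded public key works for RSA and EC keys alike;
    #    for RSA this is equivalent to comparing the modulus.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the public key in $cert"
        rc=1
    fi

    # 3. MD5 signatures are rejected by OpenSSL at its default security
    #    level (the error seen in the thread); OpenSSL 3 rejects SHA-1 too.
    sigalg=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case "$sigalg" in
        *md5*|*MD5*|*sha1*|*SHA1*)
            echo "FAIL: $cert is signed with $sigalg; re-issue it with SHA-256"
            rc=1 ;;
        *)
            echo "OK: signature algorithm $sigalg" ;;
    esac
    return "$rc"
}
```

Run it as root on the node after copying the files into place and before restarting pveproxy.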
