Use EC cert for web interface

monkfish

Hello,
Can I ask if it's possible to use an EC cert rather than RSA for the web interface?
The private key contains BEGIN and END EC PARAMETERS directives which the web interface rejects, so

Code:
-----BEGIN EC PARAMETERS-----
<parameters redacted>
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
<key redacted>
-----END EC PRIVATE KEY-----

Manually overwriting /etc/pve/pveproxy-ssl.key and /etc/pve/pveproxy-ssl.pem fails to work - upon restarting pveproxy nothing is served to the browser.
Can anybody advise what I might be doing wrong or whether EC certs aren't in fact supported?
Grateful for any assistance to get this operational

monk

Other info:
Code:
pveversion -v
proxmox-ve: 6.1-2 (running kernel: 5.3.13-1-pve)
pve-manager: 6.1-5 (running version: 6.1-5/9bf06119)
pve-kernel-5.3: 6.1-1
pve-kernel-helper: 6.1-1
pve-kernel-5.3.13-1-pve: 5.3.13-1
pve-kernel-5.3.10-1-pve: 5.3.10-1
ceph-fuse: 12.2.11+dfsg1-2.1+b1
corosync: 3.0.2-pve4
criu: 3.11-3
glusterfs-client: 5.5-3
ifupdown: 0.8.35+pve1
ksm-control-daemon: 1.3-1
libjs-extjs: 6.0.1-10
libknet1: 1.13-pve1
libpve-access-control: 6.0-5
libpve-apiclient-perl: 3.0-2
libpve-common-perl: 6.0-9
libpve-guest-common-perl: 3.0-3
libpve-http-server-perl: 3.0-3
libpve-storage-perl: 6.1-3
libqb0: 1.0.5-1
libspice-server1: 0.14.2-4~pve6+1
lvm2: 2.03.02-pve3
lxc-pve: 3.2.1-1
lxcfs: 3.0.3-pve60
novnc-pve: 1.1.0-1
openvswitch-switch: 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u1
proxmox-mini-journalreader: 1.1-1
proxmox-widget-toolkit: 2.1-1
pve-cluster: 6.1-2
pve-container: 3.0-15
pve-docs: 6.1-3
pve-edk2-firmware: 2.20191127-1
pve-firewall: 4.0-9
pve-firmware: 3.0-4
pve-ha-manager: 3.0-8
pve-i18n: 2.0-3
pve-qemu-kvm: 4.1.1-2
pve-xtermjs: 3.13.2-1
qemu-server: 6.1-4
smartmontools: 7.0-pve2
spiceterm: 3.1-1
vncterm: 1.6-1
zfsutils-linux: 0.8.2-pve2

Edit: correct filenames used.
 
Hello Proxmox gurus, can I give this one a bump for consideration please?
Am I doing something wrong trying to use an EC-based certificate, or can we only use RSA at this moment in time?
Grateful for thoughts

Kindest regards
monk
 
uploading via the GUI/API fails (please file a bug at https://bugzilla.proxmox.com). manually copying the key and cert to /etc/pve/local/pveproxy-ssl.key/.pem works just fine though (used prime256v1 and ecDSA). could you provide details about your configuration?
 
Hi Fabian, thank you for your reply
Same as you - prime256v1 with ecDSA however pleased to report now working, may have been spurious line space or similar particularly when constructing .pem file.

uploading via the GUI/API fails (please file a bug ...)
Will do thanks for confirming it fails.

manually copying the key and cert to /etc/pve/local/pveproxy-ssl.key/.pem works just fine though

So I went back through manual copy steps, with .key and .pem files accordingly. Ensured all entries in the chain were present - ordered cert first then intermediate then issuer. Checked for spurious line breaks or extra characters. Finally checked file permissions weren't insane (not sure if pveproxy makes any validation on file perms).
Happy to report interface starts correctly so absolutely must have been a typo my side, stupidly across all three nodes! Fully operational with brand spanking new modern EC cert.

Grateful for your reply and I'll file that bug report on GUI

Kindest regards

monk
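
The file checks described in the post above (stray line breaks or extra characters in the .key and .pem files, and whether the key file carries an EC PARAMETERS block), as an added example that is not part of the original thread and not Proxmox code. The function name `lint_pem` and all sample data are assumptions made for illustration; the sample blocks are constructed placeholder bytes, not real key or certificate material.

```python
import base64
import re

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")

def lint_pem(text, allowed_labels):
    """Return (block labels in file order, list of problems) for PEM text."""
    labels, problems, current, body = [], [], None, []
    if "\r" in text:
        problems.append("CR characters (Windows line endings)")
    for n, line in enumerate(text.splitlines(), 1):
        begin, end = BEGIN.match(line), END.match(line)
        if current is None:
            if begin:
                current, body = begin.group(1), []
            elif line.strip():  # also catches an indented BEGIN header
                problems.append(f"line {n}: text outside a PEM block")
        elif end:
            if end.group(1) != current:
                problems.append(f"line {n}: END {end.group(1)} closes BEGIN {current}")
            try:
                base64.b64decode("".join(body), validate=True)
            except ValueError:
                problems.append(f"line {n}: {current} body is not valid base64")
            if current not in allowed_labels:
                problems.append(f"line {n}: unexpected {current} block")
            labels.append(current)
            current = None
        elif not line or line != line.strip():
            problems.append(f"line {n}: blank or padded line inside {current}")
        else:
            body.append(line)
    if current is not None:
        problems.append(f"BEGIN {current} is never closed")
    return labels, problems

def _block(label, raw):
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed samples: same block layout as the key in the first post.
KEY = _block("EC PARAMETERS", b"params") + _block("EC PRIVATE KEY", b"k" * 48)
CHAIN = _block("CERTIFICATE", b"leaf" * 12) + _block("CERTIFICATE", b"intermediate" * 4)
BROKEN = CHAIN.replace("\n-----END", "\n\n-----END", 1) + "x\n"

if __name__ == "__main__":
    for name, text, ok in [("key", KEY, {"EC PRIVATE KEY"}),
                           ("chain", BROKEN, {"CERTIFICATE"})]:
        print(name, *lint_pem(text, ok), sep="\n  ")
```

This checks file structure only; chain order and whether the certificate matches the key need an X.509 parser such as `openssl x509`.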
 