VM Not Starting - SSL Error

SteveAllen

Hello All

I have recently become more involved in a Proxmox cluster setup that has been running for a few years.

Today I made sure both servers have the latest updates installed for version 4.4. (I've not looked into 5 yet.)

When I restarted the Proxmox servers, I ran into a problem with one of the VMs not starting.

Below is the message in the log for starting the VM.

Code:
kvm: -vnc unix:/var/run/qemu-server/1025.vnc,x509,password: Failed to start VNC server: Our own certificate /etc/pve/local/pve-ssl.pem failed validation against /etc/pve/pve-root-ca.pem: The certificate hasn't got a known issuer
TASK ERROR: start failed: command '/usr/bin/kvm -id 1025 -chardev 'socket,id=qmp,path=/var/run/qemu-server/1025.qmp,server,nowait' -mon 'chardev=qmp,mode=control' -pidfile /var/run/qemu-server/1025.pid -daemonize -smbios 'type=1,uuid=43cea79f-c425-4563-9061-86b653970eb9' -name SRVSYSHULL -smp '4,sockets=2,cores=2,maxcpus=4' -nodefaults -boot 'menu=on,strict=on,reboot-timeout=1000,splash=/usr/share/qemu-server/bootsplash.jpg' -vga std -vnc unix:/var/run/qemu-server/1025.vnc,x509,password -no-hpet -cpu 'kvm64,+lahf_lm,+sep,+kvm_pv_unhalt,+kvm_pv_eoi,hv_spinlocks=0x1fff,hv_vapic,hv_time,hv_reset,hv_vpindex,hv_runtime,hv_relaxed,enforce' -m 8192 -k en-gb -device 'pci-bridge,id=pci.1,chassis_nr=1,bus=pci.0,addr=0x1e' -device 'pci-bridge,id=pci.2,chassis_nr=2,bus=pci.0,addr=0x1f' -device 'piix3-usb-uhci,id=uhci,bus=pci.0,addr=0x1.0x2' -device 'usb-tablet,id=tablet,bus=uhci.0,port=1' -device 'virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3' -iscsi 'initiator-name=iqn.1993-08.org.debian:01:3dfc71ccea58' -drive 'if=none,id=drive-ide2,media=cdrom,aio=threads' -device 'ide-cd,bus=ide.1,unit=0,drive=drive-ide2,id=ide2,bootindex=200' -drive 'file=/var/lib/vz/images/1025/vm-1025-disk-1.qcow2,if=none,id=drive-virtio0,cache=writeback,format=qcow2,aio=threads,detect-zeroes=on' -device 'virtio-blk-pci,drive=drive-virtio0,id=virtio0,bus=pci.0,addr=0xa,bootindex=100' -netdev 'type=tap,id=net0,ifname=tap1025i0,script=/var/lib/qemu-server/pve-bridge,downscript=/var/lib/qemu-server/pve-bridgedown,vhost=on' -device 'virtio-net-pci,mac=62:35:39:36:39:38,netdev=net0,bus=pci.0,addr=0x12,id=net0,bootindex=300' -rtc 'driftfix=slew,base=localtime' -global 'kvm-pit.lost_tick_policy=discard'' failed: exit code 1

I asked a member of staff if this is something we have come across before and they informed me of a workaround we have used before:

The workaround is as follows:

Code:
cd /etc/pve/nodes/proxhq02

sudo cp pve-ssl.key.original pve-ssl.key
sudo cp pve-ssl.pem.original pve-ssl.pem
sudo service pveproxy restart

sudo qm start 9046

sudo cp pve-ssl.key.new pve-ssl.key
sudo cp pve-ssl.pem.new pve-ssl.pem
sudo service pveproxy restart

From what I understand, the workaround just sets the Proxmox SSL certificates to the original self-signed certificates. This allows the VM to be started because the VM was created when the self-signed certificates were in use. The problem comes from us installing our own certificate at a later date so we can browse to the web GUI with no errors.

Going forward I would like to just use our own certificates rather than using this workaround.

Version below for reference:
Code:
proxmox-ve: 4.4-92 (running kernel: 4.4.67-1-pve)
pve-manager: 4.4-15 (running version: 4.4-15/7599e35a)
pve-kernel-4.4.35-1-pve: 4.4.35-77
pve-kernel-4.2.6-1-pve: 4.2.6-36
pve-kernel-4.4.21-1-pve: 4.4.21-71
pve-kernel-4.4.67-1-pve: 4.4.67-92
pve-kernel-4.4.40-1-pve: 4.4.40-82
lvm2: 2.02.116-pve3
corosync-pve: 2.4.2-2~pve4+1
libqb0: 1.0.1-1
pve-cluster: 4.0-52
qemu-server: 4.0-110
pve-firmware: 1.1-11
libpve-common-perl: 4.0-95
libpve-access-control: 4.0-23
libpve-storage-perl: 4.0-76
pve-libspice-server1: 0.12.8-2
vncterm: 1.3-2
pve-docs: 4.4-4
pve-qemu-kvm: 2.7.1-4
pve-container: 1.0-101
pve-firewall: 2.0-33
pve-ha-manager: 1.0-41
ksm-control-daemon: 1.2-1
glusterfs-client: 3.5.2-2+deb8u3
lxc-pve: 2.0.7-4
lxcfs: 2.0.6-pve1
criu: 1.6.0-1
novnc-pve: 0.5-9
smartmontools: 6.5+svn4324-1~pve80
zfsutils: 0.6.5.9-pve15~bpo80

Is it possible for me to update the VM to be able to start with the new certificate?

Thanks for any input.

Steve
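
The kvm error in the post above reports that pve-ssl.pem does not chain to pve-root-ca.pem. The script below is an added example, not part of the original thread: it runs that chain check with `openssl verify`, and it includes generators for a throwaway CA and leaf so the check can be tried offline. The function names and the constructed certificates are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): does CERT chain to the CA in CAFILE?
# On the node in the post the two files are /etc/pve/local/pve-ssl.pem and
# /etc/pve/pve-root-ca.pem (paths taken from the kvm error message).

# check_chain CERT CAFILE -> prints "trusted" or "untrusted"; exit status matches.
check_chain() {
    empty=$(mktemp -d)   # empty CApath so the system trust store is not consulted
    out=$(openssl verify -CApath "$empty" -CAfile "$2" "$1" 2>/dev/null) && rc=0 || rc=$?
    rmdir "$empty"
    # Older openssl builds can exit 0 on failure, so also require the "OK" line.
    case "$out" in *": OK") ;; *) rc=1 ;; esac
    if [ "$rc" -eq 0 ]; then echo trusted; else echo untrusted; return 1; fi
}

# describe CERT -> subject and issuer lines, to see who actually signed it.
describe() { openssl x509 -noout -subject -issuer -in "$1"; }

# --- constructed test PKI (hypothetical names, throwaway keys) ---
mk_ca() {   # mk_ca DIR NAME : self-signed CA certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}
mk_leaf() { # mk_leaf DIR NAME CA : leaf certificate signed by CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -days 2 -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial -out "$1/$2.pem" 2>/dev/null
}

# With two arguments, check real files: ./check.sh CERT CAFILE
if [ "$#" -eq 2 ]; then
    describe "$1"
    check_chain "$1" "$2"
fi
```

A leaf signed by a different CA than the one in CAFILE reports `untrusted`, which is the situation the error message describes.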
 
Thank you for your quick response.

If I follow the wiki page will it cause any downtime to the VMs?

For example, if I run: "pvecm updatecerts -f" will that interrupt the VMs with the certificate error?

No, running guests are not affected / modified at all.
 
