Web GUI not available after uploading certs

[Artanis]

Hey guys,

Yesterday I have installed a brand new Proxmox VE (5.3) on a small HP server.
I configured the local firewall to enable remote access for me remotely. Everything went well until this morning..I wanted to upload a LE certificate. The GUI told me that the proxy will restart now, please reload a GUI..I did and since then the web GUI is inaccessible at https://<ip-address>:8006

I've found this link https://pve.proxmox.com/wiki/HTTPS_..._5.0_and_5.1)#Revert_to_default_configuration

and I followed the steps under "Revert to default configuration", restarted the pveproxy service but no luck, I still see the "Secure Connection Failed" message in Firefox. I even rebooted the entire server but still...

pveproxy.service is running and is listening on port 8006:

root@pve:~# netstat -tulpn | grep 8006
tcp        0      0 0.0.0.0:8006            0.0.0.0:*               LISTEN      3021/pveproxy

SSH ofcourse works perfectly, only the web GUI is unreachable. What now?

(The server itself is ~60 miles away from me so if it's really necessary I can go there but I would appreciate if you guys could tell me how to solve it through SSH)

 

[oguz]

and I followed the steps under "Revert to default configuration", restarted the pveproxy service but no luck, I still see the "Secure Connection Failed" message in Firefox. I even rebooted the entire server but still...

After following the steps on the link you sent, a new certificate will be generated, thus you need to accept the security warning and add it as an exception.

How did you upload your LE certificate exactly?

 

[Artanis]

After following the steps on the link you sent, a new certificate will be generated, thus you need to accept the security warning and add it as an exception.

How did you upload your LE certificate exactly?

Yeah, I know I have to accept the security warning but I don't get this warning anymore...

I uploaded the cert under the 'Certificates' menu entry and entered the privatekey and chain files contents into the 2 input fields as I remember..
I admit, it was a mistake but I still don't understand why it fails to connect after resetting the certs on the server manually.

 

[oguz]

I uploaded the cert under the 'Certificates' menu entry and entered the privatekey and chain files contents into the 2 input fields as I remember..

For Let's Encrypt, use the ACME section on the same page.

If you're having trouble using the GUI still, you can do it over SSH as well. Following link has instructions:
https://pve.proxmox.com/wiki/Certificate_Management

 

[Artanis]

For Let's Encrypt, use the ACME section on the same page.

If you're having trouble using the GUI still, you can do it over SSH as well. Following link has instructions:
https://pve.proxmox.com/wiki/Certificate_Management

Well..in the meantime I realized that I won't need to access the pve gui via hostname, publiciport would be perfect. The entire infrastructure is behind one single budget router (I hate customers like these..whatever..) Is there any way to fix it without a total reinstall? There are already some VMs installed on the host..

 

[oguz]

Is there any way to fix it without a total reinstall? There are already some VMs installed on the host..

Fix what exactly? After running

pvecm updatecerts -f

the server will generate a new self-signed certificate, and it should work after accepting the security exception. That's how you accessed the server for the first time as well, isn't it?

 

[Artanis]

Fix what exactly? After running

pvecm updatecerts -f

the server will generate a new self-signed certificate, and it should work after accepting the security exception. That's how you accessed the server for the first time as well, isn't it?

Yes, that's how I accessed the server for first time and after issuing the command above I expected that it would happen again.
After issuing the command above I see the following message in firefox, even on other PC's in other networks so it's probably not a cache problem or something like that.


The connection to <ip_address>:8006 was interrupted while the page was loading.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

 

[oguz]

Try the following commands and post the outputs please. They might help diagnose your issue.

curl -k https://{IP}:8006
openssl s_client -connect {IP}:8006 -showcerts

 

[Artanis]

Try the following commands and post the outputs please. They might help diagnose your issue.

curl -k https://{IP}:8006
openssl s_client -connect {IP}:8006 -showcerts

[root@proxy01 ~]# curl -k https://192.168.1.163:8006
curl: (35) Encountered end of file

[root@proxy01 ~]# openssl s_client -connect 192.168.1.163:8006 -showcerts
CONNECTED(00000003)
140674883745680:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1550747987
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

 

[Artanis]

[SOLVED]

Got in the car, went to the server and reinstalled it from scratch. Thanks for your time and effort!

Lesson learned.

 

[bobzer]

hi,
i got the same problem
i did pvecm updatecerts -f that didn't fixe the problem

# openssl s_client -connect 192.10.20.200:8006 -showcerts                                                                                                                                                     
CONNECTED(00000003)                                                                                                                                                                                                                 
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1565682166
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

hope you can help me

 

[Artanis]

hi,
i got the same problem
i did pvecm updatecerts -f that didn't fixe the problem

# openssl s_client -connect 192.10.20.200:8006 -showcerts                                                                                                                                                    
CONNECTED(00000003)                                                                                                                                                                                                                
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1565682166
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

hope you can help me

As you can see in my previous post I was not able to solve the problem so I just re-installed the server as it was brand new and had nothing to lose.
I stopped f.cking around with pve cert management and since then we can reach pve thorugh an external nginx proxy. I'm pretty sure it's possible to fix it but I was in a hurry.

 

[bobzer]

i understand but mine isn't brand new and i would avoid reinstall everythings
also i'm on proxmox 6.0 so up to date
that's me sadly this kind of problem is not fix this is so weird

 

[bobzer]

if it can help that's strange isn't it ?

$ curl -k https://192.10.20.200:8006
curl: (35) Unknown SSL protocol error in connection to 192.10.20.200:8006

i tried : https://pve.proxmox.com/wiki/HTTPS_..._5.0_and_5.1)#Revert_to_default_configuration

but it didn't works

so I delete pveproxy-ssl.*
regenerate the certificate with:
pvecm updatecerts -f
the restart and it finally works

 

[bensode]

https://pve.proxmox.com/wiki/HTTPS_..._5.0_and_5.1)#Revert_to_default_configuration

but it didn't works

so I delete pveproxy-ssl.*
regenerate the certificate with:
pvecm updatecerts -f
the restart and it finally works

That wiki should be updated to reflect that at least for v6.0.5. I ran into the same issue that the wiki suggests to only remove pve-ssl.pem and pve-ssl.key but removing the pveproxy-ssl.* files did the trick!

 

[tom]

That wiki should be updated to reflect that at least for v6.0.5

This wiki is outdated and the link to the current version is already on the top of the page.

 

[bensode]

This wiki is outdated and the link to the current version is already on the top of the page.

Wow ... I totally glossed over that! The new method is much simpler thanks!

 

[furfix]

if it can help that's strange isn't it ?

$ curl -k https://192.10.20.200:8006
curl: (35) Unknown SSL protocol error in connection to 192.10.20.200:8006

i tried : https://pve.proxmox.com/wiki/HTTPS_..._5.0_and_5.1)#Revert_to_default_configuration

but it didn't works

so I delete pveproxy-ssl.*
regenerate the certificate with:
pvecm updatecerts -f
the restart and it finally works

I log in, just to say thanks. My heart skipped a bit for a second after not being able to get access to the GUI anymore. Your help did the trick. Thanks!