Web GUI not available after uploading certs

Artanis

Member
Feb 21, 2019
7
0
6
Hey guys,

Yesterday I have installed a brand new Proxmox VE (5.3) on a small HP server.
I configured the local firewall to enable remote access for me remotely. Everything went well until this morning..I wanted to upload a LE certificate. The GUI told me that the proxy will restart now, please reload a GUI..I did and since then the web GUI is inaccessible at https://<ip-address>:8006

I've found this link https://pve.proxmox.com/wiki/HTTPS_..._5.0_and_5.1)#Revert_to_default_configuration

and I followed the steps under "Revert to default configuration", restarted the pveproxy service but no luck, I still see the "Secure Connection Failed" message in Firefox. I even rebooted the entire server but still...

pveproxy.service is running and is listening on port 8006:

Code:
root@pve:~# netstat -tulpn | grep 8006
tcp        0      0 0.0.0.0:8006            0.0.0.0:*               LISTEN      3021/pveproxy


SSH ofcourse works perfectly, only the web GUI is unreachable. What now?

(The server itself is ~60 miles away from me so if it's really necessary I can go there but I would appreciate if you guys could tell me how to solve it through SSH)
 
and I followed the steps under "Revert to default configuration", restarted the pveproxy service but no luck, I still see the "Secure Connection Failed" message in Firefox. I even rebooted the entire server but still...

After following the steps on the link you sent, a new certificate will be generated, thus you need to accept the security warning and add it as an exception.

How did you upload your LE certificate exactly?
 
After following the steps on the link you sent, a new certificate will be generated, thus you need to accept the security warning and add it as an exception.

How did you upload your LE certificate exactly?

Yeah, I know I have to accept the security warning but I don't get this warning anymore...

I uploaded the cert under the 'Certificates' menu entry and entered the privatekey and chain files contents into the 2 input fields as I remember..
I admit, it was a mistake but I still don't understand why it fails to connect after resetting the certs on the server manually.
 
For Let's Encrypt, use the ACME section on the same page.

If you're having trouble using the GUI still, you can do it over SSH as well. Following link has instructions:
https://pve.proxmox.com/wiki/Certificate_Management

Well..in the meantime I realized that I won't need to access the pve gui via hostname, publicip:port would be perfect. The entire infrastructure is behind one single budget router (I hate customers like these..whatever..) Is there any way to fix it without a total reinstall? There are already some VMs installed on the host..
 
Is there any way to fix it without a total reinstall? There are already some VMs installed on the host..

Fix what exactly? After running
Code:
pvecm updatecerts -f
the server will generate a new self-signed certificate, and it should work after accepting the security exception. That's how you accessed the server for the first time as well, isn't it?
 
Fix what exactly? After running
Code:
pvecm updatecerts -f
the server will generate a new self-signed certificate, and it should work after accepting the security exception. That's how you accessed the server for the first time as well, isn't it?

Yes, that's how I accessed the server for first time and after issuing the command above I expected that it would happen again.
After issuing the command above I see the following message in firefox, even on other PC's in other networks so it's probably not a cache problem or something like that.


The connection to <ip_address>:8006 was interrupted while the page was loading.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
 
Try the following commands and post the outputs please. They might help diagnose your issue.

Code:
curl -k https://{IP}:8006
openssl s_client -connect {IP}:8006 -showcerts
 
Try the following commands and post the outputs please. They might help diagnose your issue.

Code:
curl -k https://{IP}:8006
openssl s_client -connect {IP}:8006 -showcerts

Code:
[root@proxy01 ~]# curl -k https://192.168.1.163:8006
curl: (35) Encountered end of file

[root@proxy01 ~]# openssl s_client -connect 192.168.1.163:8006 -showcerts
CONNECTED(00000003)
140674883745680:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1550747987
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
 
[SOLVED]

Got in the car, went to the server and reinstalled it from scratch. Thanks for your time and effort!

Lesson learned. :D
 
hi,
i got the same problem
i did pvecm updatecerts -f that didn't fixe the problem

Code:
# openssl s_client -connect 192.10.20.200:8006 -showcerts                                                                                                                                                     
CONNECTED(00000003)                                                                                                                                                                                                                 
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1565682166
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

hope you can help me
 
hi,
i got the same problem
i did pvecm updatecerts -f that didn't fixe the problem

Code:
# openssl s_client -connect 192.10.20.200:8006 -showcerts                                                                                                                                                    
CONNECTED(00000003)                                                                                                                                                                                                                
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1565682166
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

hope you can help me

As you can see in my previous post I was not able to solve the problem so I just re-installed the server as it was brand new and had nothing to lose.
I stopped f.cking around with pve cert management and since then we can reach pve thorugh an external nginx proxy. I'm pretty sure it's possible to fix it but I was in a hurry.
 
i understand but mine isn't brand new and i would avoid reinstall everythings
also i'm on proxmox 6.0 so up to date
that's me sadly this kind of problem is not fix this is so weird
 
Last edited:
  • Like
Reactions: boilami and bensode
That wiki should be updated to reflect that at least for v6.0.5

This wiki is outdated and the link to the current version is already on the top of the page.
 
  • Like
Reactions: bensode
if it can help that's strange isn't it ?
Code:
$ curl -k https://192.10.20.200:8006
curl: (35) Unknown SSL protocol error in connection to 192.10.20.200:8006

i tried : https://pve.proxmox.com/wiki/HTTPS_..._5.0_and_5.1)#Revert_to_default_configuration

but it didn't works

so I delete pveproxy-ssl.*
regenerate the certificate with:
pvecm updatecerts -f
the restart and it finally works
I log in, just to say thanks. My heart skipped a bit for a second after not being able to get access to the GUI anymore. Your help did the trick. Thanks!
 
  • Like
Reactions: bobzer

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!