Web GUI not working after messing with SSL certs


Renowned Member
May 12, 2014
Portland, Oregon, United States
i was messing around and uploaded my SSL certs, and then restarted the pveproxy like it said to do..

PVE Version
pve-manager/5.3-5/97ae681d (running kernel: 4.15.18-9-pve)

and now the webGUI is just refusing connection..

ss -tlpn

LISTEN    0           128                 *         users:(("pveproxy worker",pid=29542,fd=6),("pveproxy worker",pid=29541,fd=6),("pveproxy worker",pid=29540,fd=6),("pveproxy",pid=29539,fd=6))
LISTEN    0           128                 *         users:(("sshd",pid=1854,fd=5))
LISTEN    0           128                  *         users:(("rpcbind",pid=1195,fd=8))
LISTEN    0           128                 *         users:(("pvedaemon worke",pid=25086,fd=6),("pvedaemon worke",pid=24577,fd=6),("pvedaemon worke",pid=23049,fd=6),("pvedaemon",pid=2263,fd=6))
LISTEN    0           128                   *         users:(("sshd",pid=1854,fd=3))
LISTEN    0           128                 *         users:(("spiceproxy work",pid=12297,fd=6),("spiceproxy",pid=2347,fd=6))
LISTEN    0           100                 *         users:(("master",pid=2171,fd=13))
LISTEN    0           128                        [::]:6342                   [::]:*         users:(("sshd",pid=1854,fd=6))
LISTEN    0           128                        [::]:111                    [::]:*         users:(("rpcbind",pid=1195,fd=11))
LISTEN    0           128                        [::]:22                     [::]:*         users:(("sshd",pid=1854,fd=4))
LISTEN    0           100                       [::1]:25                     [::]:*         users:(("master",pid=2171,fd=14))

i have tried this:

Revert to default configuration
If you have used the previous HowTo and replaced any of the certificate or key files generated by PVE, you need to revert to the default state before proceeding.

Delete or move the following files:

  • /etc/pve/pve-root-ca.pem
  • /etc/pve/priv/pve-root-ca.key
  • /etc/pve/nodes/<node>/pve-ssl.pem
  • /etc/pve/nodes/<node>/pve-ssl.key
The latter two need to be repeated for all nodes if you have a cluster.

Afterwards, run the following command on each node of the cluster to re-generate the certificates and keys:
pvecm updatecerts -f

and nothing has worked......
dont want to restart host machine as i dont want to get locked out.. but will try that as a last option if needed. all VM's are running, and working fine, and i have SSH access as well still.

pveproxy is running error free..
root@loki:~# service pveproxy status
● pveproxy.service - PVE API Proxy Server
   Loaded: loaded (/lib/systemd/system/pveproxy.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-01-27 02:42:32 PST; 18min ago
  Process: 29512 ExecStop=/usr/bin/pveproxy stop (code=exited, status=0/SUCCESS)
  Process: 26173 ExecReload=/usr/bin/pveproxy restart (code=exited, status=0/SUCCESS)
  Process: 29516 ExecStart=/usr/bin/pveproxy start (code=exited, status=0/SUCCESS)
 Main PID: 29539 (pveproxy)
    Tasks: 4 (limit: 4915)
   Memory: 120.8M
      CPU: 848ms
   CGroup: /system.slice/pveproxy.service
           ├─29539 pveproxy
           ├─29540 pveproxy worker
           ├─29541 pveproxy worker
           └─29542 pveproxy worker

Jan 27 02:42:32 loki systemd[1]: Starting PVE API Proxy Server...
Jan 27 02:42:32 loki pveproxy[29516]: Using '/etc/pve/local/pveproxy-ssl.pem' as certificate for the web interface.
Jan 27 02:42:32 loki pveproxy[29539]: starting server
Jan 27 02:42:32 loki pveproxy[29539]: starting 3 worker(s)
Jan 27 02:42:32 loki pveproxy[29539]: worker 29540 started
Jan 27 02:42:32 loki pveproxy[29539]: worker 29541 started
Jan 27 02:42:32 loki pveproxy[29539]: worker 29542 started
Jan 27 02:42:32 loki systemd[1]: Started PVE API Proxy Server.

any help would be awesome.
Last edited:
* Check the logs while you're trying to connect (let `journalctl -f` run in parallel, as well as `tail -f /var/log/pveproxy/*log`)
* Connection refused could also be due to a REJECT rule (or a firewall in between) - check `iptables -nvL`
* just to be sure - you're connecting to `https://pve.node.name:8006`


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!