Where does this fingerprint come from?

simpsonetti

Sep 29, 2018
Hi, 2 clusters: one dev, one prod. I've an LXC on dev that I want to migrate to the prod cluster.
I did this several times. But I think not this year.
So I send my command:
qm remote-migrate 118 186 'apitoken=PVEAPIToken=user@AD8234979235795a63,host=172.16.21.34,fingerprint=right-FPasin/etc/pve/nodes/node/pve-ssl.pem' --target-bridge vmbr0 --target-storage LUN5_2 --online
and I get this:
fingerprint 'AD:5E:A2:70:DE:7F:83:04:6C:97:D3:35:F0:50:0F:F7:5D:E7:B6:64:38:83:37:62:08:07:87:DB:AE:0A:97:CB' not verified, abort!
That's strange, because I checked this and this FP is on none of our nodes, so where does it come from? The target 172.16.21.34 has the right FP.

** In addition: is there a place where scripts from the community for PVE are stored?

Regards.
 
qm remote-migrate 118 186 'apitoken=PVEAPIToken=user@AD8234979235795a63,host=172.16.21.34,fingerprint=right-FPasin/etc/pve/nodes/node/pve-ssl.pem' --target-bridge vmbr0 --target-storage LUN5_2 --online


I realize you are (probably) redacting stuff here, but just for the sake of clarity:

user@AD8234979235795a63
This target-endpoint must actually contain an exclamation mark between the <user@realm> & token=<secret>, as shown in man qm remote-migrate:
Code:
<target-endpoint>: apitoken=<PVEAPIToken=user@realm!token=SECRET> ,host=<ADDRESS> [,fingerprint=<FINGERPRINT>] [,port=<PORT>]
Yours has neither an exclamation mark nor a token=

As I've said, you probably redacted stuff, but for the sake of clarity, you could/should have done it something like this:
Code:
qm remote-migrate 118 186 'apitoken=PVEAPIToken=user@realm!token=AD8234979235795a63,host=172.16.21.34,fingerprint=right-FPasin/etc/pve/nodes/node/pve-ssl.pem' --target-bridge vmbr0 --target-storage LUN5_2 --online

Now on to your issue:

AFAIK, the response the command gave is the correct FP that should be used.

Please realize that the FP in /etc/pve/nodes/node/pve-ssl.pem is encoded. So to extract that FP, on the target host, you would probably use:
Code:
openssl x509 -fingerprint -sha256 -noout -in /etc/pve/nodes/<your_node_name>/pve-ssl.pem

To test if this FP is correct, try the migration with the FP the command outputted.

Alternatively, if you just want to test without actual migration, send the command again with that outputted FP but with the incorrect token.
So maybe:
Code:
qm remote-migrate 118 186 'apitoken=PVEAPIToken=user@realm!token=bogus_incorrect_token,host=172.16.21.34,fingerprint=outputted_fp_from_above_command' --target-bridge vmbr0 --target-storage LUN5_2 --online
If it responds with:
Code:
401 no such token 'token' for user 'root@pam'
You've got the correct FP.

Good luck.
 
Hi, yes I know, I've changed some values in my command here. For reading every pve-ssl.pem I've a script for reading these encoded FPs on every node of my cluster. And all of the FPs aren't the one that would be shown to me when I try to connect. It isn't the toek that is wrong, it's the FP.
Regards
 
It isn't the toek that is wrong, it's the FP.
You probably mean "token".
Please read my response again & you will see that I never said the token was wrong.

I gave you a way of checking if the FP the machine is giving you (output by your command) is the right one.

Something is probably getting lost in translation.

I've a script for reading these encoded FPs
You may be using the wrong encoder. Care to share that script?

The easiest way to check that FP on the node itself is with:
Code:
pvenode cert info

# then in the section under this line, you should see the correct FP:
filename       | pve-ssl.pem
---------------|---------------------
fingerprint    | XX:YY:ZZ:AA:BB.....
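As an added example (not code from this thread or from Proxmox), here is a Python equivalent of the openssl extraction in the earlier reply and of the "wrong encoder" point above: the SHA-256 fingerprint is taken over the DER bytes inside the PEM, not over the PEM text, and is printed in the colon-separated form that qm remote-migrate reports. The PEM below is a constructed stand-in whose body decodes to the bytes "abc", not a real pve-ssl.pem.

```python
import base64
import hashlib
import re

# Constructed stand-in for /etc/pve/nodes/<node>/pve-ssl.pem (not a real
# certificate): the base64 body "YWJj" decodes to the bytes b"abc".
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """DER bytes of the first certificate in a PEM file; the FP is hashed over these."""
    match = _PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def sha256_fingerprint(data: bytes) -> str:
    """Same format as 'openssl x509 -fingerprint -sha256': AA:BB:...:ZZ, uppercase."""
    digest = hashlib.sha256(data).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Drop an 'sha256 Fingerprint=' prefix, colons, spaces and case before comparing."""
    return re.sub(r"[^0-9a-fA-F]", "", fp.split("=", 1)[-1]).upper()


def fingerprints_match(reported: str, pem_text: str) -> bool:
    """True when the FP in the 'not verified, abort!' message belongs to this PEM."""
    expected = sha256_fingerprint(pem_to_der(pem_text))
    return normalize_fingerprint(reported) == normalize_fingerprint(expected)


def wrong_encoder_fingerprint(pem_text: str) -> str:
    """The usual scripting mistake: hashing the PEM text instead of the DER inside it."""
    return sha256_fingerprint(pem_text.encode())


if __name__ == "__main__":
    print("correct:", sha256_fingerprint(pem_to_der(SAMPLE_PEM)))
    print("wrong  :", wrong_encoder_fingerprint(SAMPLE_PEM))
```

To check a real node, pass the contents of its pve-ssl.pem and the FP from the abort message to fingerprints_match. Keep in mind that pveproxy serves /etc/pve/local/pveproxy-ssl.pem instead of pve-ssl.pem when a custom certificate is installed, so an FP that matches none of the nodes' pve-ssl.pem files is worth checking against that file as well.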
 
Using ~/.bash* ?
I would not do that on PVE. I don't know if this is linked to your issue, but see my post here. If you follow to the other linked post, you will see more than a few problems with that.
No, bash is the default shell.

But this can't be my problem with the wrong fingerprint. Even when I type this on the specific host, I get the right FP...