[SOLVED] Wrong IP in "Subject Alternative Names" section

Adrian W.

Dec 7, 2022
Hi,
I recently boldly tried to add an ACME account to my homelab that is not exposed to the internet and after trying to clean up the last few bits, I tried to reissue the Self Signed Certificate using:
Code:
pvecm updatecerts -f
As Described in the Documentation and in this Forum Post.

Issue is, after the whole Self Signed SSL thing working again, when I go to my standalone node > System > Certificates, I see a wrong IP next to my correct local DNS names.

Image of "Certificates" Page in the Web-UI:
The IP beginning with "78.xx.xx.xx" was one of my public IPs - this is the wrong one

Output of "pvenode cert info"
Code:
root@HSRV01:/usr/share/proxmox-acme# pvenode cert info
┌─────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────────┐
│ filename        │ pve-root-ca.pem                                                                                  │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ fingerprint     │ 34:C1:ED:F3:C1:DA:FD:0C:13:A2:CF:86:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ subject         │ /CN=Proxmox Virtual Environment/OU=f3099e27-2e98-4bfb-8baf-be16287120b2/O=PVE Cluster Manager CA │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ issuer          │ /CN=Proxmox Virtual Environment/OU=f3099e27-2e98-4bfb-8baf-be16287120b2/O=PVE Cluster Manager CA │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ notbefore       │ 2026-01-17 22:00:44                                                                              │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ notafter        │ 2036-01-15 22:00:44                                                                              │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ public-key-type │ rsaEncryption                                                                                    │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ public-key-bits │ 4096                                                                                             │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ san             │ []                                                                                               │
└─────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────────┐
│ filename        │ pve-ssl.pem                                                                                      │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ fingerprint     │ 8E:9A:86:75:F9:0B:2C:D1:FE:8C:78:63:19:32:CF:66:48:CC:06:0F:D4:90:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX  │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ subject         │ /OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=HSRV01.waessa.host                         │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ issuer          │ /CN=Proxmox Virtual Environment/OU=f3099e27-2e98-4bfb-8baf-be16287120b2/O=PVE Cluster Manager CA │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ notbefore       │ 2026-01-17 22:34:47                                                                              │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ notafter        │ 2028-01-17 22:34:47                                                                              │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ public-key-type │ rsaEncryption                                                                                    │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ public-key-bits │ 2048                                                                                             │
├─────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────┤
│ san             │ - 127.0.0.1                                                                                      │
│                 │ - 0000:0000:0000:0000:0000:0000:0000:0001                                                        │
│                 │ - localhost                                                                                      │
│                 │ - 78.XXX.XXX.XXX                                                                                    │
│                 │ - HSRVXXXX                                                                                         │
│                 │ - HSRVXXXX.domain.tld                                                                             │
└─────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────────┘

Note:
My hostname configs are all checked, my network config also doesn't show any sort of IP starting with "78.XXX" (checked in "/etc/network/interfaces"), and my corosync is not showing it either. "resolv.conf" is not showing anything suspicious either...

I used ACME with the Namecheap integration and as it seems, my public IP from somewhere. - I deleted the ACME Account, Challenge Plugin and so on in "Datacenter > ACME"

Did anybody else run into this so far? What can I do about it?
The worst thing is that I use this node in production and wanted to add it as the main node of a new cluster (with a total of 3 nodes); somehow, however, it picks this public IP instead of my local one (or the hostname)...

Any help appreciated

On my second node (not the one I need help with) I changed my local IP - this was resolvable by checking the hosts file, updating this one with the correct IP and then reissuing the certificate. I just don't get why Proxmox is trying to use my public IP that is shown nowhere else for the main node... It must be a setting somewhere I don't see right now
 
I found out something more:

in the .members file it shows the Following:
Code:
{
"nodename": "HSRVXXXX",
"version": 3,
"cluster": { "name": "HomeLab", "version": 1, "nodes": 1, "quorate": 1 },
"nodelist": {
  "HSRV01": { "id": 1, "online": 1, "ip": "78.XXX.XXX.XXX"}
  }
}

This makes me think there are still settings in some config... I recently edited the DNS config / hosts config because I read it could maybe help and overwrite... but it did not help... sadly.
 
OMG - Idk how I did it but these steps will 99% fix the local IP issues in your .members file or in the Subject Alternative Names of your pve-ssl.pem (self signed certificate)

1. Check hostname configs:
Code:
/etc/hosts
/etc/hostname

2. Check your pve cert config:
Code:
pvenode cert info

3. Check your network settings
Simply check the "Network" tab in your web UI

4. Be sure you removed the ACME entries in your "Datacenter > ACME" settings and under your node config under "<NODENAME> > Certificates > ACME"

And after all that is done, let's start re-issuing the Self Signed SSL Certificates.

!! WARNING !! You might get disconnected using the WebUI, so these steps should be done through SSH (PuTTY and similar) !! WARNING !!

Remove the SSL Keys:

Code:
rm /etc/pve/pve-root-ca.pem
rm /etc/pve/priv/pve-root-ca.key
rm /etc/pve/nodes/<NodeName>/pve-ssl.pem
rm /etc/pve/nodes/<NodeName>/pve-ssl.key

For most forum posts you now will regenerate, but in my case I needed to do one additional simple step that was key:

Code:
systemctl restart pve-cluster

After that, you can now issue the certificates:

Code:
pvecm updatecerts -f

That's it. Now everything is working again and I have the correct IPs shown everywhere.
I hope I can help somebody else than me.
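
A consistency check for the three places this thread inspects (the node IP in .members, the /etc/hosts entry, and the IP entries in the pve-ssl.pem SAN list), as an added example that is not part of the original posts or of Proxmox's own tooling. The node name pve1, the addresses and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. On a real node the inputs would be
# /etc/pve/.members, /etc/hosts and the output of:
#   openssl x509 -in /etc/pve/nodes/<NodeName>/pve-ssl.pem -noout -ext subjectAltName
# All data below is constructed (documentation address ranges, node "pve1").

members_ip() {  # $1 = .members file, $2 = node name -> IP recorded under "nodelist"
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*{.*\"ip\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

hosts_ip() {    # $1 = hosts file, $2 = host name -> first non-loopback IP mapped to it
    awk -v n="$2" '/^[[:space:]]*#/ {next}
        $1 !~ /^127\./ && $1 != "::1" { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$1"
}

san_ips() {     # $1 = file with openssl's subjectAltName text -> one SAN IP per line
    tr ',' '\n' < "$1" | sed -n 's/^[[:space:]]*IP Address:[[:space:]]*//p'
}

check_node() {  # $1 = .members, $2 = hosts, $3 = SAN text, $4 = node; returns 1 on mismatch
    want=$(hosts_ip "$2" "$4"); rc=0
    [ -n "$want" ] || { echo "no non-loopback hosts entry for $4"; return 1; }
    have=$(members_ip "$1" "$4")
    [ "$have" = "$want" ] || { echo ".members has $have, hosts has $want"; rc=1; }
    for ip in $(san_ips "$3"); do
        case "$ip" in
            127.*|0:0:0:0:0:0:0:1|::1|"$want") ;;          # loopback or the expected address
            *) echo "unexpected SAN IP $ip"; rc=1 ;;        # e.g. a stale public address
        esac
    done
    return $rc
}

# Constructed sample files: a stale state like the one in the thread, and the fixed state.
d=$(mktemp -d)
printf '127.0.0.1 localhost\n192.0.2.10 pve1.example.test pve1\n' > "$d/hosts"
printf '{\n"nodename": "pve1",\n"nodelist": {\n  "pve1": { "id": 1, "online": 1, "ip": "203.0.113.7"}\n  }\n}\n' > "$d/members.stale"
printf 'IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, DNS:localhost, IP Address:203.0.113.7, DNS:pve1\n' > "$d/san.stale"
sed 's/203\.0\.113\.7/192.0.2.10/' "$d/members.stale" > "$d/members.ok"
sed 's/203\.0\.113\.7/192.0.2.10/' "$d/san.stale" > "$d/san.ok"

check_node "$d/members.stale" "$d/hosts" "$d/san.stale" pve1 || echo "stale state detected"
check_node "$d/members.ok" "$d/hosts" "$d/san.ok" pve1 && echo "consistent"
```

Pointed at the real files before and after `pvecm updatecerts -f`, the same check shows whether the unexpected address is gone from both .members and the certificate.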