Proxmox VE 4.x 5.x – SSL Issue

We started to use VMs instead of containers a few months ago on our Proxmox cluster. We had some issues in the beginning but now it works well.

The problem:

Today I came across a very irritating problem as I was updating our certificates. After the update I couldn’t restart the working VMs and got the following error message:

Failed to start VNC server: Our own certificate /etc/pve/local/pve-ssl.pem failed validation against /etc/pve/pve-root-ca.pem: The certificate hasn't got a known issuer

The web interface was working well with the new certificate, so I started to search for answers.

Long story short, I found a few posts about the problem, but none of them worked. And then I opened another one, and BOOM: It struck me hard.

So the solution is:

It turns out I misread the basic configuration on the main Proxmox wiki page about SSL.

If you want to use your own certificate then you should create/update the pveproxy-ssl.pem and pveproxy-ssl.key files only! I had previously updated the pve-ssl.key and pve-ssl.pem files, and that caused the problem.

1. Revert to original certificates:

pvecm updatecerts -f

2. Insert your certificate into the following files:

cp fullchain.pem /etc/pve/nodes/<node>/pveproxy-ssl.pem
cp private-key.pem /etc/pve/nodes/<node>/pveproxy-ssl.key

3. Restart the PVE-proxy service

systemctl restart pveproxy

The system log should inform you about the usage of the alternative SSL certificate (“Using ‘/etc/pve/local/pveproxy-ssl.pem’ as certificate for the web interface.”):

journalctl -b -u pveproxy.service

And voila, the web-interface has a shiny new certificate, and the console/shell is working again!
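To confirm the result after step 3, the following check is an added example, not part of the original post: it verifies that pve-ssl.pem is still issued by pve-root-ca.pem (the validation that failed in the VNC error above) and that the custom pveproxy-ssl.key matches pveproxy-ssl.pem. The function names are illustrative, and `-no-CApath` assumes OpenSSL 1.1.0 or newer.

```shell
#!/bin/sh
# Added example: sanity checks for the two certificate pairs on a PVE node.
# Function names are illustrative; file names and paths follow the post.

# True if the certificate in $2 is issued by the CA in $1. This is the check
# the VNC server applies to pve-ssl.pem against pve-root-ca.pem.
# -no-CApath (OpenSSL 1.1.0+) keeps the system trust directory out of it.
issued_by_ca() {
    openssl verify -no-CApath -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# True if the private key in $2 belongs to the first (leaf) certificate in $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check one node; $1 is the PVE configuration directory (default /etc/pve).
check_node() {
    pve=${1:-/etc/pve}
    rc=0
    if ! issued_by_ca "$pve/pve-root-ca.pem" "$pve/local/pve-ssl.pem"; then
        echo "FAIL: pve-ssl.pem is not issued by pve-root-ca.pem (run: pvecm updatecerts -f)"
        rc=1
    fi
    # A custom web certificate is optional; only check it when present.
    if [ -e "$pve/local/pveproxy-ssl.pem" ] &&
       ! key_matches_cert "$pve/local/pveproxy-ssl.pem" "$pve/local/pveproxy-ssl.key"; then
        echo "FAIL: pveproxy-ssl.key does not match pveproxy-ssl.pem"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: internal and web interface certificates are consistent"
    return "$rc"
}

# Run against the real paths only when this is a PVE node.
if [ -d /etc/pve/local ]; then
    check_node /etc/pve
fi
```

A FAIL on the first check reproduces the situation described in this post: a foreign certificate was written over pve-ssl.pem instead of pveproxy-ssl.pem.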
