We started to use VMs instead of containers a few months ago on our Proxmox cluster. We had some issues in the beginning but now it works well.
Today I came across a very irritating problem as I was updating our certificates. After the update I couldn’t restart the working VMs and got the following error message:
Failed to start VNC server: Our own certificate /etc/pve/local/pve-ssl.pem failed validation against /etc/pve/pve-root-ca.pem: The certificate hasn't got a known issuer
The web interface was working well with the new certificate, so I started to search for answers.
Long story short, I found a few posts about the problem, but neither of them worked. And then I opened another one, and BOOM: It struck me hard.
So the solution is:
It turns out I misread the basic configuration on the main Proxmox wiki page about SSL
If you want to use your own certificate then you should create/update the
pveproxy-ssl.key files only! I’ve updated the pve-ssl.key and pve-ssl.pem files previously and that caused the problem.
1. Revert to original certificates:
pvecm updatecerts -f
2. Insert your certificate into the following files:
cp fullchain.pem /etc/pve/nodes/<node>/pveproxy-ssl.pem cp private-key.pem /etc/pve/nodes/<node>/pveproxy-ssl.key
3. Restart the PVE-proxy service
systemctl restart pveproxy
The system log should inform you about the usage of the alternative SSL certificate (“Using ‘/etc/pve/local/pveproxy-ssl.pem’ as certificate for the web interface.”):
journalctl -b -u pveproxy.service
And voila, the web-interface has a shiny new certificate, and the console/shell is working again!