Proxmox with an Intermediate cert

Proxmox testing node running with an Intermediate Certificate Authority cert

It has been a long time since my last post. My boxes have been working fine so far and up until yesterday I had not noticed any issues. After updating JAVA on my machine I started to get errors concerning invalid certificates. I had previously installed new proper certs on my box so that might have been the cause.

Regarding my certs: I use the built in tools on pfSense to generate and manage all certs that I use on testing units. There I have a Root Certificate Authority setup and its cert is installed on the machines I use to debug my test installations (to avoid paying for temporary and easily disposable certs). On it I had created a server cert for my Proxmox testing node and had it installed a long time ago.

Looking for solutions I came across a post on how installing a intermediate certificate authority on the proxmox node could solve this and here is how I did it:

First I backed up all my old certs:

mv /etc/pve/pve-root-ca.pem /etc/pve/pve-root-ca.pem.bak 
mv /etc/pve/pve-www.key /etc/pve/pve-www.key.bak 
mv /etc/pve/priv/pve-root-ca.key /etc/pve/priv/pve-root-ca.key.bak 
mv /etc/pve/priv/pve-root-ca.srl /etc/pve/priv/pve-root-ca.srl.bak 
mv /etc/pve/local/pve-ssl.key /etc/pve/local/pve-ssl.key.bak 
mv /etc/pve/local/pve-ssl.pem /etc/pve/local/pve-ssl.pem.bak

Then I regenerated them and restarted all pvedaemon and pveproxy services:

pvecm updatecerts --force
service pvedaemon restart 
service pveproxy restart

I proceeded creating a new Intermediate Certificate Authority and a Server Certificate on my pfSense going on System > Cert Manager > CA > Add. Filled in the details and then Cert Manager > Certificate > Add and selected the previously intermediate cert authority. Downloaded the server key and cert and the authority cert.

Here came the tricky part:

  • The certificate authority cert became /etc/pve/pve-root-ca.pem;
  • The server key was copied to /etc/pve/local/pve-ssl.key; and
  • The server cert was edited to include the certificate authority cert at the bottom and copied to /etc/pve/local/pve-ssl.pem.

Restarted the services again and tested:

service pvedaemon restart 
service pveproxy restart

All working fine now!

Thanks to symmcom on the Proxmox forums and the maintainers of the Proxmox Wiki for some of these tips!

Cheers!