Proxmox with an Intermediate cert

Proxmox testing node running with an Intermediate Certificate Authority cert

It has been a long time since my last post. My boxes have been working fine so far, and up until yesterday I had not noticed any issues. After updating Java on my machine I started to get errors concerning invalid certificates. I had previously installed new proper certs on my box, so that might have been the cause.

Regarding my certs: I use the built-in tools on pfSense to generate and manage all certs that I use on testing units. There I have a Root Certificate Authority set up, and its cert is installed on the machines I use to debug my test installations (to avoid paying for temporary and easily disposable certs). On it I had created a server cert for my Proxmox testing node and had it installed a long time ago.

Looking for solutions, I came across a post on how installing an intermediate certificate authority on the Proxmox node could solve this, and here is how I did it:

First I backed up all my old certs:

mv /etc/pve/pve-root-ca.pem /etc/pve/pve-root-ca.pem.bak 
mv /etc/pve/pve-www.key /etc/pve/pve-www.key.bak 
mv /etc/pve/priv/pve-root-ca.key /etc/pve/priv/pve-root-ca.key.bak 
mv /etc/pve/priv/pve-root-ca.srl /etc/pve/priv/pve-root-ca.srl.bak 
mv /etc/pve/local/pve-ssl.key /etc/pve/local/pve-ssl.key.bak 
mv /etc/pve/local/pve-ssl.pem /etc/pve/local/pve-ssl.pem.bak

Then I regenerated them and restarted the pvedaemon and pveproxy services:

pvecm updatecerts --force
service pvedaemon restart 
service pveproxy restart

I then created a new Intermediate Certificate Authority and a Server Certificate on my pfSense under System > Cert Manager > CA > Add. I filled in the details, then went to Cert Manager > Certificate > Add and selected the previously created intermediate cert authority. I downloaded the server key and cert and the authority cert.

Here came the tricky part:

  • The certificate authority cert became /etc/pve/pve-root-ca.pem;
  • The server key was copied to /etc/pve/local/pve-ssl.key; and
  • The server cert was edited to include the certificate authority cert at the bottom and copied to /etc/pve/local/pve-ssl.pem.

Restarted the services again and tested:

service pvedaemon restart 
service pveproxy restart

All working fine now!
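
A pre-flight check for the three files from the list above, written as an added example (it is not part of the original post or of Proxmox): it confirms the server key matches the server cert and that the cert was issued by the CA cert, then writes the combined file with the CA cert at the bottom. The function name and file names are assumptions, the key is assumed to be unencrypted, and the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example: validate the files exported from pfSense and assemble the
# chain file before installing anything on the node.
# Usage: build_pve_chain SERVER_CERT CA_CERT SERVER_KEY OUT_FILE
# Returns 0 on success, 1 unreadable input, 2 key/cert mismatch,
# 3 server cert not issued by the CA cert.
build_pve_chain() {
    bpc_leaf=$1 bpc_ca=$2 bpc_key=$3 bpc_out=$4

    # Public key embedded in the server cert vs. the one derived from the key.
    # "-passin pass:" makes an encrypted key fail instead of prompting.
    bpc_cert_pub=$(openssl x509 -in "$bpc_leaf" -noout -pubkey 2>/dev/null) || return 1
    bpc_key_pub=$(openssl pkey -in "$bpc_key" -passin pass: -pubout 2>/dev/null) || return 1
    openssl x509 -in "$bpc_ca" -noout 2>/dev/null || return 1
    if [ "$bpc_cert_pub" != "$bpc_key_pub" ]; then
        echo "server key does not match server cert" >&2
        return 2
    fi

    # An intermediate CA cert is not self-signed, so -partial_chain lets it
    # act as the trust anchor for this one check.
    if ! openssl verify -partial_chain -CAfile "$bpc_ca" "$bpc_leaf" >/dev/null 2>&1; then
        echo "server cert was not issued by the given CA cert" >&2
        return 3
    fi

    # Server cert first, CA cert at the bottom. Re-emitting through openssl
    # drops stray text and guarantees a newline between the two PEM blocks.
    { openssl x509 -in "$bpc_leaf" && openssl x509 -in "$bpc_ca"; } > "$bpc_out"
}
```

Write OUT_FILE to a scratch path first and copy it to /etc/pve/local/pve-ssl.pem only after the function returns 0.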

Thanks to symmcom on the Proxmox forums and the maintainers of the Proxmox Wiki for some of these tips!

Cheers!
