Proxmox with an Intermediate cert

Proxmox testing node running with an Intermediate Certificate Authority cert

It has been a long time since my last post. My boxes have been working fine so far and up until yesterday I had not noticed any issues. After updating Java on my machine I started to get errors concerning invalid certificates. I had previously installed new proper certs on my box, so that might have been the cause.

Regarding my certs: I use the built-in tools on pfSense to generate and manage all certs that I use on testing units. There I have a Root Certificate Authority set up, and its cert is installed on the machines I use to debug my test installations (to avoid paying for temporary and easily disposable certs). On it I had created a server cert for my Proxmox testing node and had installed it a long time ago.

Looking for solutions I came across a post on how installing an intermediate certificate authority on the Proxmox node could solve this, and here is how I did it:

First I backed up all my old certs:

mv /etc/pve/pve-root-ca.pem /etc/pve/pve-root-ca.pem.bak 
mv /etc/pve/pve-www.key /etc/pve/pve-www.key.bak 
mv /etc/pve/priv/pve-root-ca.key /etc/pve/priv/pve-root-ca.key.bak 
mv /etc/pve/priv/ /etc/pve/priv/ 
mv /etc/pve/local/pve-ssl.key /etc/pve/local/pve-ssl.key.bak 
mv /etc/pve/local/pve-ssl.pem /etc/pve/local/pve-ssl.pem.bak

Then I regenerated them and restarted all pvedaemon and pveproxy services:

pvecm updatecerts --force
service pvedaemon restart 
service pveproxy restart

I proceeded to create a new Intermediate Certificate Authority and a Server Certificate on my pfSense, going to System > Cert Manager > CA > Add. I filled in the details, then went to Cert Manager > Certificate > Add and selected the previously created intermediate certificate authority. I downloaded the server key and cert and the authority cert.

Here came the tricky part:

  • The certificate authority cert became /etc/pve/pve-root-ca.pem;
  • The server key was copied to /etc/pve/local/pve-ssl.key; and
  • The server cert was edited to include the certificate authority cert at the bottom and copied to /etc/pve/local/pve-ssl.pem.

Restarted the services again and tested:

service pvedaemon restart 
service pveproxy restart

All working fine now!
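As an added check (example script, not from the original post): build a throwaway root / intermediate / server chain with openssl, assemble pve-ssl.pem the way described above (server cert with the intermediate CA cert appended) and verify that the assembled file chains to the root and that the key matches the cert. All file names, the /CN= values and the host name pve.example.test are constructed for the demo; nothing here touches /etc/pve.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway root -> intermediate -> server
# chain with openssl, assemble pve-ssl.pem as the post describes (server cert followed by the
# intermediate CA cert) and check that the result chains up to the root CA. Names are constructed.
set -eu

# Create root CA, intermediate CA and server cert in scratch directory $1.
build_chain() {
  d=$1; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  # Leaf: CA:FALSE plus a SAN, which browsers and Java require for hostname matching
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:pve.example.test\n' > "$d/server.ext"
  # Root CA: CSR self-signed with the CA extensions above
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA signed by the root (the pfSense intermediate CA of the post)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1825 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  # Server cert signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pve.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 365 -extfile "$d/server.ext" -out "$d/server.pem" 2>/dev/null
  # The tricky part: pve-ssl.pem is the server cert with the intermediate CA cert appended
  cat "$d/server.pem" "$d/inter.pem" > "$d/pve-ssl.pem"
}

# Return 0 if the first cert in $1 chains to the trusted root $2, using any further
# certs in $1 (the appended intermediate) as untrusted chain material.
verify_chain() {
  openssl x509 -in "$1" 2>/dev/null |
    openssl verify -CAfile "$2" -untrusted "$1" 2>/dev/null | grep -q ': OK$'
}

# Return 0 if private key $1 belongs to the first cert in $2; a mismatch keeps the
# TLS listener from starting once the files are copied into place.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}
work=$(mktemp -d)
build_chain "$work"
verify_chain "$work/pve-ssl.pem" "$work/root.pem" && echo "pve-ssl.pem with intermediate: OK"
verify_chain "$work/server.pem" "$work/root.pem" || echo "server cert alone: chain incomplete"
key_matches_cert "$work/server.key" "$work/pve-ssl.pem" && echo "key matches cert: OK"
```

The second verify_chain call shows the failure mode the post ran into: a pve-ssl.pem holding only the server cert does not chain to the root, because the intermediate is missing.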

Thanks to symmcom on the Proxmox forums and the maintainers of the Proxmox Wiki for some of these tips!


Creating a customized Proxmox VE OpenVZ template


Every time I want to test some code or software I usually do it in a virtualized environment to keep it isolated from my main system, and every time I set up a machine from scratch. I use VirtualBox when I am on the go, but at home I have several single-purpose VMs running on Proxmox VE, a powerful open source virtualization platform based on KVM and OpenVZ. Here is how to simplify the setup process by creating a custom Debian-based OpenVZ template:

  1. Create a regular OpenVZ Container having debian-6.0-standard_6.0-6_i386 as base.
  2. With the VM up and running, log in and set up networking. In my case I am using DHCP, so I added the following lines to /etc/network/interfaces:

    auto eth0 
    iface eth0 inet dhcp

    and restarted the network stack with /etc/init.d/networking restart.

  3. Update the system to install the latest patches:

    apt-get update && apt-get upgrade
  4. Make sure sudo and openssh-server are installed:

    apt-get install sudo openssh-server
  5. Create the default admin user, add it to the sudoers list and set up your SSH key:

    adduser USERNAME
    usermod -a -G sudo USERNAME 
    mkdir /home/USERNAME/.ssh 
    echo "YOURSSSHKEYHERE" > /home/USERNAME/.ssh/authorized_keys 
    chown -R USERNAME:USERNAME /home/USERNAME/.ssh
  6. Add PuppetLabs as a repository and install puppet:

    echo -e "deb squeeze main\ndeb-src squeeze main" >> /etc/apt/sources.list.d/puppet.list 
    apt-key adv --keyserver --recv 4BD6EC30 
    apt-get update 
    apt-get install puppet
  7. Cleanup!

    apt-get --purge clean
    rm -f /etc/hostname 
    cat /dev/null > /etc/resolv.conf

    Let’s remove the current host SSH keys and create a script to auto-generate them on the next boot:

    rm -f /etc/ssh/ssh_host_*
    vi /etc/init.d/ssh_gen_host_keys

    Paste the script, a modified version of the one shown on HowToForge:

    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides:          ssh_gen_host_keys
    # Required-Start:    $remote_fs $syslog
    # Required-Stop:     $remote_fs $syslog
    # Default-Start:     2 3 4 5
    # Default-Stop:
    # Short-Description: Generates new ssh host keys on first boot
    # Description:       Generates new ssh host keys on first boot
    ### END INIT INFO
    # Generate fresh host keys so containers created from the template do not share them
    ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ""
    ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ""
    /etc/init.d/ssh restart
    # Remove this script from the boot sequence and delete it so it only ever runs once
    insserv -r /etc/init.d/ssh_gen_host_keys
    rm -f $0

    After editing the file, make it executable and install it:

    chmod a+x /etc/init.d/ssh_gen_host_keys
    insserv /etc/init.d/ssh_gen_host_keys
  8. Done setting up the VM but don’t turn it off yet! Now take note of your VM ID (CTID) and ssh into Proxmox then run:

    vzctl set CTID --ipdel all --save

    You might want to tweak /etc/network/interfaces now. Before continuing it is a good idea to create a /tmp/excludes file with the following:


    Stop the VM and change directory to the VM root:

    vzctl stop CTID
    cd /var/lib/vz/private/CTID

    Then, tar the directory:

    tar --numeric-owner -czvf /var/lib/vz/template/cache/debian-6.0-YOURCUSTOMTEMPLATE_6.0-6_i386.tar.gz -X /tmp/excludes .

After that it will be available as a template for you to create new OpenVZ containers from. Please note that the template name should match one of the conf files in /etc/vz/dists (on your Proxmox box); otherwise you will have to write your own.
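As an added check before publishing the tarball (example script, not from the original post): list the entries of a template archive that carry per-container state. It looks for what the cleanup step above removes (SSH host keys, /etc/hostname) and, as extra checks I add here, shell history and DHCP lease files. The two sample archives are constructed inline with the same tar --numeric-owner invocation as the post.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OpenVZ template tarball for per-host
# state before publishing it. Covers what the cleanup step removes (ssh host keys, /etc/hostname)
# plus shell history and DHCP lease files; the sample archives are constructed below.
set -eu

# Paths that must not ship in a template (anchored, relative to the container root).
LEAK_PATTERN='^(etc/ssh/ssh_host_[^/]+|etc/hostname|(root|home/[^/]+)/\.bash_history|var/lib/dhcp3?/[^/]+\.leases)$'

# Print the offending entries of tarball $1, one per line; prints nothing when clean.
template_leaks() {
  tar -tzf "$1" | sed 's#^\./##' | grep -E "$LEAK_PATTERN" || true
}

# Return 0 when tarball $1 has no offending entries.
is_clean_template() {
  [ -z "$(template_leaks "$1")" ]
}

# Build a tiny fake container root at absolute path $1 and pack it as $1.tar.gz the way the
# post does. $2 is "dirty" to leave per-host files behind, "clean" otherwise.
make_rootfs() {
  mkdir -p "$1/etc/ssh" "$1/root" "$1/home/admin/.ssh" "$1/var/lib/dhcp"
  : > "$1/etc/ssh/sshd_config"
  : > "$1/etc/resolv.conf"                    # emptied as in the post; allowed to stay
  echo 'ssh-ed25519 AAAAC3... admin' > "$1/home/admin/.ssh/authorized_keys"  # wanted in template
  if [ "$2" = dirty ]; then
    echo 'constructed dummy key' > "$1/etc/ssh/ssh_host_rsa_key"
    echo testbox > "$1/etc/hostname"
    echo 'apt-get upgrade' > "$1/root/.bash_history"
    echo 'lease { }' > "$1/var/lib/dhcp/dhclient.eth0.leases"
  fi
  (cd "$1" && tar --numeric-owner -czf "$1.tar.gz" .)
}

work=$(mktemp -d)
make_rootfs "$work/dirty" dirty
make_rootfs "$work/clean" clean
echo "dirty template leaks:"; template_leaks "$work/dirty.tar.gz"
is_clean_template "$work/clean.tar.gz" && echo "clean template: OK"
```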

This was heavily based on the OpenVZ Wiki article How to create a CentOS template and on the Proxmox Forums.

That’s it!