Proxmox with an Intermediate cert

Proxmox testing node running with an Intermediate Certificate Authority cert

It has been a long time since my last post. My boxes have been working fine so far and up until yesterday I had not noticed any issues. After updating JAVA on my machine I started to get errors concerning invalid certificates. I had previously installed new proper certs on my box so that might have been the cause.

Regarding my certs: I use the built in tools on pfSense to generate and manage all certs that I use on testing units. There I have a Root Certificate Authority setup and its cert is installed on the machines I use to debug my test installations (to avoid paying for temporary and easily disposable certs). On it I had created a server cert for my Proxmox testing node and had it installed a long time ago.

Looking for solutions I came across a post on how installing a intermediate certificate authority on the proxmox node could solve this and here is how I did it:

First I backed up all my old certs:

mv /etc/pve/pve-root-ca.pem /etc/pve/pve-root-ca.pem.bak 
mv /etc/pve/pve-www.key /etc/pve/pve-www.key.bak 
mv /etc/pve/priv/pve-root-ca.key /etc/pve/priv/pve-root-ca.key.bak 
mv /etc/pve/priv/pve-root-ca.srl /etc/pve/priv/pve-root-ca.srl.bak 
mv /etc/pve/local/pve-ssl.key /etc/pve/local/pve-ssl.key.bak 
mv /etc/pve/local/pve-ssl.pem /etc/pve/local/pve-ssl.pem.bak

Then I regenerated them and restarted all pvedaemon and pveproxy services:

pvecm updatecerts --force
service pvedaemon restart 
service pveproxy restart

I proceeded creating a new Intermediate Certificate Authority and a Server Certificate on my pfSense going on System > Cert Manager > CA > Add. Filled in the details and then Cert Manager > Certificate > Add and selected the previously intermediate cert authority. Downloaded the server key and cert and the authority cert.

Here came the tricky part:

  • The certificate authority cert became /etc/pve/pve-root-ca.pem;
  • The server key was copied to /etc/pve/local/pve-ssl.key; and
  • The server cert was edited to include the certificate authority cert at the bottom and copied to /etc/pve/local/pve-ssl.pem.

Restarted the services again and tested:

service pvedaemon restart 
service pveproxy restart

All working fine now!

Thanks to symmcom on the Proxmox forums and the maintainers of the Proxmox Wiki for some of these tips!

Cheers!

Creating a customized Proxmox VE OpenVZ template

proxmox-create-custom-openvz-container

Every time I want to test some code or software I usually do it on a virtualized environment to keep it isolated from my main system and every time I setup a machine from scratch. I use Virtual Box when I am on the go but at home I have several single-purpose VMs running on Proxmox VE, a powerful open source virtualization platform, based on KVM and OpenVZ. Here is how to simplify the setup process creating a custom Debian-based OpenVZ template:

  1. Create a regular OpenVZ Container having debian-6.0-standard_6.0-6_i386 as base.
  2. With the VM up and running, log in and setup networking. In my case I am using DHCP, so I added the following lines to /etc/network/interfaces:

    auto eth0 
    iface eth0 inet dhcp
    

    and reseted the network stack with /etc/init.d/networking restart.

  3. Update the system to install the latest patches:

    apt-get update && apt-get upgrade
    
  4. Make sure sudo and openssh-server are installed:

    apt-get install sudo openssh-server
    
  5. Create the default admin user, add it to the sudoer’s list and setup your ssh-key:

    adduser USERNAME
    usermod -a -G sudo USERNAME 
    mkdir /home/USERNAME/.ssh 
    echo "YOURSSSHKEYHERE" > /home/USERNAME/.ssh/authorized_keys 
    chown -R USERNAME:USERNAME /home/USERNAME/.ssh
    
  6. Add PuppetLabs as a repository and install puppet:

    echo -e "deb http://apt.puppetlabs.com/ squeeze main\ndeb-src http://apt.puppetlabs.com/ squeeze main" >> /etc/apt/sources.list.d/puppet.list 
    apt-key adv --keyserver keyserver.ubuntu.com --recv 4BD6EC30 
    apt-get update 
    apt-get install puppet
    
  7. Cleanup!

    apt-get --purge clean
    rm -f /etc/hostname 
    cat /dev/null > /etc/resolv.conf
    

    Let’s remove the current host ssh keys and create a script to auto generate them on the next boot.watch full Stayin’ Alive: A Grammy Salute to the Music of the Bee Gees 2017 film online

    rm -f /etc/ssh/ssh_host_*
    vi /etc/init.d/ssh_gen_host_keys
    

    Paste the script, a modified version of the one shown on HowToForge:

    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides:          Generates new ssh host keys on first boot
    # Required-Start:    $remote_fs $syslog
    # Required-Stop:     $remote_fs $syslog
    # Default-Start:     2 3 4 5
    # Default-Stop:
    # Short-Description: Generates new ssh host keys on first boot
    # Description:       Generates new ssh host keys on first boot
    ### END INIT INFO
    ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ""
    ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ""
    /etc/init.d/ssh restart
    insserv -r /etc/init.d/ssh_gen_host_keys
    rm -f \$0
    

    After editing the file, make it executable and install it:

    chmod a+x /etc/init.d/ssh_gen_host_keys
    insserv /etc/init.d/ssh_gen_host_keys
    
  8. Done setting up the VM but don’t turn it off yet! Now take note of your VM ID (CTID) and ssh into Proxmox then run:

    vzctl set CTID --ipdel all --save
    

    You might want to tweak the /etc/network/interfaces now. Before continuing is a good idea to create an /tmp/excludes file with the following:

    .bash_history
    lost+found
    /dev/*
    /mnt/*
    /tmp/*
    /proc/*
    /sys/*
    /usr/src/*
    /etc/ssh/ssh_host*
    

    Stop the VM and change directory to the VM root:

    vzctl stop CTID
    cd /var/lib/vz/private/CTID
    

    Then, tar the directory:

    tar --numeric-owner -czvf /var/lib/vz/template/cache/debian-6.0-YOURCUSTOMTEMPLATE\_6.0-6\_i386.tar.gz -X /tmp/excludes .
    

After that it will be available as a template for you to create new OpenVZ containers from. Please note that the template name should match one of the conf files on /etc/vz/dists (in your Proxmox box), otherwise you will have to write yourself your own.

This was heavily based on the OpenVZ Wiki, How to create a CentOS template and on Proxmox Forums.

That’s it!