<div style="font-family: Helvetica; font-size: 13px; ">@Kurt: Thank you, I'll check that command.<div><br></div><div>@Dietmar: And sorry for double-posting, but I really thought it was dead or badly registered.</div><div><br></div><div>I've replaced pve-ssl.pem, pve-ssl.key, added the chained certificate of my pem (which contains the CA AND the intermediate certificate). I missed pve-root-ca.* files, which I'm changing now.</div><div><br></div><div>AAAAAAAND. It fails because `pvecm updatecerts -force` is using the CA .key, which I don't have because I'm using trusted certificates.</div><div>No big deal, "Eneko Lacunza" has replied to me after you, I'll check what he said.</div><div><br></div><div>Thank you!</div></div>
<div><div><br></div><div style="background-color: rgb(255, 255, 255); ">-- <br>Regards, Adnan RIHAN.<br><u>President</u>-<u>Founder</u> of the association (under the 1901 law) <a href="http://www.virtual-info.info/" target="_blank" style="color: rgb(0, 106, 227); "><b>Virtual-Info</b></a>, <i>Web and game server host</i>.</div><div style="background-color: rgb(255, 255, 255); "><u>Technical</u> <u>Director</u> for the <b>Rininvest</b> group.<br><a href="http://rihan.fr/" target="_blank" style="color: rgb(0, 106, 227); "><u>Consultant</u></a>-<u>Senior Technician</u> in <i>Business Computing</i>.<br><a href="http://lyt.me/7E" target="_blank" style="color: rgb(0, 106, 227); "><b>Qt</b></a> <u>Ambassador</u> (<a href="http://rihan.fr/fr/projets/tagpg" target="_blank" style="color: rgb(0, 106, 227); "><b></b></a><b><a href="http://rihan.fr/projects/system/tagpg">Tag-PG</a></b> project).</div><div><br></div></div>
<p style="color: #A0A0A8;">On Monday 8 October 2012 at 09:44, Kurt Smolderen wrote:</p>
<blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px;">
<span><div><div><div>On 08-10-12 06:57, Dietmar Maurer wrote:</div><blockquote type="cite"><div><blockquote type="cite"><div><div>I want to change my SSL certificates for valid ones.</div><div>I've changed the SSL certificates in apache, without any problem.</div></div></blockquote><div>How did you change that? You need to replace the files</div><div><br></div><div>/etc/pve/local/pve-ssl.pem</div><div>/etc/pve/local/pve-ssl.key</div><div><br></div><div>Those files are normally auto-generated with the cluster-wide CA:</div><div><br></div><div>/etc/pve/priv/pve-root-ca.key</div><div>/etc/pve/pve-root-ca.pem</div></div></blockquote><div>The problem here is that you also need to replace the pve-root-ca.pem </div><div>certificate with one which also allows certificate signing. These </div><div>certificates tend to be quite expensive. If you don't do this, you won't </div><div>be able to add new nodes to your cluster, will you? Or can you manually </div><div>add the certificates for each node as long as they are signed by the </div><div>same root certificate?</div><div><br></div><div>In our cluster setup, we've replaced the certificates in the apache </div><div>configuration with signed ones and left the certificates in </div><div>/etc/pve/local untouched (the signed ones are located in /etc/ssl/certs). </div><div>The only caveat we encountered was when you also changed the domain name </div><div>of the proxmox host: the certificates generated by proxmox contain the </div><div>server name as CN and the fully qualified domain name as Alternate DN. </div><div>So changing one of these makes your certificates invalid. You should run </div><div>"pvecm updatecerts -force" on each of your systems and I think reboot </div><div>your host (or restart the necessary services).</div><div><br></div><div>Regards,</div><div>Kurt</div></div></div></span>
</blockquote>
<div>
<br>
</div>
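<p>Added example, not part of the thread and not Proxmox code: a check to run on a replacement certificate/key pair before copying it over pve-ssl.pem and pve-ssl.key, covering the two failure modes discussed above (a key that does not belong to the certificate, and a host name the certificate does not cover). It assumes the openssl command line with <code>-checkhost</code> support (OpenSSL 1.0.2 or later); the function names are illustrative.</p>

```shell
#!/bin/sh
# Added example: pre-deployment checks for a replacement certificate/key pair.
# All paths and host names are supplied by the caller; nothing under /etc/pve
# is read or written. In a chained PEM file the leaf certificate must come
# first, because "openssl x509" only parses the first certificate it finds.

# Succeeds if the private key ($2) belongs to the leaf certificate ($1).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate ($1) is valid for host name ($2).
# When a subjectAltName is present, the CN alone is not considered.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q 'does match certificate'
}

# Succeeds if the certificate ($1) has not yet expired.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# usage: check_replacement CERT KEY HOSTNAME
# Reports every problem found on stderr and returns non-zero if there is any.
check_replacement() {
    rc=0
    cert_matches_key "$1" "$2" ||
        { echo "private key does not match certificate" >&2; rc=1; }
    cert_covers_host "$1" "$3" ||
        { echo "certificate is not valid for host $3" >&2; rc=1; }
    cert_not_expired "$1" ||
        { echo "certificate has expired" >&2; rc=1; }
    return $rc
}
```

Run it once per node with that node's fully qualified name, since each node serves its own pve-ssl.pem.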