[pve-devel] Changing SSL Certificates

Adnan RIHAN axel50397 at gmail.com
Mon Oct 8 11:04:16 CEST 2012


@Kurt: Thank you, I'll check that command.

@Dietmar: And sorry for double-posting, but I really thought it was dead or badly registered.

I've replaced pve-ssl.pem and pve-ssl.key, and added the chained certificate of my pem (which contains the CA AND the intermediate certificate). I missed the pve-root-ca.* files, which I'm changing now.

AAAAAAAND. It fails because `pvecm updatecerts -force` is using the CA .key, which I don't have because I'm using trusted certificates.
No big deal, "Eneko Lacunza" replied to me after you, I'll check what he said.

Thank you!

--
Regards, Adnan RIHAN.
President and Founder of the Virtual-Info association (under the French law of 1901) (http://www.virtual-info.info/), web and game server hosting.
Technical Director for the Rininvest group.
Consultant (http://rihan.fr/) and Senior Technician in Management Information Systems.
Qt Ambassador (http://lyt.me/7E) (Tag-PG project (http://rihan.fr/projects/system/tagpg)).


On Monday, 8 October 2012 at 09:44, Kurt Smolderen wrote:

> On 08-10-12 06:57, Dietmar Maurer wrote:
> > > I want to change my SSL certificates for valid one.
> > > I've changed the SSL certificates in apache, without any problem.
> > >  
> >  
> > How did you change that? You need to replace the files
> >  
> > /etc/pve/local/pve-ssl.pem
> > /etc/pve/local/pve-ssl.key
> >  
> > Those files are normally auto-generated with the cluster wide CA:
> >  
> > /etc/pve/priv/pve-root-ca.key
> > /etc/pve/pve-root-ca.pem
> >  
>  
> The problem here is that you also need to change the pve-root-ca.pem
> certificate for one which also allows certificate signing. These
> certificates tend to be quite expensive. If you don't do this, you won't
> be able to add new nodes to your cluster, will you? Or can you manually
> add the certificates for each node as long as they are signed by the
> same root certificate?
>  
> In our cluster setup, we've replaced the certificates in the apache
> configuration with signed ones and left the certificates in
> /etc/pve/local untouched (the signed ones are located in /etc/ssl/certs).
> The only caveat we encountered was when you also change the domain name
> of the proxmox host: the certificates generated by proxmox contain the
> server name as CN and the fully qualified domain name as Alternate DN.
> So changing one of these makes your certificates invalid. You should run
> "pvecm updatecerts -force" on each of your systems and I think reboot
> your host (or restart the necessary services).
>  
> Regards,
> Kurt
>  
>  

