[PVE-User] Error joining cluster

Eneko Lacunza elacunza at binovo.es
Wed May 20 12:05:13 CEST 2015 

Hi all,

I'm just adding a new node to a 3-node cluster, v3.4 . When adding I got 
an error message regarding SSL certificate generation:

---
# pvecm add butroe
The authenticity of host 'butroe (192.168.1.7)' can't be established.
RSA key fingerprint is 55:f4:8a:bd:49:45:51:60:4b:8f:ac:ea:df:60:15:57.
Are you sure you want to continue connecting (yes/no)? yes
root at butroe's password:
root at butroe's password:
copy corosync auth key
stopping pve-cluster service
Stopping pve cluster filesystem: pve-cluster.
backup old database
Starting pve cluster filesystem : pve-cluster.
Starting cluster:
    Checking if cluster has been disabled at boot... [  OK  ]
    Checking Network Manager... [  OK  ]
    Global setup... [  OK  ]
    Loading kernel modules... [  OK  ]
    Mounting configfs... [  OK  ]
    Starting cman... [  OK  ]
    Waiting for quorum... [  OK  ]
    Starting fenced... [  OK  ]
    Starting dlm_controld... [  OK  ]
    Tuning DLM kernel config... [  OK  ]
    Unfencing self... [  OK  ]
waiting for quorum...OK
generating node certificates
Signature ok
subject=/OU=PVE Cluster Node/O=Proxmox Virtual 
Environment/CN=sanmarko.binovo.net
Getting CA Private Key
CA certificate and CA private key do not match
139833351603880:error:0B080074:x509 certificate 
routines:X509_check_private_key:key values mismatch:x509_cmp.c:330:
unable to generate pve ssl certificate:
command 'openssl x509 -req -in /tmp/pvecertreq-4734.tmp -days 3650 -out 
/etc/pve/nodes/sanmarko/pve-ssl.pem -CAkey /etc/pve/priv/pve-root-ca.key 
-CA /etc/pve/pve-root-ca.pem -CAserial /etc/pve/priv/pve-root-ca.srl 
-extfile /tmp/pvesslconf-4734.tmp' failed: exit code 1
---

I see that /etc/pve/nodes/sanmarko/pve-ssl.pem is empty (0 size). I 
think this is happening because I changed /etc/pve/pve-root-ca.pem some 
time ago (in 2012 :)  ), and it doesn't match the key in 
/etc/pve/priv/pve-root-ca.key

Am I on the safe side just generating a good 
/etc/pve/nodes/sanmarko/pve-ssl.pem file for 
/etc/pve/nodes/sanmarko/pve-ssl.key, or should I check other things? I'm 
re-issuing pve-ssl.pem files with our own IT CA anyways.

Thanks a lot
Eneko

-- 
Zuzendari Teknikoa / Director Técnico
Binovo IT Human Project, S.L.
Telf. 943575997
       943493611
Astigarraga bidea 2, planta 6 dcha., ofi. 3-2; 20180 Oiartzun (Gipuzkoa)
www.binovo.es

More information about the pve-user mailing list