Proxmox is driving me fucking nuts last night and today…
noVNC isn’t working correctly and it has something to do with the certs. I was pretty sure that everything was kosher before I deployed a LE cert in place of the self generated ones. But ever since then, I’ve had an issue where any VNC console you open will refresh and reconnect every few seconds, making anything you’re doing infeasible.
After deploying the LE certs, I get this error in my logs –
pveproxy[1775]: problem with client xxx.xxx.xxx.xxx; ssl3_read_bytes: sslv3 alert bad certificate
But if I delete my LE certs and use the self-generated certs (via pvecm updatecerts -f), I still have the VNC issue and see this error instead.
pveproxy[3585]: problem with client xxx.xxx.xxx.xxx; ssl3_read_bytes: tlsv1 alert unknown ca
Proxmox help forums are failing me. Some people just re-gen their certs and it works again, some people try a different browser and clear cache and it works again, some topics don’t have any solutions. I’m 10 seconds away from just saying fuck it and reinstalling the OS again. I have a feeling it’s something to do with Proxmox being installed over top of Debian and some underlying incompatibility at play here. But that was my only option since you can’t use RAID in the Proxmox ISO installation without ZFS.
I can’t imagine that’s the issue, I always install Proxmox over Debian. With that being said, Proxmox’ web interface can be a real pain. If there’s nothing to lose, I would try doing a fresh install.
Just tedious to reinstall and reconfigure everything, plus I have 4 client VMs that I’ll have to remigrate. But in the end it’ll probably save me more time by just doing a reinstall rather than fighting with this any more.
If you’re unable to find much through the forums etc. then I would just reinstall. Given how much time you’ve already sunk into it, it might just be easier haha.
I’ve found plenty of people with the same issue on the Proxmox forum, but no solutions worked. Tried a dozen times to remove the LE certs and use Proxmox generated ones and vice-versa. I’ve confirmed the cert itself is valid. I’ve tried a plethora of different browsers w/ incognito sessions. The node itself has been rebooted. Services have been restarted a hundred times. Nothing has worked.
Yep, I’ve always used this script to deploy and renew the LE cert:
#!/bin/bash
service nginx stop
certbot certonly --standalone --agree-tos --email {redacted.my.email} -d {redacted.my.domain}
rm -rf /etc/pve/local/pve-ssl.pem
rm -rf /etc/pve/local/pve-ssl.key
rm -rf /etc/pve/pve-root-ca.pem
cp /etc/letsencrypt/live/{redacted.my.domain}/fullchain.pem /etc/pve/local/pve-ssl.pem
cp /etc/letsencrypt/live/{redacted.my.domain}/chain.pem /etc/pve/pve-root-ca.pem
cp /etc/letsencrypt/live/{redacted.my.domain}/privkey.pem /etc/pve/local/pve-ssl.key
service pveproxy restart
service pvedaemon restart
service nginx start
I also tried to use the new built-in ACME cert manager as well to “order” and auto-deploy the certs. End result is always the same (one of the two errors above).
Looks like they moved it to: /usr/share/perl5/PVE/Service/pveproxy.pm
Added “sslv3 => 0” and the new “cipher_list” to the ssl block. But the issue persists. Cleared cookies/browser data, tried incognito mode, tried completely different browser. Still getting the sslv3 error.
Seems I may have spoken too soon. VNC is currently stable and I’m not seeing the errors anymore. Going to monitor it for the next couple days, but fingers crossed that something I did fixed it or it just needed time to sort itself out.
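A read-only way to inspect the three files the deploy script in this thread copies into place (certificate, private key, CA file), added here as an example and not posted by anyone in the thread. It assumes the openssl command-line tool is installed; the function names are hypothetical and the paths are passed as arguments.

```shell
#!/bin/sh
# Added example: read-only checks on a certificate / key / CA-file triple.
# Nothing is modified. Usage: sh check-certs.sh CERT KEY CAFILE

# True when the private key belongs to the first certificate in the PEM file.
# Both public keys are rendered as PEM text and compared as strings.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when subject and issuer of the first certificate are the same name,
# as they are for a root CA. An intermediate certificate fails this check.
is_self_issued() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null)
    issr=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null)
    [ -n "$subj" ] && [ "$subj" = "$issr" ]
}

# True when the leaf certificate verifies against the CA file. Any extra
# certificates in the leaf file are offered as untrusted intermediates.
# Without -partial_chain, openssl verify needs a self-signed root in CAFILE.
chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Run all three checks and print one line per result.
check_cert_set() {
    rc=0
    if cert_matches_key "$1" "$2"; then echo "OK   key matches certificate"
    else echo "FAIL key does not match certificate"; rc=1; fi
    if is_self_issued "$3"; then echo "OK   first cert in CA file is self-issued"
    else echo "WARN first cert in CA file is not self-issued"; fi
    if chain_verifies "$1" "$3"; then echo "OK   certificate verifies against CA file"
    else echo "FAIL certificate does not verify against CA file"; rc=1; fi
    return $rc
}

# Only act when called with the three paths.
if [ "$#" -eq 3 ]; then check_cert_set "$1" "$2" "$3"; fi
```

Running it against the certificate, key and CA file before and after a redeploy shows which of the three relationships changed.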