proxmox/reports/R630_02_SSL_596_FIX_GUIDE.md


# r630-02 SSL Error 596 Fix Guide
**Date**: 2026-01-06

**Error**: `error:0A000086:SSL routines::certificate verify failed (596)`

**Node**: r630-02 (192.168.11.12)

**Status**: ⚠️ **REQUIRES BROWSER CACHE CLEAR**

---
## Problem
The Proxmox VE GUI displays SSL certificate error 596 even after certificate regeneration. This is typically a **browser cache issue** where the browser has cached old certificate information.

---
## Root Cause
The SSL certificate error 596 can persist in the browser even after fixing server-side certificates because:
1. **Browser SSL Cache**: Browsers cache SSL certificate information
2. **Certificate Subject Mismatch**: Certificate may have old hostname (pve2.lan) instead of current (r630-02)
3. **Certificate Chain**: Browser may have cached incomplete certificate chain
---
## Server-Side Fixes Applied
### ✅ Fix 1: Certificate Regeneration
```bash
# Regenerated certificates on r630-02
pvecm updatecerts -f
systemctl restart pveproxy pvedaemon
```
### ✅ Fix 2: Certificate Chain Verification
- Certificate chain verified: ✅ OK
- Root CA certificate: ✅ Valid (expires 2035)
- Node certificate: ✅ Valid (expires 2027)
### ✅ Fix 3: Certificate Synchronization
- Certificates regenerated on all cluster nodes:
  - ✅ ml110 (192.168.11.10)
  - ✅ r630-01 (192.168.11.11)
  - ✅ r630-02 (192.168.11.12)
---
## Browser-Side Fix (REQUIRED)
**⚠️ CRITICAL**: You MUST clear your browser cache and cookies to resolve the SSL error 596.
### Chrome/Edge Browser
1. **Open Settings**:
   - Press `Ctrl+Shift+Delete` (Windows/Linux)
   - Or `Cmd+Shift+Delete` (Mac)
2. **Clear Browsing Data**:
   - Select "Cached images and files" ✅
   - Select "Cookies and other site data" ✅
   - Time range: **"All time"**
   - Click **"Clear data"**
3. **Alternative - Clear SSL State**:
   - Go to: `chrome://settings/clearBrowserData`
   - Advanced tab
   - Select "Cached images and files"
   - Select "Cookies and other site data"
   - Click "Clear data"
4. **Close and Reopen Browser**
### Firefox Browser
1. **Open Settings**:
   - Press `Ctrl+Shift+Delete` (Windows/Linux)
   - Or `Cmd+Shift+Delete` (Mac)
2. **Clear Data**:
   - Select "Cached Web Content" ✅
   - Select "Cookies" ✅
   - Time range: **"Everything"**
   - Click **"Clear Now"**
3. **Close and Reopen Browser**
### Alternative: Use Incognito/Private Mode
1. Open browser in **Incognito/Private mode**
2. Navigate to: `https://192.168.11.12:8006`
3. Accept certificate warning if prompted
4. This bypasses cached certificate information
---
## Verification Steps
### Step 1: Clear Browser Cache
Follow the browser-specific instructions above.
### Step 2: Access Proxmox UI
```
https://192.168.11.12:8006
```
### Step 3: Accept Certificate Warning (First Time)
- If you see a security warning, click **"Advanced"**
- Click **"Proceed to 192.168.11.12 (unsafe)"** or **"Accept the Risk and Continue"**
- This is normal for self-signed certificates in Proxmox
### Step 4: Verify No Error 596
- The GUI should load without SSL error 596
- You should see the Proxmox login page
---
## If Error Persists After Clearing Cache
### Option 1: Try Different Browser
- Use a different browser (Chrome, Firefox, Edge)
- Or use a browser you haven't used to access Proxmox before
### Option 2: Access via IP Address Directly
- Use: `https://192.168.11.12:8006`
- Avoid using hostname or FQDN
### Option 3: Check Browser Console
1. Open browser Developer Tools (F12)
2. Go to Console tab
3. Look for SSL/certificate errors
4. Check Network tab for failed requests
### Option 4: Verify Certificate in Browser
1. Click the lock icon in address bar
2. View certificate details
3. Check that the current date and time fall within the certificate's validity period
4. Verify certificate chain is complete
### Option 5: Manual Certificate Import (Advanced)
If the above doesn't work, you can manually import the root CA certificate:
```bash
# Get the root CA certificate
ssh root@192.168.11.12 "cat /etc/pve/pve-root-ca.pem" > /tmp/pve-root-ca.pem
# Import into browser:
# Chrome: Settings → Privacy and security → Security → Manage certificates → Authorities → Import
# Firefox: Settings → Privacy & Security → Certificates → View Certificates → Authorities → Import
```
---
## Server-Side Verification
### Check Certificate Status
```bash
# SSH to r630-02
ssh root@192.168.11.12
# Check certificate dates
openssl x509 -in /etc/pve/pve-root-ca.pem -noout -dates
openssl x509 -in /etc/pve/local/pve-ssl.pem -noout -dates
# Verify certificate chain
openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/local/pve-ssl.pem
# Check services
systemctl status pveproxy pvedaemon
```
### Test Web Interface from Server
```bash
# Test locally (-k skips certificate verification, so this only confirms that pveproxy answers)
curl -k -I https://localhost:8006/
# Should return HTTP 200 or 401
```
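
The checks above read the certificate files on disk, and `curl -k` skips verification, so none of them shows which certificate pveproxy is actually serving or whether it covers the name typed in the browser. The following added example (not one of the repository's scripts) fetches the served certificate, verifies it against the root CA, compares it with `/etc/pve/local/pve-ssl.pem`, and checks the URL host against the SAN; the function names and the SAN list used in the offline demo are constructed for illustration.

```bash
#!/bin/sh
# Added example. Paths/address are from this guide; function names are hypothetical.
CA=/etc/pve/pve-root-ca.pem
NODE_CERT=/etc/pve/local/pve-ssl.pem

# Leaf certificate that pveproxy actually serves, as PEM ($1 host, $2 port).
served_cert() {
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | openssl x509 2>/dev/null
}
# SHA-256 fingerprint of a PEM certificate file.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Succeed if host $2 is listed in SAN text $1 (output of
# `openssl x509 -noout -ext subjectAltName`). Exact match only, no wildcards.
san_covers() {
  printf '%s\n' "$1" | tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
    grep -Fxqi -e "DNS:$2" -e "IP Address:$2"
}

# Map three check results (0 = pass) to the next troubleshooting step.
diagnose() {  # $1 chain verifies, $2 served cert == on-disk cert, $3 name in SAN
  if [ "$1" -ne 0 ]; then echo "chain-invalid: rerun pvecm updatecerts -f"
  elif [ "$2" -ne 0 ]; then echo "stale-served-cert: restart pveproxy"
  elif [ "$3" -ne 0 ]; then echo "name-mismatch: browse to a name listed in the SAN"
  else echo "server-ok: continue with the browser-side steps"
  fi
}

check_node() {  # $1 = host exactly as typed in the browser URL, $2 = port
  tmp=$(mktemp) || return 2
  served_cert "$1" "$2" >"$tmp"
  if [ ! -s "$tmp" ]; then rm -f "$tmp"; echo "no-cert: nothing served on $1:$2"; return 2; fi
  openssl verify -CAfile "$CA" "$tmp" >/dev/null 2>&1; chain=$?
  [ "$(fingerprint "$tmp")" = "$(fingerprint "$NODE_CERT")" ]; same=$?
  san_covers "$(openssl x509 -in "$tmp" -noout -ext subjectAltName)" "$1"; name=$?
  rm -f "$tmp"
  diagnose "$chain" "$same" "$name"
}

if [ "$#" -eq 2 ]; then
  check_node "$1" "$2"   # run on the node, e.g. with arguments: 192.168.11.12 8006
else
  # Offline demo on a constructed SAN list (not read from r630-02).
  demo='IP Address:192.168.11.12, DNS:pve2, DNS:pve2.lan'
  for h in 192.168.11.12 pve2.lan r630-02; do
    san_covers "$demo" "$h" && echo "$h: covered" || echo "$h: NOT covered"
  done
fi
```

A `server-ok` result means the remaining cause is on the client side; any other result points back to the server-side fixes.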
---
## Certificate Information
**Root CA Certificate**:

- Valid from: Sep 2, 2025
- Valid until: Aug 31, 2035
- Status: ✅ Valid

**Node Certificate**:

- Valid from: Dec 22, 2025
- Valid until: Dec 22, 2027
- Status: ✅ Valid
- Subject: CN=pve2.lan (old hostname - this is normal for Proxmox)

**Note**: The certificate subject showing "pve2.lan" is expected in Proxmox clusters. The certificate is valid and will work once browser cache is cleared.

---
## Common Causes of Persistent Error 596
1. **Browser Cache Not Cleared**: Most common cause
2. **Browser Extension**: Some security extensions block self-signed certificates
3. **Corporate Proxy**: Corporate proxy may be intercepting SSL
4. **System Time Mismatch**: The system clock on the machine running the browser must match the server's time
5. **Multiple Browser Profiles**: Cache may be in a different profile
---
## Quick Fix Checklist
- [ ] Clear browser cache and cookies (REQUIRED)
- [ ] Close and reopen browser
- [ ] Try accessing via IP: `https://192.168.11.12:8006`
- [ ] Accept certificate warning if prompted
- [ ] Try incognito/private mode
- [ ] Try different browser
- [ ] Check browser console for errors
- [ ] Verify system time is correct
---
## Scripts Available
### Comprehensive SSL Fix Script
```bash
./scripts/fix-ssl-596-comprehensive.sh r630-02
```
### Standard SSL Fix Script
```bash
./scripts/fix-ssl-certificate-error-596.sh r630-02
```
---
## Summary
**Server-Side Status**: ✅ **FIXED**

- Certificates regenerated
- Services restarted
- Certificate chain verified
- All cluster nodes synchronized

**Browser-Side Action Required**: ⚠️ **CLEAR CACHE**

- You MUST clear browser cache and cookies
- This is the most common cause of persistent error 596
- After clearing cache, the error should disappear

---

**Last Updated**: 2026-01-06

**Status**: ⚠️ **REQUIRES BROWSER CACHE CLEAR**

**Next Step**: Clear browser cache and cookies, then access `https://192.168.11.12:8006`