# How to Fix SSL Certificate Error 596 on Each Proxmox Host

**Error:** `error:0A000086:SSL routines::certificate verify failed (596)`

---
## Important: Host vs Container Commands
⚠️ **These commands must be run on Proxmox HOST nodes, NOT inside containers.**
- `pvecm updatecerts -f` - Proxmox host command (not available in containers)
- `systemctl restart pveproxy pvedaemon` - Proxmox host services (not in containers)
---
## Method 1: Automated Script (Recommended)
Run the fix on all Proxmox host nodes automatically:
```bash
cd /home/intlc/projects/proxmox
./scripts/fix-ssl-certificate-all-hosts.sh
```
This will:
1. Connect to each Proxmox host node
2. Run `pvecm updatecerts -f` on each host
3. Restart `pveproxy` and `pvedaemon` services on each host
4. Verify services are running
---
## Method 2: Manual Fix - One Host at a Time
### For Each Proxmox Host Node:
**Proxmox Host Nodes:**
- ml110: 192.168.11.10
- r630-01: 192.168.11.11
- r630-02: 192.168.11.12
- r630-03: 192.168.11.13
- r630-04: 192.168.11.14
**Commands to run on EACH host:**
```bash
# SSH to the Proxmox host (NOT a container)
ssh root@<host-ip>
# Once on the host, run:
pvecm updatecerts -f
systemctl restart pveproxy pvedaemon
# Verify services are running
systemctl status pveproxy pvedaemon
```
**Example for ml110:**
```bash
ssh root@192.168.11.10
pvecm updatecerts -f
systemctl restart pveproxy pvedaemon
systemctl status pveproxy pvedaemon
exit
```
**Example for r630-01:**
```bash
ssh root@192.168.11.11
pvecm updatecerts -f
systemctl restart pveproxy pvedaemon
systemctl status pveproxy pvedaemon
exit
```
---
## Method 3: Loop Through All Hosts
Run the fix on all hosts in a loop:
```bash
# List of Proxmox host IPs
HOSTS=(
"192.168.11.10" # ml110
"192.168.11.11" # r630-01
"192.168.11.12" # r630-02
"192.168.11.13" # r630-03
"192.168.11.14" # r630-04
)
# Fix each host
for HOST_IP in "${HOSTS[@]}"; do
    echo "=== Fixing $HOST_IP ==="
    ssh root@"$HOST_IP" "
        pvecm updatecerts -f
        systemctl restart pveproxy pvedaemon
        systemctl status pveproxy pvedaemon --no-pager | head -5
    "
    echo ""
done
```
---
## Method 4: Using pvesh (Proxmox API)
If you have API access configured (the one-liner below still connects over SSH and does not call `pvesh`):
```bash
# For each host, SSH and run:
ssh root@<host-ip> "pvecm updatecerts -f && systemctl restart pveproxy pvedaemon"
```
---
## What NOT to Do
**Don't run these commands inside containers:**
```bash
# WRONG - This won't work in a container
pct exec 100 -- pvecm updatecerts -f # ❌ pvecm doesn't exist in containers
pct exec 100 -- systemctl restart pveproxy # ❌ These services don't exist in containers
```
**Do run these commands on the Proxmox HOST:**
```bash
# CORRECT - Run on the host itself
ssh root@192.168.11.10
pvecm updatecerts -f
systemctl restart pveproxy pvedaemon
```
---
## Verification
After fixing, verify on each host:
```bash
# Check certificate
ssh root@<host-ip> "openssl x509 -in /etc/pve/pve-root-ca.pem -noout -dates"
# Check services
ssh root@<host-ip> "systemctl status pveproxy pvedaemon"
# Test that the web interface responds (-k skips certificate verification)
curl -k -I https://<host-ip>:8006/
```
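
The `curl -k` test disables certificate verification, so it only confirms that `pveproxy` answers. As an added example (not part of this document's repository or its scripts), the check below runs on a host and confirms that the node certificate chains to the cluster CA and is not close to expiry. The node certificate path `/etc/pve/local/pve-ssl.pem`, the script name `check-pve-cert.sh`, the 30-day threshold, and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: verify the fix on a Proxmox host without disabling TLS checks.
# Assumption: standard PVE layout, node certificate at /etc/pve/local/pve-ssl.pem.
CA="${CA:-/etc/pve/pve-root-ca.pem}"
NODE_CERT="${NODE_CERT:-/etc/pve/local/pve-ssl.pem}"
MIN_DAYS="${MIN_DAYS:-30}"

# chain_ok CA CERT -> 0 if CERT verifies against CA, non-zero otherwise.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# not_expiring CERT DAYS -> 0 if CERT stays valid for at least DAYS more days.
not_expiring() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_node CA CERT DAYS -> prints one line per finding, returns 1 on any failure.
check_node() {
    local ca="$1" cert="$2" days="$3" rc=0
    if [ ! -r "$ca" ] || [ ! -r "$cert" ]; then
        echo "FAIL: cannot read $ca or $cert (run on the host, not in a container)"
        return 1
    fi
    if chain_ok "$ca" "$cert"; then
        echo "OK:   $cert chains to $ca"
    else
        echo "FAIL: $cert does not chain to $ca"
        rc=1
    fi
    if not_expiring "$cert" "$days"; then
        echo "OK:   $cert valid for at least $days more days"
    else
        echo "FAIL: $cert expires within $days days (or is already expired)"
        rc=1
    fi
    return "$rc"
}

# Run only when asked, e.g.:  bash check-pve-cert.sh --check   (hypothetical file name)
if [ "${1:-}" = "--check" ]; then
    check_node "$CA" "$NODE_CERT" "$MIN_DAYS"
    exit $?
fi
```

From a workstation holding a copy of the CA file, `curl --cacert pve-root-ca.pem -I https://<host-ip>:8006/` performs the same chain check over the network; it succeeds only if the address used is listed in the certificate's subject alternative names.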
---
## After Fixing All Hosts
1. **Clear browser cache and cookies**
2. **Access Proxmox UI:** `https://<host-ip>:8006`
3. **Accept certificate warning** if prompted (first time only)
---
## Quick Reference
**All Proxmox Host Nodes:**
```bash
# Fix all hosts at once
for ip in 192.168.11.{10..14}; do
    echo "Fixing $ip..."
    ssh root@"$ip" "pvecm updatecerts -f && systemctl restart pveproxy pvedaemon"
done
```
**Or use the automated script:**
```bash
./scripts/fix-ssl-certificate-all-hosts.sh
```
---
**Last Updated:** 2026-01-27