# r630-02 SSL Error 596 Fix Guide

**Date**: 2026-01-06
**Error**: `error:0A000086:SSL routines::certificate verify failed (596)`
**Node**: r630-02 (192.168.11.12)
**Status**: ⚠️ **REQUIRES BROWSER CACHE CLEAR**

---

## Problem

The Proxmox VE GUI displays SSL certificate error 596 even after certificate regeneration. This is typically a **browser cache issue** where the browser has cached old certificate information.

---

## Root Cause

The SSL certificate error 596 can persist in the browser even after fixing server-side certificates because:

1. **Browser SSL Cache**: Browsers cache SSL certificate information
2. **Certificate Subject Mismatch**: Certificate may have old hostname (pve2.lan) instead of current (r630-02)
3. **Certificate Chain**: Browser may have cached incomplete certificate chain

---

## Server-Side Fixes Applied

### ✅ Fix 1: Certificate Regeneration

```bash
# Regenerated certificates on r630-02
pvecm updatecerts -f
systemctl restart pveproxy pvedaemon
```

### ✅ Fix 2: Certificate Chain Verification

- Certificate chain verified: ✅ OK
- Root CA certificate: ✅ Valid (expires 2035)
- Node certificate: ✅ Valid (expires 2027)

### ✅ Fix 3: Certificate Synchronization

- Certificates regenerated on all cluster nodes:
  - ✅ ml110 (192.168.11.10)
  - ✅ r630-01 (192.168.11.11)
  - ✅ r630-02 (192.168.11.12)

---

## Browser-Side Fix (REQUIRED)

**⚠️ CRITICAL**: You MUST clear your browser cache and cookies to resolve the SSL error 596.

### Chrome/Edge Browser

1. **Open Settings**:
   - Press `Ctrl+Shift+Delete` (Windows/Linux)
   - Or `Cmd+Shift+Delete` (Mac)

2. **Clear Browsing Data**:
   - Select "Cached images and files" ✅
   - Select "Cookies and other site data" ✅
   - Time range: **"All time"**
   - Click **"Clear data"**

3. **Alternative - Clear SSL State**:
   - Go to: `chrome://settings/clearBrowserData`
   - Advanced tab
   - Select "Cached images and files"
   - Select "Cookies and other site data"
   - Click "Clear data"

4. **Close and Reopen Browser**

### Firefox Browser

1. **Open Settings**:
   - Press `Ctrl+Shift+Delete` (Windows/Linux)
   - Or `Cmd+Shift+Delete` (Mac)

2. **Clear Data**:
   - Select "Cached Web Content" ✅
   - Select "Cookies" ✅
   - Time range: **"Everything"**
   - Click **"Clear Now"**

3. **Close and Reopen Browser**

### Alternative: Use Incognito/Private Mode

1. Open browser in **Incognito/Private mode**
2. Navigate to: `https://192.168.11.12:8006`
3. Accept certificate warning if prompted
4. This bypasses cached certificate information

---

## Verification Steps

### Step 1: Clear Browser Cache

Follow the browser-specific instructions above.

### Step 2: Access Proxmox UI

```
https://192.168.11.12:8006
```

### Step 3: Accept Certificate Warning (First Time)

- If you see a security warning, click **"Advanced"**
- Click **"Proceed to 192.168.11.12 (unsafe)"** or **"Accept the Risk and Continue"**
- This is normal for self-signed certificates in Proxmox

### Step 4: Verify No Error 596

- The GUI should load without SSL error 596
- You should see the Proxmox login page

---

## If Error Persists After Clearing Cache

### Option 1: Try Different Browser

- Use a different browser (Chrome, Firefox, Edge)
- Or use a browser you haven't used to access Proxmox before

### Option 2: Access via IP Address Directly

- Use: `https://192.168.11.12:8006`
- Avoid using hostname or FQDN

### Option 3: Check Browser Console

1. Open browser Developer Tools (F12)
2. Go to Console tab
3. Look for SSL/certificate errors
4. Check Network tab for failed requests

### Option 4: Verify Certificate in Browser

1. Click the lock icon in address bar
2. View certificate details
3. Check if certificate matches current date/time
4. Verify certificate chain is complete

### Option 5: Manual Certificate Import (Advanced)

If the above doesn't work, you can manually import the root CA certificate:

```bash
# Get the root CA certificate
ssh root@192.168.11.12 "cat /etc/pve/pve-root-ca.pem" > /tmp/pve-root-ca.pem

# Import into browser:
# Chrome: Settings → Privacy and security → Security → Manage certificates → Authorities → Import
# Firefox: Settings → Privacy & Security → Certificates → View Certificates → Authorities → Import
```

---

## Server-Side Verification

### Check Certificate Status

```bash
# SSH to r630-02
ssh root@192.168.11.12

# Check certificate dates
openssl x509 -in /etc/pve/pve-root-ca.pem -noout -dates
openssl x509 -in /etc/pve/local/pve-ssl.pem -noout -dates

# Verify certificate chain
openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/local/pve-ssl.pem

# Check services
systemctl status pveproxy pvedaemon
```

### Test Web Interface from Server

```bash
# Test locally
curl -k -I https://localhost:8006/

# Should return HTTP 200 or 401
```

---

## Certificate Information

**Root CA Certificate**:

- Valid from: Sep 2, 2025
- Valid until: Aug 31, 2035
- Status: ✅ Valid

**Node Certificate**:

- Valid from: Dec 22, 2025
- Valid until: Dec 22, 2027
- Status: ✅ Valid
- Subject: CN=pve2.lan (old hostname - this is normal for Proxmox)

**Note**: The certificate subject showing "pve2.lan" is expected in Proxmox clusters. The certificate is valid and will work once browser cache is cleared.

---

## Common Causes of Persistent Error 596

1. **Browser Cache Not Cleared**: Most common cause
2. **Browser Extension**: Some security extensions block self-signed certificates
3. **Corporate Proxy**: Corporate proxy may be intercepting SSL
4. **System Time Mismatch**: Browser's system time must match server time
5. **Multiple Browser Profiles**: Cache may be in a different profile

---

## Quick Fix Checklist

- [ ] Clear browser cache and cookies (REQUIRED)
- [ ] Close and reopen browser
- [ ] Try accessing via IP: `https://192.168.11.12:8006`
- [ ] Accept certificate warning if prompted
- [ ] Try incognito/private mode
- [ ] Try different browser
- [ ] Check browser console for errors
- [ ] Verify system time is correct

---

## Scripts Available

### Comprehensive SSL Fix Script

```bash
./scripts/fix-ssl-596-comprehensive.sh r630-02
```

### Standard SSL Fix Script

```bash
./scripts/fix-ssl-certificate-error-596.sh r630-02
```

---

## Summary

**Server-Side Status**: ✅ **FIXED**

- Certificates regenerated
- Services restarted
- Certificate chain verified
- All cluster nodes synchronized

**Browser-Side Action Required**: ⚠️ **CLEAR CACHE**

- You MUST clear browser cache and cookies
- This is the most common cause of persistent error 596
- After clearing cache, the error should disappear

---

**Last Updated**: 2026-01-06
**Status**: ⚠️ **REQUIRES BROWSER CACHE CLEAR**
**Next Step**: Clear browser cache and cookies, then access `https://192.168.11.12:8006`
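
The checks under Server-Side Verification can be combined with a test for root cause 2 (certificate subject mismatch): whether the node certificate actually covers each name or IP typed into the browser. The script below is an added example, not one of this repository's scripts; `check_node_cert` and `make_sample` are hypothetical names, the sample CA and node certificate are constructed, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example, not part of the original guide. Handles DNS names and IPv4.
# Real use on the node (paths from the guide):
#   check_node_cert /etc/pve/pve-root-ca.pem /etc/pve/local/pve-ssl.pem r630-02 192.168.11.12
# check_node_cert CA_PEM CERT_PEM NAME_OR_IP...
# Prints one OK/FAIL line per check; status 0 only if every check passes.
check_node_cert() (
    ca=$1; cert=$2; shift 2; rc=0
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "OK   chain verifies against $ca"
    else
        echo "FAIL chain does not verify against $ca"; rc=1
    fi
    # -checkend 0 exits non-zero when the certificate has already expired
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "OK   certificate has not expired"
    else
        echo "FAIL certificate has expired"; rc=1
    fi
    for name in "$@"; do
        # Digits and dots only: test IP SANs; anything else: test DNS names
        case $name in
            *[!0-9.]*) flag=-checkhost ;;
            *)         flag=-checkip ;;
        esac
        case $(openssl x509 -in "$cert" -noout "$flag" "$name" 2>/dev/null) in
            *"does match"*) echo "OK   certificate covers $name" ;;
            *)              echo "FAIL certificate does not cover $name"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ]
)

# Constructed sample: throwaway CA and a node certificate whose only name is
# the old hostname pve2.lan (no entry for r630-02 or 192.168.11.12).
make_sample() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Sample CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=pve2.lan" \
        -keyout "$d/node.key" -out "$d/node.csr" 2>/dev/null
    printf 'subjectAltName=DNS:pve2.lan\n' > "$d/san.ext"
    openssl x509 -req -in "$d/node.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -extfile "$d/san.ext" -out "$d/node.pem" 2>/dev/null
}

tmp=$(mktemp -d) && make_sample "$tmp"
check_node_cert "$tmp/ca.pem" "$tmp/node.pem" pve2.lan r630-02 192.168.11.12 || true
rm -rf "$tmp"
```

On the constructed sample the chain, expiry and `pve2.lan` checks pass while `r630-02` and `192.168.11.12` fail, so the function returns non-zero.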