# How to Fix SSL Certificate Error 596 on Each Proxmox Host **Error:** `error:0A000086:SSL routines::certificate verify failed (596)` --- ## Important: Host vs Container Commands ⚠️ **These commands must be run on Proxmox HOST nodes, NOT inside containers.** - `pvecm updatecerts -f` - Proxmox host command (not available in containers) - `systemctl restart pveproxy pvedaemon` - Proxmox host services (not in containers) --- ## Method 1: Automated Script (Recommended) Run the fix on all Proxmox host nodes automatically: ```bash cd /home/intlc/projects/proxmox ./scripts/fix-ssl-certificate-all-hosts.sh ``` This will: 1. Connect to each Proxmox host node 2. Run `pvecm updatecerts -f` on each host 3. Restart `pveproxy` and `pvedaemon` services on each host 4. Verify services are running --- ## Method 2: Manual Fix - One Host at a Time ### For Each Proxmox Host Node: **Proxmox Host Nodes:** - ml110: 192.168.11.10 - r630-01: 192.168.11.11 - r630-02: 192.168.11.12 - r630-03: 192.168.11.13 - r630-04: 192.168.11.14 **Commands to run on EACH host:** ```bash # SSH to the Proxmox host (NOT a container) ssh root@ # Once on the host, run: pvecm updatecerts -f systemctl restart pveproxy pvedaemon # Verify services are running systemctl status pveproxy pvedaemon ``` **Example for ml110:** ```bash ssh root@192.168.11.10 pvecm updatecerts -f systemctl restart pveproxy pvedaemon systemctl status pveproxy pvedaemon exit ``` **Example for r630-01:** ```bash ssh root@192.168.11.11 pvecm updatecerts -f systemctl restart pveproxy pvedaemon systemctl status pveproxy pvedaemon exit ``` --- ## Method 3: Loop Through All Hosts Run the fix on all hosts in a loop: ```bash # List of Proxmox host IPs HOSTS=( "192.168.11.10" # ml110 "192.168.11.11" # r630-01 "192.168.11.12" # r630-02 "192.168.11.13" # r630-03 "192.168.11.14" # r630-04 ) # Fix each host for HOST_IP in "${HOSTS[@]}"; do echo "=== Fixing $HOST_IP ===" ssh root@"$HOST_IP" " pvecm updatecerts -f systemctl restart pveproxy pvedaemon systemctl status pveproxy pvedaemon --no-pager | head -5 " echo "" done ``` --- ## Method 4: Using pvesh (Proxmox API) If you have API access configured: ```bash # For each host, SSH and run: ssh root@ "pvecm updatecerts -f && systemctl restart pveproxy pvedaemon" ``` --- ## What NOT to Do ❌ **Don't run these commands inside containers:** ```bash # WRONG - This won't work in a container pct exec 100 -- pvecm updatecerts -f # ❌ pvecm doesn't exist in containers pct exec 100 -- systemctl restart pveproxy # ❌ These services don't exist in containers ``` ✅ **Do run these commands on the Proxmox HOST:** ```bash # CORRECT - Run on the host itself ssh root@192.168.11.10 pvecm updatecerts -f systemctl restart pveproxy pvedaemon ``` --- ## Verification After fixing, verify on each host: ```bash # Check certificate ssh root@ "openssl x509 -in /etc/pve/pve-root-ca.pem -noout -dates" # Check services ssh root@ "systemctl status pveproxy pvedaemon" # Test web interface curl -k -I https://:8006/ ``` --- ## After Fixing All Hosts 1. **Clear browser cache and cookies** 2. **Access Proxmox UI:** `https://:8006` 3. **Accept certificate warning** if prompted (first time only) --- ## Quick Reference **All Proxmox Host Nodes:** ```bash # Fix all hosts at once for ip in 192.168.11.{10..14}; do echo "Fixing $ip..." ssh root@"$ip" "pvecm updatecerts -f && systemctl restart pveproxy pvedaemon" done ``` **Or use the automated script:** ```bash ./scripts/fix-ssl-certificate-all-hosts.sh ``` --- **Last Updated:** 2026-01-27