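#!/bin/bash
# Fix Proxmox SSL Certificate Error 596
# Error: error:0A000086:SSL routines::certificate verify failed (596)
#
# Usage: ./scripts/fix-ssl-certificate-error-596.sh [node_name|node_ip|all]
#
# Environment:
#   SSH_HOST_KEY_POLICY  Value passed to ssh's StrictHostKeyChecking option
#                        (default: accept-new). Host-key checking used to be
#                        disabled outright ("no"); set the variable to "no"
#                        only if that behaviour is really required.
#
# Exit status: 0 when every targeted node was fixed, 1 otherwise.

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck disable=SC2034 — not referenced in this script; kept as is.
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"

# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

# printf with %s prints the message verbatim, so backslashes in a message
# are never interpreted as escape sequences (echo -e would interpret them).
log_info() { printf '%b[INFO]%b %s\n' "$BLUE" "$NC" "$1"; }
log_success() { printf '%b[✓]%b %s\n' "$GREEN" "$NC" "$1"; }
log_warn() { printf '%b[⚠]%b %s\n' "$YELLOW" "$NC" "$1"; }
log_error() { printf '%b[✗]%b %s\n' "$RED" "$NC" "$1"; }

# This script runs commands as root on every node, so the identity of the
# remote host matters. With StrictHostKeyChecking=no any host answering on the
# node's address is trusted. "accept-new" (OpenSSH 7.6+) still records unknown
# hosts on first contact but refuses a host whose recorded key has changed.
SSH_HOST_KEY_POLICY="${SSH_HOST_KEY_POLICY:-accept-new}"

# Proxmox cluster nodes
declare -A NODES
NODES[ml110]="192.168.11.10"
NODES[r630-01]="192.168.11.11"
NODES[r630-02]="192.168.11.12"
NODES[r630-03]="192.168.11.13"
NODES[r630-04]="192.168.11.14"

#######################################
# Check whether a string is a dotted-quad IPv4 address with octets 0-255.
# Arguments: $1 - candidate string
# Returns:   0 if valid, 1 otherwise
#######################################
is_ipv4() {
  local candidate="$1" octet
  local -a octets=()
  [[ "$candidate" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] || return 1
  IFS=. read -r -a octets <<<"$candidate"
  for octet in "${octets[@]}"; do
    # 10# forces base 10 so an octet such as "08" is not parsed as octal.
    ((10#$octet <= 255)) || return 1
  done
  return 0
}

#######################################
# Fetch the HTTP status code of a URL.
# -k disables certificate verification: this probe only shows that pveproxy
# answers; it does NOT show that clients can now validate the certificate.
# Arguments: $1 - URL
# Outputs:   three-digit status code on stdout ("000" if the request failed)
#######################################
probe_http_code() {
  local url="$1" code
  # curl itself prints 000 on failure, so the fallback must replace the
  # captured value rather than be appended to it (which yielded "000000").
  code=$(curl -k -s -o /dev/null -w "%{http_code}" --connect-timeout 5 "$url" 2>/dev/null) || code="000"
  printf '%s\n' "$code"
}

#######################################
# Regenerate the Proxmox certificates on one node over SSH and restart the
# API services.
# Globals:   SSH_HOST_KEY_POLICY (read)
# Arguments: $1 - node IP address
#            $2 - display name (defaults to the IP address)
# Outputs:   progress messages on stdout
# Returns:   0 on success; 1 if the node is unreachable, key-based SSH is
#            unavailable, or the remote fix failed
#######################################
fix_node() {
  local node_ip="$1"
  local node_name="${2:-$node_ip}"
  local http_code
  local rc=0
  # Built as an array so every option reaches ssh as exactly one word.
  # BatchMode=yes keeps ssh from prompting in the middle of an unattended run.
  local -a ssh_cmd=(
    ssh
    -o ConnectTimeout=5
    -o "StrictHostKeyChecking=${SSH_HOST_KEY_POLICY}"
    -o BatchMode=yes
    "root@${node_ip}"
  )

  log_info "=== Fixing SSL certificates on ${node_name} (${node_ip}) ==="
  echo ""

  # Test connectivity
  if ! ping -c 2 -W 2 "$node_ip" >/dev/null 2>&1; then
    log_error "Node ${node_ip} is NOT reachable"
    return 1
  fi

  log_info "Connecting to ${node_ip}..."
  echo ""

  # Check if we can SSH without password (key-based auth). stdin is detached
  # so the probe cannot swallow input meant for the rest of the script.
  if "${ssh_cmd[@]}" "echo 'Connected'" </dev/null >/dev/null 2>&1; then
    log_info "Using SSH key authentication"
  else
    log_warn "SSH key authentication not available (or host key verification failed)"
    log_info "You will need to run the commands manually on the node:"
    echo ""
    echo "SSH to the node:"
    echo " ssh root@${node_ip}"
    echo ""
    echo "Then run:"
    echo " pvecm updatecerts -f"
    echo " systemctl restart pveproxy pvedaemon"
    echo ""
    return 1
  fi

  log_info "Executing SSL certificate fix..."
  echo ""

  # The status is captured with "|| rc=$?" because under `set -e` a plain
  # failing command would abort the script before the failure is reported.
  # The quoted delimiter sends the body to the node without local expansion.
  "${ssh_cmd[@]}" bash <<'ENDSSH' || rc=$?
set -e

# NOTE(review): steps 1 and 5 inspect the cluster root CA file; confirm that
# this is the certificate whose dates should change after `updatecerts -f`.
echo "=== Step 1: Checking current certificate status ==="
if [ -f /etc/pve/pve-root-ca.pem ]; then
  echo "Current certificate dates:"
  openssl x509 -in /etc/pve/pve-root-ca.pem -noout -dates 2>/dev/null || echo "Could not read certificate dates"
else
  echo "Certificate file not found (may be normal)"
fi
echo ""

echo "=== Step 2: Regenerating SSL certificates ==="
if command -v pvecm >/dev/null 2>&1; then
  pvecm updatecerts -f
  echo "✓ Certificates regenerated"
else
  echo "ERROR: pvecm command not found"
  exit 1
fi
echo ""

echo "=== Step 3: Restarting Proxmox services ==="
systemctl restart pveproxy pvedaemon
sleep 2
echo "✓ Services restarted"
echo ""

echo "=== Step 4: Verifying services are running ==="
if systemctl is-active --quiet pveproxy && systemctl is-active --quiet pvedaemon; then
  echo "✓ pveproxy: active"
  echo "✓ pvedaemon: active"
else
  echo "⚠ Some services may not be running properly"
  systemctl status pveproxy --no-pager -l | head -5 || true
  systemctl status pvedaemon --no-pager -l | head -5 || true
fi
echo ""

echo "=== Step 5: Verifying new certificate ==="
if [ -f /etc/pve/pve-root-ca.pem ]; then
  echo "New certificate dates:"
  openssl x509 -in /etc/pve/pve-root-ca.pem -noout -dates 2>/dev/null || echo "Could not read certificate dates"
fi
echo ""

echo "=== Step 6: Testing web interface ==="
# -k skips certificate verification: this is a liveness check only.
# A single request is enough; curl prints 000 itself when it cannot connect.
if HTTP_CODE=$(curl -k -s -o /dev/null -w "%{http_code}" https://localhost:8006/ 2>/dev/null); then
  if [ "$HTTP_CODE" = "200" ] || [ "$HTTP_CODE" = "401" ] || [ "$HTTP_CODE" = "302" ]; then
    echo "✓ Web interface is responding (HTTP $HTTP_CODE)"
  else
    echo "⚠ Web interface returned HTTP $HTTP_CODE"
  fi
else
  echo "⚠ Could not test web interface"
fi
echo ""
ENDSSH

  if ((rc != 0)); then
    log_error "SSL certificate fix failed for ${node_name}"
    return 1
  fi

  log_success "SSL certificate fix completed for ${node_name}"

  # Test from remote
  log_info "Testing web interface from remote..."
  sleep 2
  http_code=$(probe_http_code "https://${node_ip}:8006/")
  case "$http_code" in
    200 | 401 | 302)
      log_success "Web interface is accessible at https://${node_ip}:8006"
      ;;
    *)
      log_warn "Web interface test returned HTTP $http_code"
      log_info "You may need to clear your browser cache and cookies"
      ;;
  esac

  echo ""
  echo "----------------------------------------"
  echo ""
}

#######################################
# Resolve the requested target and run the fix.
# Globals:   NODES (read)
# Arguments: $1 - node name, node IP address, or "all" (default: all)
# Returns:   0 if every targeted node was fixed; exits 1 otherwise
#######################################
main() {
  local target="${1:-all}"
  local node_name node_ip
  local -a failed=()

  if [[ "$target" == "all" ]]; then
    log_info "Fixing SSL certificates on all Proxmox nodes..."
    echo ""

    for node_name in "${!NODES[@]}"; do
      node_ip="${NODES[$node_name]}"
      if ! fix_node "$node_ip" "$node_name"; then
        log_warn "Failed to fix ${node_name}, continuing..."
        failed+=("$node_name")
      fi
    done

    # Report what actually happened instead of unconditional success.
    if ((${#failed[@]} > 0)); then
      log_warn "Fix attempts complete; ${#failed[@]} node(s) failed: ${failed[*]}"
    else
      log_success "All fix attempts complete!"
    fi
    echo ""
    log_info "Next steps:"
    log_info " 1. Clear browser cache and cookies"
    log_info " 2. Access Proxmox UI: https://<node-ip>:8006"
    log_info " 3. Accept certificate warning if prompted (first time only)"

    if ((${#failed[@]} > 0)); then
      exit 1
    fi
  elif [[ -n "${NODES[$target]:-}" ]]; then
    # Target is a node name
    fix_node "${NODES[$target]}" "$target"
  elif is_ipv4 "$target"; then
    # Target is an IP address
    fix_node "$target" "$target"
  else
    log_error "Invalid target: $target"
    echo ""
    echo "Usage: $0 [node_name|node_ip|all]"
    echo ""
    echo "Available nodes:"
    for node_name in "${!NODES[@]}"; do
      echo " - $node_name (${NODES[$node_name]})"
    done
    echo " - all (fix all nodes)"
    exit 1
  fi
}

main "$@"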