d-bis/proxmox
4
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
main
proxmox/reports/R630_02_SSL_596_FIX_GUIDE.md
defiQUG fbda1b4beb
Some checks failed
Deploy to Phoenix / deploy (push) Has been cancelled
Details
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates 
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00

6.6 KiB
Raw Permalink Blame History

r630-02 SSL Error 596 Fix Guide

Date: 2026-01-06
Error: error:0A000086:SSL routines::certificate verify failed (596)
Node: r630-02 (192.168.11.12)
Status: ⚠️ REQUIRES BROWSER CACHE CLEAR

Problem

The Proxmox VE GUI displays SSL certificate error 596 even after certificate regeneration. This is typically a browser cache issue where the browser has cached old certificate information.

Root Cause

The SSL certificate error 596 can persist in the browser even after fixing server-side certificates because:

  1. Browser SSL Cache: Browsers cache SSL certificate information
  2. Certificate Subject Mismatch: Certificate may have old hostname (pve2.lan) instead of current (r630-02)
  3. Certificate Chain: Browser may have cached incomplete certificate chain

Server-Side Fixes Applied

Fix 1: Certificate Regeneration

# Regenerated certificates on r630-02
pvecm updatecerts -f
systemctl restart pveproxy pvedaemon

Fix 2: Certificate Chain Verification

  • Certificate chain verified: OK
  • Root CA certificate: Valid (expires 2035)
  • Node certificate: Valid (expires 2027)

Fix 3: Certificate Synchronization

  • Certificates regenerated on all cluster nodes:
    • ml110 (192.168.11.10)
    • r630-01 (192.168.11.11)
    • r630-02 (192.168.11.12)

Browser-Side Fix (REQUIRED)

⚠️ CRITICAL: You MUST clear your browser cache and cookies to resolve the SSL error 596.

Chrome/Edge Browser

  1. Open Settings:

    • Press Ctrl+Shift+Delete (Windows/Linux)
    • Or Cmd+Shift+Delete (Mac)

  2. Clear Browsing Data:

    • Select "Cached images and files"
    • Select "Cookies and other site data"
    • Time range: "All time"
    • Click "Clear data"

  3. Alternative - Clear SSL State:

    • Go to: chrome://settings/clearBrowserData
    • Advanced tab
    • Select "Cached images and files"
    • Select "Cookies and other site data"
    • Click "Clear data"

  4. Close and Reopen Browser

Firefox Browser

  1. Open Settings:

    • Press Ctrl+Shift+Delete (Windows/Linux)
    • Or Cmd+Shift+Delete (Mac)

  2. Clear Data:

    • Select "Cached Web Content"
    • Select "Cookies"
    • Time range: "Everything"
    • Click "Clear Now"

  3. Close and Reopen Browser

Alternative: Use Incognito/Private Mode

  1. Open browser in Incognito/Private mode
  2. Navigate to: https://192.168.11.12:8006
  3. Accept certificate warning if prompted
  4. This bypasses cached certificate information

Verification Steps

Step 1: Clear Browser Cache

Follow the browser-specific instructions above.

Step 2: Access Proxmox UI

https://192.168.11.12:8006

Step 3: Accept Certificate Warning (First Time)

  • If you see a security warning, click "Advanced"
  • Click "Proceed to 192.168.11.12 (unsafe)" or "Accept the Risk and Continue"
  • This is normal for self-signed certificates in Proxmox

Step 4: Verify No Error 596

  • The GUI should load without SSL error 596
  • You should see the Proxmox login page

If Error Persists After Clearing Cache

Option 1: Try Different Browser

  • Use a different browser (Chrome, Firefox, Edge)
  • Or use a browser you haven't used to access Proxmox before

Option 2: Access via IP Address Directly

  • Use: https://192.168.11.12:8006
  • Avoid using hostname or FQDN

Option 3: Check Browser Console

  1. Open browser Developer Tools (F12)
  2. Go to Console tab
  3. Look for SSL/certificate errors
  4. Check Network tab for failed requests

Option 4: Verify Certificate in Browser

  1. Click the lock icon in address bar
  2. View certificate details
  3. Check if certificate matches current date/time
  4. Verify certificate chain is complete

Option 5: Manual Certificate Import (Advanced)

If the above doesn't work, you can manually import the root CA certificate:

# Get the root CA certificate
ssh root@192.168.11.12 "cat /etc/pve/pve-root-ca.pem" > /tmp/pve-root-ca.pem

# Import into browser:
# Chrome: Settings → Privacy and security → Security → Manage certificates → Authorities → Import
# Firefox: Settings → Privacy & Security → Certificates → View Certificates → Authorities → Import

Server-Side Verification

Check Certificate Status

# SSH to r630-02
ssh root@192.168.11.12

# Check certificate dates
openssl x509 -in /etc/pve/pve-root-ca.pem -noout -dates
openssl x509 -in /etc/pve/local/pve-ssl.pem -noout -dates

# Verify certificate chain
openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/local/pve-ssl.pem

# Check services
systemctl status pveproxy pvedaemon

Test Web Interface from Server

# Test locally
curl -k -I https://localhost:8006/

# Should return HTTP 200 or 401

Certificate Information

Root CA Certificate:

  • Valid from: Sep 2, 2025
  • Valid until: Aug 31, 2035
  • Status: Valid

Node Certificate:

  • Valid from: Dec 22, 2025
  • Valid until: Dec 22, 2027
  • Status: Valid
  • Subject: CN=pve2.lan (old hostname - this is normal for Proxmox)

Note: The certificate subject showing "pve2.lan" is expected in Proxmox clusters. The certificate is valid and will work once browser cache is cleared.

Common Causes of Persistent Error 596

  1. Browser Cache Not Cleared: Most common cause
  2. Browser Extension: Some security extensions block self-signed certificates
  3. Corporate Proxy: Corporate proxy may be intercepting SSL
  4. System Time Mismatch: Browser's system time must match server time
  5. Multiple Browser Profiles: Cache may be in a different profile

Quick Fix Checklist

  • Clear browser cache and cookies (REQUIRED)
  • Close and reopen browser
  • Try accessing via IP: https://192.168.11.12:8006
  • Accept certificate warning if prompted
  • Try incognito/private mode
  • Try different browser
  • Check browser console for errors
  • Verify system time is correct

Scripts Available

Comprehensive SSL Fix Script

./scripts/fix-ssl-596-comprehensive.sh r630-02

Standard SSL Fix Script

./scripts/fix-ssl-certificate-error-596.sh r630-02

Summary

Server-Side Status: FIXED

  • Certificates regenerated
  • Services restarted
  • Certificate chain verified
  • All cluster nodes synchronized

Browser-Side Action Required: ⚠️ CLEAR CACHE

  • You MUST clear browser cache and cookies
  • This is the most common cause of persistent error 596
  • After clearing cache, the error should disappear

Last Updated: 2026-01-06
Status: ⚠️ REQUIRES BROWSER CACHE CLEAR
Next Step: Clear browser cache and cookies, then access https://192.168.11.12:8006

Reference in New Issue View Git Blame Copy Permalink