Virtual PTP hardware clock on KVM guests

Written at evening time in English • Tags: , ,

Using a virtual PTP hardware clock with the ptp_kvm driver and chrony is an easy solution for keeping time on guest machines synchronized to their host. Ideally the host is already keeping accurate time by tracking a set of NTP servers, but it is still probably a good idea to still add some network NTP peers on guests as well. (more…)

I’ve been switching my NetBSD machines to using a serial console lately, as it is easier to copy output from it (no more screen shots). (more…) (2)
The Proxmox wiki has instructions for importing the CA certificate. Instead of following the OS X instructions to the letter and importing the host certificate of each cluster node, just import the pve-root-ca.pem file in Keychain Access (File > Import Items), then open the item and mark it trusted (e.g. Always trust).

Regenerating Proxmox certificates

Written early in the afternoon in English • Tags: ,

The new requirements for trusted certificates on macOS Catalina and iOS 13 blocked me from accessing the web UI on Proxmox installations (NET::ERR_CERT_REVOKED). Fresh installations would work, as Proxmox has been updated to generate “better” certificates. Existing installations, unfortunately, are not automatically fixed on upgrading to Proxmox 6.

Certificate management on Proxmox is handled with pvenode(1) — except when it isn’t. There is no functionality there for regenerating the self-signed certificates. An older wiki page for HTTPS certificate configuration provided some useful hints: pvecm(1) has an updatecerts command. It won’t, however, regenerate existing (unexpired) certificates.

Against the warnings on the Certificate mangement page I thought I’d try removing the apparently relevant files manually:

cd /etc/pve
rm pve-root-ca.pem priv/pve-root-ca.key nodes/*/pve-ssl.{key,pem}

Then I regenerated the certificates and restarted pveproxy(8) on each node:

pvecm updatecerts --force
systemctl restart pveproxy

Refreshing the page in the browser restores access to the web UI.