Learn how to proceed if you get fingerprint issues after adding Let’s Encrypt ACME. Our Proxmox Support team is here to help you with your questions and concerns.
Fingerprint Issues After Adding Let’s Encrypt ACME | Resolved
If you plan to improve security and automate certificate management, integrating Let’s Encrypt (LE) ACME certificates with Proxmox Backup Server (PBS) is a smart move.
However, a common issue encountered during this process is a fingerprint mismatch. It typically surfaces as an SSL/TLS verification failure when a Proxmox VE (PVE) node connects to PBS after the new certificate has been installed: the certificate the server now presents no longer matches the fingerprint the client has pinned for it.
In this blog, we will explore the common causes of this issue and how to resolve them. Whether you’re running a standalone backup node or working with different Proxmox backup modes, having trusted SSL/TLS communication is essential for seamless operation.
An Overview:
Common Causes of Fingerprint Issues in PBS
- If the certificate the server presents no longer matches the fingerprint pinned for it, or the Let’s Encrypt certificate is not properly installed, PBS connections are rejected. We need to ensure that the full certificate chain (server, intermediate, and root certificates) is present and correctly configured.
- Let’s Encrypt certificates must include all intermediate certificates to validate the trust chain. If any intermediate link is missing, PBS may fail to verify the certificate, resulting in a fingerprint mismatch.
- Sometimes, after adding the new certificate, PBS may still point to the old configuration. This can happen due to misconfigured web servers (e.g., NGINX or Apache) or incorrect PBS settings. If you’re using Proxmox VE and accessing the web GUI via port 8006, certificate issues may also affect accessibility through that interface.
- Even after the certificate files have been updated, PBS services keep serving the previous certificate until they are restarted, which also produces fingerprint mismatch warnings.
- Additionally, if the Common Name (CN) in the certificate doesn’t match the domain or hostname used in the connection, fingerprint errors can appear. This mismatch can be caused by NAT, DNS issues, or misconfigured URLs.
How to Fix the Fingerprint Mismatch
If we are using a valid Let’s Encrypt certificate, or any certificate trusted by the PVE/PMG/PBS nodes, we can drop the pinned fingerprint entirely and let the client verify the certificate through its CA trust store instead. Here’s how:
- Before making any changes, back up the Proxmox storage configuration:
cp /etc/pve/storage.cfg /etc/pve/storage.cfg.bak
- Then, edit the `storage.cfg` file on any single node (since `/etc/pve` is cluster-aware, the change propagates to all nodes) and remove the `fingerprint` line from the PBS entry, so that it looks like this:
pbs: pbs01
	datastore datastore-name
	server pbs-server-address
	content backup
	encryption-key 1
	prune-backups keep-last=255
	username @pbs
When using a trusted certificate (such as Let’s Encrypt), there is no need to define a fingerprint, as the client will verify the certificate using the CA trust chain.
- Then, make sure the whole chain (root, intermediate, and server certificates) is correctly installed on the PBS. If we are installing the certificates manually, double-check the paths and file permissions, and ensure there are no typos or missing files.
- After updating the configuration, restart the PBS services so the new certificate is loaded. The `proxmox-backup-proxy` service is the one that serves the API and web interface over TLS, so it must be restarted; restarting the privileged `proxmox-backup` daemon alongside it is harmless:
systemctl restart proxmox-backup proxmox-backup-proxy
This ensures the new certificate is actually in use and that the old certificate is no longer being served from memory.
Additional Tips
- To verify which certificate PBS is currently using, along with its fingerprint, run on the PBS host:
proxmox-backup-manager cert info
- Check the server dashboard to confirm that the certificate is correctly installed and active.
- If we encounter hostname mismatch errors, ensure that the domain in the URL matches the Common Name (CN) or Subject Alternative Name (SAN) entries in the certificate.
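The edit to `storage.cfg` above is easy to get wrong by hand when the file holds several storages, and the "fingerprint" shown by `cert info` is only useful if we can compare it with what the client has pinned. The following script is an added example written for this post, not Proxmox’s own tooling: it removes the `fingerprint` line from one named `pbs:` section only, and fingerprints the certificate the PBS proxy is actually serving on port 8007 so the pinned and live values can be compared before anything is changed. The storage id `pbs01`, the hostname `pbs.example.invalid` and `SAMPLE_CFG` are constructed placeholders.

```python
#!/usr/bin/env python3
"""Check and remove a pinned PBS fingerprint in /etc/pve/storage.cfg. Example
code written for this post (not Proxmox's own tooling); storage id, hostname
and SAMPLE_CFG are constructed placeholders."""
import hashlib, ssl, sys
from pathlib import Path
CFG = Path("/etc/pve/storage.cfg")   # cluster-aware: edit on one node only

def strip_pin(cfg_text: str, storage_id: str):
    """Return (new_text, pinned). Only the 'pbs: <storage_id>' section loses
    its fingerprint line; every other section is copied through unchanged."""
    out, pinned, in_target = [], None, False
    for line in cfg_text.splitlines():
        if line and not line[0].isspace():            # header, e.g. "pbs: pbs01"
            typ, _, sid = line.partition(":")
            in_target = (typ.strip(), sid.strip()) == ("pbs", storage_id)
        elif in_target and line.split(None, 1)[:1] == ["fingerprint"]:
            pinned = line.split(None, 1)[1].strip()
            continue                                   # drop the pinned value
        out.append(line)
    return "\n".join(out) + "\n", pinned

def pbs_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of a DER cert as colon-separated upper-case hex, the form PBS prints."""
    hexd = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def live_fingerprint(host: str, port: int = 8007) -> str:
    """Fingerprint of the leaf certificate the PBS proxy presents right now
    (fetched without chain verification so a broken chain still yields the leaf)."""
    return pbs_fingerprint(ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port))))

SAMPLE_CFG = """dir: local
\tpath /var/lib/vz

pbs: pbs01
\tdatastore datastore-name
\tserver pbs.example.invalid
\tfingerprint AA:BB:CC:(constructed-placeholder)
\tusername backup@pbs
"""

if __name__ == "__main__":    # usage: fix_pin.py pbs01 pbs.example.invalid [--fix]
    storage_id, host = sys.argv[1], sys.argv[2]
    text = CFG.read_text()
    new_text, pinned = strip_pin(text, storage_id)
    live = live_fingerprint(host)
    print(f"pinned: {pinned}\nlive:   {live}")
    if pinned and pinned != live and "--fix" in sys.argv:
        Path(str(CFG) + ".bak").write_text(text)   # same backup step as above
        CFG.write_text(new_text)                     # PVE now verifies via the CA chain
```

Without `--fix` the script only reports both fingerprints; a pinned value that differs from the live one confirms the mismatch comes from the renewed certificate rather than from a broken chain or hostname problem.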
For those customizing Proxmox further, such as enabling nested virtualization or adjusting container disk sizes, it’s equally important to ensure all security configurations are properly aligned to avoid downtime or access issues.
Conclusion
By understanding the root causes of fingerprint mismatches and applying the fixes outlined above, we can avoid the error and keep PVE-to-PBS communication verified through the Let’s Encrypt trust chain.
In brief, our Support Experts demonstrated how to proceed if you get fingerprint issues after adding Let’s Encrypt ACME.