Regenerate Certificates after hostname change

When you change the hostname of a Proxmox node (updating /etc/hostname and /etc/hosts) you must regenerate the SSL certificates used by the web UI and API. The following steps will force Proxmox to create new certificates based on the new hostname.

Step‑by‑step procedure

   # Edit /etc/hostname and set the new hostname, e.g.  newnode01
   # Edit /etc/hosts and ensure the new hostname resolves to 127.0.0.1

1. Update the hostname files

   pvecm updatecerts --force

1. Force Proxmox to regenerate its certificates

   systemctl restart pveproxy
   systemctl restart pvedaemon

1. Restart the required services

1. Verify the new certificate

     openssl s_client -connect newhost:8006 -servername newhost </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer

• Open the web UI (https://newhostname:8006) and confirm you can log in without a certificate warning.
• Alternatively, check the certificate details with:

Common pitfalls

• Missing entry in /etc/hosts – The hostname must resolve locally; otherwise the certificate generation will still use the old name.
• Stale services – If you skip the systemctl restart commands, the old certificates may remain cached.
• Cluster nodes – On a multi‑node cluster you should run the same commands on every node, then restart the cluster services (pve-cluster).

What to check next

• Ensure the new hostname is correctly set in both /etc/hostname and /etc/hosts.
• Confirm that no other services (e.g., pve-ha-cron) are still using the old hostname by checking their configuration files.

Following these steps will give you a clean, newly‑issued SSL certificate that matches your updated hostname.