• Hosting Flash Sale: Starting at $0.43/mo for a limited time
Client Area
Client Area

Virtualizor VM Migration Failed – The Real Problem We Faced and the Fix That Finally Worked

While migrating a VPS between nodes in Virtualizor, we ran into a problem that at first looked very simple, but ended up taking a lot of time to understand.

The migration kept failing with an SSH error, even though everything seemed to be configured correctly. After trying every common fix and even following Virtualizor’s official recommendations, the issue still didn’t go away.

In this post, I want to share what actually went wrong and what finally fixed it, so others don’t have to waste the same amount of time.

The Problem

We were trying to migrate a VPS from one node to another using Virtualizor. Every time we started the migration, Virtualizor showed an error like:

SSH connection failed to destination server on port 22

At first, this looked like a normal SSH issue.

What We Checked First (All the Usual Things)

Naturally, we started with the basics:

  • SSH port was correct

  • We could log in via SSH using a password

  • Root login was enabled

  • SSH keys were regenerated multiple times

  • Permissions on .ssh and authorized_keys were correct

  • SELinux was disabled

  • Crypto policies were checked

  • Virtualizor database SSH keys were cleaned

Even manual SSH tests were confusing — sometimes SSH worked, sometimes it failed.

Nothing solved the issue permanently.

The Strange Error That Changed Everything

While testing SSH from the source node to the destination node using the same key Virtualizor uses, we kept seeing this message:

identity_sign: private key contents do not match public

This was very confusing because:

  • The public and private key fingerprints matched

  • The correct key was present in authorized_keys

  • Permissions were perfect

Yet SSH still refused key-based authentication and fell back to password login.

Virtualizor cannot use password fallback — so migration always failed.

The Real Root Cause (Important)

After deep investigation, we discovered the real issue:

RSA SSH keys do not work reliably with OpenSSL FIPS mode on some systems

Our environment was using:

  • OpenSSH 8.x

  • OpenSSL 1.1.1 with FIPS enabled

  • RSA SSH keys

This combination has a known cryptographic bug.
Even when the keys are correct, OpenSSL FIPS refuses to sign RSA keys properly, which causes SSH to fail with misleading errors.

This is not a misconfiguration — it’s a compatibility issue.

The Solution That Finally Worked 🙁

Instead of fighting RSA and FIPS, we switched to ED25519 SSH keys.

ED25519:

  • Does not use the problematic RSA signing path

  • Works perfectly with FIPS

  • Is faster and more secure

  • Is fully supported by Virtualizor

As soon as we switched, everything worked.

How We Fixed It (Step-by-Step)

1. Generate ED25519 key on the Source Server

rm -f /var/virtualizor/ssh-keys/id_*
ssh-keygen -t ed25519 -f /var/virtualizor/ssh-keys/id_ed25519 -N ""

2. Copy the key to the Destination Server

ssh-copy-id -i /var/virtualizor/ssh-keys/id_ed25519.pub root@DESTINATION_IP

3. Test SSH without password (this is important)

ssh -o PasswordAuthentication=no \
-i /var/virtualizor/ssh-keys/id_ed25519 \
root@DESTINATION_IP

If this logs in without asking for a password, SSH is fixed.

4. Restart Virtualizor Services

systemctl restart virtualizor
systemctl restart virtnetwork

After this, VM migration worked immediately.

Final Result

  • SSH key authentication started working properly

  • Virtualizor migration completed successfully

  • No need to disable FIPS mode

  • No need to weaken system security

The issue was not Virtualizor itself — it was RSA + FIPS + OpenSSH.

Tags:

Leave a Reply