signed SSL certificates

ods

Hi,
in Proxmox VE 2.* I just had to open the apache2 virtualhost and add my trusted certificates. In PVE 3.0 apache2 was replaced with pveproxy and I can't find the configuration files.
I know the SSL Key that is being used is located at /etc/pve/NODE/pve-ssl.key, but replacing something like this broke things in 2.0.
So what do I do with the SSL Key, the crt and the CA Chain files in PVE 3.0?
 
It seems there are no configuration files for pveproxy. All options are inside pveproxy itself. And as far as I can see it understands neither something like SSLCertificateChainFile, as Apache does, nor several certificates in one file, as nginx does. Looks like a missing feature to me.
 
I have the same problem ...
cannot find a configuration file.
How can I integrate a StartSSL certificate into pveproxy?
Thanks for the help
 
nano /usr/bin/pveproxy

ssl => {
    key_file  => '/etc/pve/local/pve-ssl.key',
    cert_file => '/etc/pve/local/pve-ssl.pem',
},
 
If you replace the pve certificates with your own, you will not be able to use the Java console, since these certificates are hardcoded into the Java plugin.
 
I have tried many times to do this in pve-2.x but never succeeded. If I changed the webserver's certificates, I was not able to start the Java console, since the applet loader refused to start the applet because the applet was signed with a different certificate than the certificate presented by the webserver.
 
Maybe, but then something else is wrong. The security policy in Java plugins changes repeatedly with every new catastrophic bug found, and if I remember correctly you are no longer allowed to run signed applets unless the webserver and applet certificate are identical. I have posted the error message to this list a couple of times, but I am willing to test once again with the new pveproxy. The only thing with pveproxy is that, since pveproxy does not support intermediate certificates, I doubt the result will be successful.
 
The idea is that you can overwrite the certificates (do not change the path).
If I just replace them, my browser will not show that I'm using a secure connection as long as I don't add the intermediate certificates.
 

Ok, I played around a little
It looks like it is enough to paste the intermediate crt directly under the server crt into the /etc/pve/local/pve-ssl.pem
Now I only have to test if the java applet is still working.
 
Yes, it worked for me. That's odd, but when the filename of the certificate bundle is different from /etc/pve/local/pve-ssl.pem, pveproxy doesn't respond at all, it just times out.
 
Update:
The following things will work:
1) replace the SSL crt files and the browser will show a secure connection
2) change the SSL paths in /usr/bin/pveproxy and the browser will show a secure connection
The following things won't work:
- The Java console applet won't work with either of the solutions above.

I reverted all of my changes and now pveproxy won't start again with this error:
pveproxy[3204]: /etc/pve/local/pve-ssl.pem: failed to use local certificate chain (cert_file or cert) at /usr/share/perl5/PVE/HTTPServer.pm line 1125
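The order found above (server certificate first, the intermediate directly below it, in /etc/pve/local/pve-ssl.pem) and the pairing of that first certificate with pve-ssl.key can both be checked with openssl before the file is put in place. The script below is an added example and is not code from this thread or from Proxmox: it generates a throwaway root, intermediate and server certificate (the "Example" CA names and pve.example.test are made up), assembles the bundle in that order, confirms that the first certificate matches the private key and that the chain verifies up to the root, and shows that a reversed bundle is rejected. The thread does not say what caused the "failed to use local certificate chain" error above; a mismatched key or a bundle in the wrong order are the two mistakes this check would catch before pveproxy is restarted.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from the Proxmox project.
# Builds a certificate bundle in the order the thread found pveproxy accepts
# (server certificate first, intermediate directly below it) and checks it
# with openssl before it is copied over /etc/pve/local/pve-ssl.pem.
# The PKI is a throwaway one generated here; "pve.example.test" and the
# "Example ..." CA names are made up.
set -e

# make_test_pki DIR: generate root CA -> intermediate CA -> server cert in DIR.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:pve.example.test\n' \
        > "$dir/server.ext"
    # root: self-signed
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 365 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    # intermediate: signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$dir/intermediate.key" -out "$dir/intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 365 -extfile "$dir/ca.ext" -out "$dir/intermediate.pem" 2>/dev/null
    # server: signed by the intermediate (this pair is what pve-ssl.key/pve-ssl.pem hold)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pve.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/intermediate.pem" -CAkey "$dir/intermediate.key" \
        -CAcreateserial -days 365 -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null
}

# build_bundle SERVER INTERMEDIATE OUT: server certificate first, then the intermediate.
build_bundle() {
    cat "$1" "$2" > "$3"
}

# cert_count FILE: number of PEM certificates in FILE.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# check_bundle BUNDLE KEY ROOT: return 0 if the first certificate in BUNDLE
# belongs to KEY and the bundle chains up to ROOT; otherwise say why and return 1.
check_bundle() {
    bundle=$1 key=$2 root=$3
    first=$(mktemp)
    # openssl x509 reads only the first certificate in the file; that is the
    # one a TLS server presents as its own and pairs with the private key
    if ! openssl x509 -in "$bundle" -out "$first" 2>/dev/null; then
        echo "$bundle: no certificate found" >&2
        rm -f "$first"; return 1
    fi
    cert_pub=$(openssl x509 -in "$first" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$bundle: first certificate does not match $key (wrong order or wrong cert?)" >&2
        rm -f "$first"; return 1
    fi
    # the remaining certificates in the bundle are untrusted intermediates;
    # the chain from the server certificate must still reach the trusted root
    if ! openssl verify -CAfile "$root" -untrusted "$bundle" "$first" >/dev/null 2>&1; then
        echo "$bundle: chain does not verify against $root" >&2
        rm -f "$first"; return 1
    fi
    rm -f "$first"
    return 0
}

# Stand-alone demo: the correctly ordered bundle passes, the reversed one is rejected.
demo=$(mktemp -d)
make_test_pki "$demo"
build_bundle "$demo/server.pem" "$demo/intermediate.pem" "$demo/pve-ssl.pem"
build_bundle "$demo/intermediate.pem" "$demo/server.pem" "$demo/reversed.pem"
for b in pve-ssl.pem reversed.pem; do
    if check_bundle "$demo/$b" "$demo/server.key" "$demo/root.pem"; then
        echo "$b: OK ($(cert_count "$demo/$b") certificates, server cert first)"
    else
        echo "$b: REJECTED"
    fi
done
rm -rf "$demo"
```

On a real node, run check_bundle against a copy of the new bundle and the new key with the CA's root certificate as the trust anchor before overwriting /etc/pve/local/pve-ssl.pem, and keep the original pve-ssl.key and pve-ssl.pem so a failed restart can be reverted.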

Properly implemented SSL is an absolutely essential feature. It's just unacceptable for me to accept a certificate that is not signed by a trusted party.
 
You might want to reconsider that. There's absolutely zero increased security in "professionally" signed certs over self-signed ones, especially with CAs being hacked left and right nowadays. It's actually the other way around, in that having a list of auto-trusted CAs in your (operating) system is actually a vulnerability and not a security feature anymore.
 

I wrote "trusted party". This does not necessarily have to be a professional CA.
I know the whole X.509 system isn't perfect, but in the end I prefer the list of preinstalled certificates over not knowing if the server is really who it says it is.

Even if I signed my own certificates, there's no way I know of to add them to Proxmox VE.
 

For that case you just need to replace the cluster key/cert (/etc/pve/priv/pve-root-ca.key and /etc/pve/pve-root-ca.pem).

The node certificates can then be issued by 'pvecm updatecerts --force'
 
I updated the certs to my purchased SSL certificate; while the interface now works with no self-signed errors, the Java applet doesn't work.

I also tried the instructions at http://pve.proxmox.com/wiki/HTTPSCertificateConfiguration for the /etc/pve certs, not just /etc/pve/local.

I'm getting the following error when trying to load the console Java applet after both attempts:

Code:
Error: TLS handshake failed javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: cert path too long
 
