signed SSL certificates

[mir]

I just did the check:
[h=3]The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following StartCom's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.[/h]The specific instructions: https://www.startssl.com/?app=42

 

[mir]

Hitting any other of my servers correctly using the intermediate certificate:

[h=3]The hostname (datanom.net) is correctly listed in the certificate.[/h]

	Common name: *.datanom.net SANs: *.datanom.net, datanom.net Organization: Michael Rasmussen Location: Kastrup, Kobenhavn, DK Valid from January 20, 2013 to January 21, 2015 Serial Number: 77302 (0x12df6) Signature Algorithm: sha1WithRSAEncryption Issuer: StartCom Class 2 Primary Intermediate Server CA
	Common name: StartCom Class 2 Primary Intermediate Server CA Organization: StartCom Ltd. Location: IL Valid from October 24, 2007 to October 24, 2017 Serial Number: 26 (0x1a) Signature Algorithm: sha1WithRSAEncryption Issuer: StartCom Certification Authority

 

[dietmar]

the problem seems to be that pveproxy is not using this for https connections

pveproxy uses the node certificate (/etc/pve/local/pve-ssl.pem).

 

[dietmar]

I just did the check:
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following StartCom's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.

The specific instructions: https://www.startssl.com/?app=42

Does it work if you 'cp sub.class1.server.ca.pem /etc/pve/pve-root-ca.pem'? I assume the startssl root ca is already trusted in your browser?

 

[mir]

pveproxy uses the node certificate (/etc/pve/local/pve-ssl.pem).

1) cat my.pem sub.class2.server.ca.pem > pve-ssl.pem
2) cp pve-ssl.pem /etc/pve/local/
3) service pveproxy restart
4) service pvedaemon restart

result:


Conclusion:
Code:
+ if (certs == null || certs.length > 1) {
+ throw new CertificateException("cert path too long");
+ }
We hit this bug.

 

[dietmar]

1) cat my.pem sub.class2.server.ca.pem > pve-ssl.pem

Again, the system does not expect a subclass there. But I am sure it is not particularly hard to implement that (if you need it).

 

[mir]

startssl root is trusted in any browser so this is not the issue.

Copy subclass1 produces error as expected. I must be subclass2.
subclass2 works with browser and java console but fails ssl checker:

[h=3]The hostname (datanom.net) is correctly listed in the certificate.[/h]
	[h=3]The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following StartCom's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.[/h]

	Common name: *.datanom.net SANs: *.datanom.net, datanom.net Organization: Michael Rasmussen Location: Kastrup, Kobenhavn, DK Valid from January 20, 2013 to January 21, 2015 Serial Number: 77302 (0x12df6) Signature Algorithm: sha1WithRSAEncryption Issuer: StartCom Class 2 Primary Intermediate Server CA

You ned a pve-ssl.pem consisting of your certificate and the chain certificate but your patch, as I have mention a couple of times, does not allow the pve-ssl.pem to contain more than one certificate (if (certs == null || certs.length > 1)).

you also need the cat my.pem my.root.ca.pem > pve-root-ca.pem otherwise you get a certificate does not match error.

 

[mir]

if a do cat my.pem subclass2.pem > /etc/local/pve-ssl.pem and tries the ssl checker it passes the test:

[h=3]The hostname (datanom.net) is correctly listed in the certificate.[/h]

	Common name: *.datanom.net SANs: *.datanom.net, datanom.net Organization: Michael Rasmussen Location: Kastrup, Kobenhavn, DK Valid from January 20, 2013 to January 21, 2015 Serial Number: 77302 (0x12df6) Signature Algorithm: sha1WithRSAEncryption Issuer: StartCom Class 2 Primary Intermediate Server CA
	Common name: StartCom Class 2 Primary Intermediate Server CA Organization: StartCom Ltd. Location: IL Valid from October 24, 2007 to October 24, 2017 Serial Number: 26 (0x1a) Signature Algorithm: sha1WithRSAEncryption Issuer: StartCom Certification Authority

​

 

[mir]

Again, the system does not expect a subclass there. But I am sure it is not particularly hard to implement that (if you need it).

If the users browser is picky you will need this to be able to avoid a warning from the browser which needs user intervention before access is allowed to the web gui.

IMHO the ssl setup is flawed in its current state and should be fixed.

 

[mir]

A quick fix would be to remove the check below:

+ if (certs == null || certs.length > 1) {
+ throw new CertificateException("cert path too long");
+ }

 

[dietmar]

A quick fix would be to remove the check below:

Please can you send patches to the pve-devel list instead?

 

[FastLaneJB]

A quick fix would be to remove the check below:

+ if (certs == null || certs.length > 1) {
+ throw new CertificateException("cert path too long");
+ }

Would it not be better to change it to something like...

+ if (certs == null) {
+ throw new CertificateException("no cert found");
+ }

As in leave the check for null or no cert but remove the check for greater than 1. Just my take on this.

 

[mir]

The check for certs == null is done prior to this check so no, your suggestion is not better;-)

 

[FastLaneJB]

Awwww. I thought I was being smart. I didn't read all the code above it as that wasn't quoted

 

[loisl]

in Proxmox VE 2 * you could simply adjust apache conf
Where to add the SSLCACertificateFile?


Modify Proxmox/Apache configuration file

Modify /etc/apache2/sites-available/pve-redirect.conf so it looks like this (bold is added/modified lines):

[COLOR=#333333][FONT=Helvetica Neue Light][INDENT][FONT=Courier New]<VirtualHost *:80>
    #RewriteLog "/root/rewrite.log"
    #RewriteLogLevel 10
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    RewriteRule ^/(.*) https://%{HTTP_HOST}:8006/$1 [L,R]
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/pve/local/pve-ssl.pem
    SSLCertificateKeyFile /etc/pve/local/pve-ssl.key
    [B]SSLCertificateChainFile /etc/pve/local/sub.class1.server.ca.pem
    SSLCACertificateFile /etc/pve/local/ca.pem
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog /var/log/apache2/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"[/B]
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    RewriteRule ^/(.*) https://%{HTTP_HOST}:8006/$1 [L,R]
</VirtualHost>[/FONT][/INDENT]
[/FONT][/COLOR]

Modify /etc/apache2/sites-available/pve.conf so it looks like this (bold is added/modified lines):

[COLOR=#333333][FONT=Helvetica Neue Light][INDENT][FONT=Courier New]<IfModule mpm_prefork_module>
    StartServers 2
    MinSpareServers 1
    MaxSpareServers 2
    MaxClients          50
    MaxRequestsPerChild 200
</IfModule>
ServerName localhost
ServerSignature Off
ServerTokens Prod
ServerAdmin root
AddDefaultCharset On
# Hint1: Ajax use KeepAlive. We wnat that to get better performance.
# Hint2: We need to limit the number of request to avoid exhaustive
# memory usage (we still have small memory leaks).
# Apache KeepAlive in effect disables MaxRequestsPerChild,
# (max request are  MaxRequestsPerChild*MaxKeepAliveRequests)
# so we implemented and additional limit in REST.pm
# But KeepAlive spawns too many processes - so we disable that for now
KeepAlive off
MaxKeepAliveRequests 200
<IfModule mod_deflate.c>
 AddOutputFilterByType DEFLATE application/json
</IfModule>
CustomLog ${APACHE_LOG_DIR}/access.log combined
Listen 8006
<VirtualHost *:8006>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/pve/local/pve-ssl.pem
    SSLCertificateKeyFile /etc/pve/local/pve-ssl.key
    [B]SSLCertificateChainFile /etc/pve/local/sub.class1.server.ca.pem
    SSLCACertificateFile /etc/pve/local/ca.pem
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog /var/log/apache2/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"[/B]
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    DocumentRoot /usr/share/pve-manager/root
    <Directory />
 Options FollowSymLinks
 AllowOverride None
    </Directory>
    <Directory /usr/share/pve-manager/root>
 Options FollowSymLinks MultiViews
 AllowOverride None
 Order allow,deny
 allow from all
    </Directory>
    Alias /pve2/css/ /usr/share/pve-manager/css/
    Alias /pve2/ext4 /usr/share/pve-manager/ext4/
    Alias /pve2/images/ /usr/share/pve-manager/images/
    Alias /vncterm/ /usr/share/vncterm/

    # avoid authentication when accessing favicon
    Alias /favicon.ico /usr/share/pve-manager/images/favicon.ico
    PerlRequire /usr/share/pve-manager/startup.pl
    <Location /index.pl>
        SetHandler perl-script         PerlHandler ModPerl::Registry
        Options ExecCGI      </Location>
    <Location /api2/>
        SetHandler perl-script
        PerlHandler PVE::REST
    </Location>
</VirtualHost>[/FONT][/INDENT]
[/FONT][/COLOR]

 

[anthonysomerset]

I Ended up following the instructions for SSL in the wiki but then also setting up nginx as a reverse proxy with the following config file (domains/ssl's redacted) - i then setup the nginx certs correctly with the cert and intermediate concatenated together

java applet works and SSL checker is happy (and i dont have to open port 8006 in the hardware firewalls ) NOTE you will have to amend this for your setup which includes default listening ports/addresses etc

server {        listen 80;
        server_name pve1.domain.com;
        rewrite ^ https://pve1.domain.com$uri permanent;
}
server {
	listen	 443 ssl;


	ssl_certificate /root/ssl/star.domain.com.crt;
	ssl_certificate_key /root/ssl/star.domain.com.key;


	server_name pve1.domain.com;
	location / {
		proxy_pass https://localhost:8006;
                include /etc/nginx/proxy_params;
	}
}

 

[MikaelJ]

I am new to proxmox, but I am trying to figure out how to make my server use a startssl.com certificate, however following the guide at http://pve.proxmox.com/wiki/HTTPSCertificateConfiguration is not working, I have then searched and found 2 threads on this forum with similar problems, however getting a solution that works have eluded me.
I also tryed the cacert.org they write about in the guide, but it seems impossible to get enough points to actually get a certificate from them.

My real questions is, is there a solution where you can actually have both a cert from startssl.com working on the proxmox 3.2-1 and also have the java/console option working?
Or should i rather revert back to the stock cert (that i thankfully got backed up) and wait for a fix to be released?

Thanks in advance
Mikael, Denmark.

 

[egrueda]

after:
cat my.pem ca.pem > ca-unified.pem this works

Saved my ass! thank you!