Spice & Custom Self Signed Certificate

nizon

Jan 15, 2015
Hi!

Just updated my Proxmox Certs (self signed) like described in https://pve.proxmox.com/wiki/HTTPSCertificateConfiguration without any problems - browser interface & everything else is working fine except connecting to my win7 VM through SPICE. Got it completely working before.

Debugging the Spice Connection gives me a self-signed cert error:

C:\Program Files\VirtViewer v2.0256\bin>remote-viewer.exe Download.vv --debug
C:\Program Files\VirtViewer v2.0256\bin>(remote-viewer.exe:256): remote-viewer-DEBUG: fullscreen display 0: 0
(remote-viewer.exe:256): remote-viewer-DEBUG: Opening display to Download.vv
(remote-viewer.exe:256): remote-viewer-DEBUG: Guest (null) has a spice display
(remote-viewer.exe:256): remote-viewer-DEBUG: After open connection callback fd=-1
(remote-viewer.exe:256): remote-viewer-DEBUG: Opening connection to display at Download.vv
(remote-viewer.exe:256): remote-viewer-DEBUG: New spice channel 0000000001026010 SpiceMainChannel 0
(remote-viewer.exe:256): remote-viewer-DEBUG: notebook show status 000000000101B840
((null):256): Spice-Warning **: ../../../spice-common/common/ssl_verify.c:429:openssl_verify: Error in certificate chain verification: self signed certificate in certificate chain (num=19:depth1:/CN=Proxmox Virtual Environment/OU=17cb65412addccef86c0ce1865be41ce/O=PVE Cluster Manager CA)
(remote-viewer.exe:256): GSpice-WARNING **: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)
(remote-viewer.exe:256): remote-viewer-DEBUG: Disposing window 0000000003B450A0
(remote-viewer.exe:256): remote-viewer-DEBUG: Set connect info: (null),(null),(null),-1,(null),(null),(null),0

Can't really figure how to handle that error...

Also tried copying the CA to %APPDATA%\spicec\spice_truststore.pem but no change...

Any hints on how to get this back working?
 
I know this is an ancient thread, but did this ever get fixed? I've followed the SSL FAQ like you have, but on Linux I'm now getting the same issue:

Code:
(remote-viewer:32190): Spice-WARNING **: 06:16:26.751: ssl_verify.c:445:openssl_verify: Error in certificate chain verification: self signed certificate in certificate chain (num=19:depth1:/CN=Proxmox Virtual Environment/OU=75584baa-ff22-4c91-a21e-526a1b9de722/O=PVE Cluster Manager CA)
 
the generated config file contains the CA certificate.. it's not impossible that the spice client broke that (again).. can you check on the PVE side that node and CA certificate match:

Code:
$ openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/local/pve-ssl.pem
/etc/pve/local/pve-ssl.pem: OK

on all nodes
 
Hello Fabian, thanks for the reply. After thrashing around a bit this morning, it seems I've managed to get this sorted out. Yesterday I had added a new node, renamed it, then renamed another established node, then regenerated SSL certificates as I was getting SSL errors even from the web interface. I then found that I had to either restart pveproxy or reboot the machine and also restart guests rather than just migrate them (not sure why) before the issues finally went away. I've just transferred a VM back to one of the host machines I got the above error from and was able to successfully connect via spice. So it seems if certificates need to be regenerated, it's then best to basically restart everything. This is now closed as far as I'm concerned.
 
something has changed with remote-viewer. v10-256
the downloaded vv file looks good:
Code:
ca=-----BEGIN CERTIFICATE-----....Cg==\n-----END CERTIFICATE-----\n
host-subject=OU=PVE Cluster Node,O=Proxmox Virtual Environment,CN=proxmoxserver.domain.com
proxy=http://proxmoxserver.domain.com:3128
host=pvespiceproxy:60ab941f:122:proxmoxserver::25486b7dc4bbbfdbc504088effbd511e4f5e5417
tls-port=61000

the ca parameter has the same cert as pve-root-ca.pem

pve-ssl looks good.
# openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/local/pve-ssl.pem
/etc/pve/local/pve-ssl.pem: OK


but remote-viewer checks for a different certificate (the proxy cert: pveproxy-ssl.pem):

Code:
(remote-viewer.exe:15568): Spice-WARNING **: 13:48:02.644: ../subprojects/spice-common/common/ssl_verify.c:444:openssl_verify: Error in certificate chain verification: self signed certificate in certificate chain (num=19:depth1:/C=HU/ST=Hungary/L=Budapest/O=Domain/OU=Certificate Authority/CN=Domain CA/emailAddress=elbandi@domain.com)

what is configured wrong?
(proxmox 6.4 up to date)
 
please post the output of openssl x509 -noout -subject -issuer -in /etc/pve/local/pve-ssl.pem, openssl x509 -noout -subject -issuer -in /etc/pve/local/pveproxy-ssl.pem and openssl x509 -noout -subject -issuer -in /etc/pve/pve-root-ca.pem
 
# openssl x509 -noout -subject -issuer -in /etc/pve/local/pve-ssl.pem
subject=OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = proxmoxserver.domain.com
issuer=CN = Proxmox Virtual Environment, OU = af89651d-ffa4-4906-9659-43bb301ee95f, O = PVE Cluster Manager CA
# openssl x509 -noout -subject -issuer -in /etc/pve/pve-root-ca.pem
subject=CN = Proxmox Virtual Environment, OU = af89651d-ffa4-4906-9659-43bb301ee95f, O = PVE Cluster Manager CA
issuer=CN = Proxmox Virtual Environment, OU = af89651d-ffa4-4906-9659-43bb301ee95f, O = PVE Cluster Manager CA

# openssl x509 -noout -subject -issuer -in /etc/pve/local/pveproxy-ssl.pem
subject=C = HU, ST = Hungary, L = Budapest, O = Domain, CN = proxmoxserver.domain.com, emailAddress = elbandi@domain.com
issuer=C = HU, ST = Hungary, L = Budapest, O = Domain, OU = Certificate Authority, CN = Domain CA, emailAddress = elbandi@domain.com
 
does it work with the linux remote-viewer? does it work with an older version of the windows viewer?
 
hmm, I don't know what happened, but I restarted (= stop + start) the VM, and now it looks good.
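The checks discussed in this thread, as an added example that is not part of any post and is not Proxmox or virt-viewer code: it pulls the `ca=` and `host-subject=` values out of a downloaded .vv file and tests a certificate file against them. The function names are hypothetical, and the subject comparison is a plain string match that only approximates what the SPICE client does.

```shell
#!/bin/sh
# Added diagnostic sketch: compare what a SPICE .vv file tells the client to
# trust with a certificate file. All function names are hypothetical.

# vv_field FILE KEY -> value of the first "KEY=value" line in the .vv file
vv_field() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# vv_ca_pem FILE -> the ca= value with its literal "\n" escapes turned into
# real newlines, i.e. a PEM file usable with openssl -CAfile
vv_ca_pem() {
    vv_field "$1" ca | awk '{ gsub(/\\n/, "\n"); printf "%s", $0 }'
}

# norm_subject "subject=OU = X, O = Y, CN = Z" -> "OU=X,O=Y,CN=Z"
# (the comma-separated form used by host-subject; naive about values that
# themselves contain ", " or " = ")
norm_subject() {
    printf '%s\n' "$1" | sed -e 's/^subject= *//' -e 's/ = /=/g' -e 's/, /,/g'
}

# vv_check FILE CERT -> 0 if CERT chains to the CA embedded in FILE and its
# subject equals host-subject; otherwise prints the reason and returns 1
vv_check() {
    ca_tmp=$(mktemp) || return 2
    vv_ca_pem "$1" > "$ca_tmp"
    rc=0
    if ! openssl verify -CAfile "$ca_tmp" "$2" >/dev/null 2>&1; then
        echo "chain: $2 is not signed by the CA embedded in $1"
        rc=1
    fi
    want=$(vv_field "$1" host-subject)
    got=$(norm_subject "$(openssl x509 -noout -subject -nameopt oneline -in "$2")")
    if [ "$want" != "$got" ]; then
        echo "subject: .vv expects '$want', certificate has '$got'"
        rc=1
    fi
    rm -f "$ca_tmp"
    return $rc
}

# Usage: sh vvcheck.sh Download.vv /etc/pve/local/pve-ssl.pem
if [ "$#" -eq 2 ]; then vv_check "$1" "$2"; fi
```

Running it against both `pve-ssl.pem` and `pveproxy-ssl.pem` shows which of the two the downloaded .vv file was generated for.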
 
