SPICE error: "certificate has expired"

Oct 7, 2019
793
325
108
Spain
I've had an issue with one VM when trying to connect to it's SPICE console, complaining about an expired certificate. This is odd as I'm using the self generated certificates for this cluster:

Code:
(remote-viewer:57402): Spice-WARNING **: 10:05:14.912: ssl_verify.c:479:openssl_verify: Error in server certificate verification: certificate has expired (num=10:depth0:/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=pve03.domain.local)
(remote-viewer:57402): GSpice-WARNING **: 10:05:14.912: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)

Checked the certificate used by pveproxy and it got automatically renewed on December 28 2023, so it is valid. Time on both servers and client is ok. There are a couple more VMs with SPICE on this server and I can access their consoles. The only difference I see among them is that the problematic VM's uptime was around 4 months and the other two are less than a week. Seems to me that the VM was still using the old certificate even if it got renewed. I migrated that VM to another node and back, then I could use SPICE again.

Is that the expected behavior? Maybe some service (spiceproxy maybe?) had to be reloaded when the certs get automatically renewed? Is there something I could do to avoid this in the future besides live migrating the VMs when the certificate is renewed?

Thanks!
 
Hi,
Checked the certificate used by pveproxy and it got automatically renewed on December 28 2023, so it is valid. Time on both servers and client is ok. There are a couple more VMs with SPICE on this server and I can access their consoles. The only difference I see among them is that the problematic VM's uptime was around 4 months and the other two are less than a week. Seems to me that the VM was still using the old certificate even if it got renewed. I migrated that VM to another node and back, then I could use SPICE again.
sounds very likely. AFAICS, the certificate is only set when the SPICE server is initialized by QEMU. Didn't find any code to reload it via a QMP command or similar from a quick search.
 
I had a similar incident today. I had no second PVE to migrate it to, so I simply stopped and started the VM (I guess restart wouldn't work) and it generated a new certificate.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!