SPICE not working with Let's Encrypt (wildcard) cetificates


Well-Known Member
Oct 22, 2015

We started using Let's Encrypt certificates on our proxmox cluster.
- The domain name used for is different from the internal LAN domain name. The servers were installed with the internal hostnames.
- The certificates are generated on a different machine.
- We use wildcard certificates

The web gui works fine, but if we want to use the spice console we get the following error:

(remote-viewer:32639): Spice-WARNING **: 11:14:52.969: ssl_verify.c:444:eek:penssl_verify: Error in certificate chain verification: unable to get local issuer certificate (num=20:depth1:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3)

The /etc/pve/nodes/NODENAME/pveproxy-ssl.pem is the LE certificate's fullchain.pem
Tried to follow
By removing the /etc/pve/pve-root-ca.pem and /etc/pve/priv/pve-root-ca.key files, running "pvecm updatecerts -f" and "systemctl restart pveproxy" on all of the nodes.
But we still get the same issue.
What can we do about this?


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!