SPICE Server & Custom SSL Certs

TheFunk

Member
Oct 25, 2016
--See latest update for actual issue--


Hey everyone!

I've just about ironed out my Proxmox install so that it does anything and everything I could ever ask of it.

One thing I'm still having trouble with is accessing my Proxmox VMs with SPICE enabled, via Android SPICE clients, like aSpice and Opaque.

Can anyone help me out? I can verify that I can connect to my Proxmox VMs using virt-viewer when connecting from a Windows desktop. The Proxmox GUI generates .vv files which tell virt-viewer how to connect to my SPICE server.

I tried pulling config info out of these vv files and plugging it into aSpice and Opaque but neither seems to want to open a connection to my SPICE server. Generally I receive a connection refused.
 
this should work, but you should note that the info from the vv file is only valid for about 10 seconds, so you have to connect during this time
 
Sorry to be a nuisance. I updated the title and content of my post slightly.

My issue currently is that I can't get SPICE to function after applying a custom SSL cert to my host.

Is it possible that this bug filed a few months back is the reason my SPICE console no longer functions after applying a custom SSL Cert?

I am on the latest version of PVE 5.0 and the web interface is functioning properly and providing the correct cert chain.
 
no, we are using the self-signed certificate for spice (on purpose, because remote-viewer's certificate validation scheme does not allow certificate pinning on end certificates, only on CAs). we do include the self-signed CA in the generated config, so clients should be able to connect without manual intervention though?
 
@fabian

The idea of pinning is fairly new to me, but as I understand it, it's an added integrity check?

You pass a root cert to the remote-viewer client and it verifies that the host cert is chained to the root. Is that correct so far?

If you have a self-signed root cert, then that cert should be unique to your server, assuming it was generated that way and didn't come packaged with the OS. As such, remote-viewer can use pinning to verify that you are connecting to your own server, regardless of where you are in the world.

Since the client needs to have a copy of the server's CA file somehow, this also provides a form of management opportunity/vetting for clients that aren't using config files downloaded from the web gui.

Would that be accurate, or is my understanding lacking?

Lastly, is the /etc/pve/pve-root-ca.pem file the self-signed root cert of which you spoke?
 
> @fabian
>
> The idea of pinning is fairly new to me, but as I understand it, it's an added integrity check?
>
> You pass a root cert to the remote-viewer client and it verifies that the host cert is chained to the root. Is that correct so far?
>
> If you have a self-signed root cert, then that cert should be unique to your server, assuming it was generated that way and didn't come packaged with the OS. As such, remote-viewer can use pinning to verify that you are connecting to your own server, regardless of where you are in the world.

yes, but the root/CA cert is unique to a PVE cluster, not to each server/node (each node gets its own node certificate signed/issued by that CA though).

> Since the client needs to have a copy of the server's CA file somehow, this also provides a form of management opportunity/vetting for clients that aren't using config files downloaded from the web gui.

no, the client does not really need to have a copy of the CA, as we cannot check what kind of checks a client does (the certificate information in the config file is for added protection ON the client side to authenticate the server, not for authentication OF the client on the server side). but if you have the generated remote-viewer config file, you also have the login token (which is only valid for a short period of time, 30s IIRC). since the config file is only available to authenticated users with the right permissions, and transferred securely over TLS, this is not problematic.

> Lastly, is the /etc/pve/pve-root-ca.pem file the self-signed root cert of which you spoke?

yes. but please don't touch it except for deleting it (and all its issued node certificates) for regeneration via "pvecm updatecerts". chances are you'd break stuff, and there is nothing to gain from fiddling with it ;).
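The thread hinges on what the GUI-generated .vv file actually carries: the SPICE host/port, a short-lived one-time ticket in `password`, and the cluster CA in `ca`, which remote-viewer pins as the only trusted issuer for the session. The following script is an added example, not Proxmox or virt-viewer code: it parses a .vv file with the standard [virt-viewer] keys, un-escapes the embedded CA (virt-viewer stores it on one line with literal `\n`), and checks by SHA-256 fingerprint that the CA in the file is the cluster CA you expect (the contents of `/etc/pve/pve-root-ca.pem`). The sample file, hostnames, ticket and both certificate bodies are constructed placeholders; `pinned_context` only works with a real CA certificate.

```python
"""Inspect a virt-viewer (.vv) file as the Proxmox GUI hands it out, and check
the pinned CA.  Added example, not Proxmox or virt-viewer code."""
import configparser
import hashlib
import hmac
import ssl

# Constructed sample .vv file.  The section and key names are the ones
# virt-viewer documents; host, port, ticket and the certificate body are
# placeholders (the base64 is not a real X.509 certificate).  In a real file
# the "ca" value is one line with literal backslash-n escapes, as here.
SAMPLE_VV = """\
[virt-viewer]
type=spice
host=pve1.example.invalid
tls-port=61000
proxy=http://pve1.example.invalid:3128
password=placeholder-one-time-ticket
ca=-----BEGIN CERTIFICATE-----\\nUExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU\\n-----END CERTIFICATE-----\\n
host-subject=OU=PVE Cluster Node,O=Proxmox Virtual Environment,CN=pve1.example.invalid
delete-this-file=1
secure-attention=Ctrl+Alt+Ins
title=VM 100 - demo
"""

# A second constructed placeholder, standing in for some other cluster's CA.
OTHER_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "T1RIRVItUExBQ0VIT0xERVItTk9ULUEtQ0VSVA==\n"
    "-----END CERTIFICATE-----\n"
)


def parse_vv(text):
    """Return the [virt-viewer] section of a .vv file as a plain dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    section = cp["virt-viewer"]
    return {key: section[key] for key in section}


def ca_from_vv(vv):
    """Turn the single-line, backslash-n escaped "ca" value into real PEM."""
    return vv["ca"].replace("\\n", "\n").strip() + "\n"


def cert_fingerprint(pem):
    """SHA-256 over the DER bytes of one PEM certificate (hex string)."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def ca_matches(vv, expected_ca_pem):
    """True when the CA embedded in the .vv file is the CA you expect.

    This is the client-side check fabian describes: the CA in the file lets
    remote-viewer authenticate the server; comparing it with the cluster CA
    you already hold (pve-root-ca.pem) tells you the file was produced by
    your cluster and not something else answering on that port."""
    got = cert_fingerprint(ca_from_vv(vv))
    want = cert_fingerprint(expected_ca_pem)
    return hmac.compare_digest(got, want)


def pinned_context(vv):
    """SSL context that trusts only the CA from the .vv file (CA pinning).

    Passing cadata to create_default_context replaces the system trust store,
    so any certificate not issued by this CA is rejected.  Needs a real CA;
    the placeholder in SAMPLE_VV will not load."""
    return ssl.create_default_context(
        purpose=ssl.Purpose.SERVER_AUTH, cadata=ca_from_vv(vv)
    )


if __name__ == "__main__":
    vv = parse_vv(SAMPLE_VV)
    for key in ("type", "host", "tls-port", "proxy", "host-subject"):
        print(f"{key:13} {vv[key]}")
    # "password" is the one-time login ticket fabian mentions; the file is a
    # credential while that ticket is valid, which is why delete-this-file=1.
    print("ticket present:", bool(vv.get("password")))
    print("CA sha256:     ", cert_fingerprint(ca_from_vv(vv)))
    print("matches own CA:", ca_matches(vv, ca_from_vv(vv)))
    print("matches other: ", ca_matches(vv, OTHER_CA_PEM))
```

To use it on a real file, read the .vv the GUI downloaded into `parse_vv`, pass the text of `/etc/pve/pve-root-ca.pem` as `expected_ca_pem`, and do it within the ticket lifetime the thread quotes, since the file is only good for a connection during that window anyway.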
 
