Spice SSL error on Linux

[Sebastiaan7676]

Hi there,
I've searched the forums and consulted the wiki, but am unclear on how to solve an issue I'm having.

Currently I'm running Proxmox 4.2-2. I just have the self signed cert that came with Proxmox which is fine for me ( it's only being used on my LAN ), I just ignore the warning, and all works fine.

My issue is, when using remote-viewer to connect to a VM using SPICE, I get the error "Unable to connect to the graphic server spiceproxy"

In the commandline, I also get the following from remote-viewer: "GSpice-WARNING **: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)"

I'm using the shell script mentioned in the wiki, but it does the same direct from the browser too.

If I try to connect from a Windows machine, it works fine, so it's not the VM or the Spice setup on the Proxmox node.

I'm assuming my linux machine/remote-viewer isn't liking the Certificate or Cipher somehow. But adding the pve-root-ca.pem to my trusted ca certs does nothing for SPICE ( but makes logging into the Web UI easier )

I was going to generate a new intermediate CA and Server Cert/Key from Pfsense and replace the standard one, but in reading the line from the wiki on HTTP Cert config:

"When accessing the web interface on this node, you should be presented with the new certificate. Note that the alternative certificate is only used by the web interface (including noVNC), but not by the Spice Console/Shell."

So this makes me think, if that is the issue, it won't make any difference if I replace the HTTP cert.

Is there some other cert i need to be 'trusting' on my linux machine to enable this to work?

Any advice on how I could get this working would be much appreciated, as I'm at a loss on what to try next.

Kind Regards

Seb

 

[dietmar]

What version of remote-viewer (on what OS) do you use exactly?

 

[Sebastiaan7676]

I'm using remote-viewer 6.0 on Arch Linux

 

[Sebastiaan7676]

Below is the output of remote-viewer with debug mode on for Spice. I'm using the Shell Script suggested in the Proxmox wiki:

note it says the CA is null, not sure if that is concerning.

Also, I noticed in the files generated by the node ( the one with all the connection details etc ), the Certificate has a bunch of \n newline characters included, These are present in VIM, Sublime and cat on the commandline. Not sure if that could cause an issue with remote-viewer parsing the ca?



sebastiaan@sebarch:~|⇒ ./spiceopen.sh -u root@pam -p <MYPASSWORD> 102 <nodename> <node-ip>
AUTH OK
(remote-viewer:6038): GSpice-DEBUG: spice-session.c:286 New session (compiled from package spice-gtk 0.34)
(remote-viewer:6038): GSpice-DEBUG: spice-session.c:290 Supported channels: main, display, inputs, cursor, playback, record, smartcard, usbredir, webdav
(remote-viewer:6038): GSpice-DEBUG: usb-device-manager.c:509 auto-connect filter set to 0x03,-1,-1,-1,0|-1,-1,-1,-1,1
(remote-viewer:6038): GSpice-DEBUG: spice-session.c:1743 no migration in progress
(remote-viewer:6038): GSpice-DEBUG: spice-channel.c:146 main-1:0: spice_channel_constructed
(remote-viewer:6038): GSpice-DEBUG: spice-session.c:2246 main-1:0: new main channel, switching
(remote-viewer:6038): GSpice-DEBUG: spice-gtk-session.c:1107 Changing main channel from (nil) to 0x561b67f9c4f0
(remote-viewer:6038): GSpice-DEBUG: usb-device-manager.c:974 device added 1044:7a03 (0x561b67f6b410)
(remote-viewer:6038): GSpice-DEBUG: usb-device-manager.c:974 device added 0665:6000 (0x561b67f6c310)
(remote-viewer:6038): GSpice-DEBUG: usb-device-manager.c:974 device added 1532:0037 (0x561b67f728f0)
(remote-viewer:6038): GSpice-DEBUG: spice-channel.c:2688 main-1:0: Open coroutine starting 0x561b67f9c4f0
(remote-viewer:6038): GSpice-DEBUG: spice-channel.c:2529 main-1:0: Started background coroutine 0x561b67f9c3a0
(remote-viewer:6038): GSpice-DEBUG: spice-session.c:2180 Missing port value, not attempting unencrypted connection.
(remote-viewer:6038): GSpice-DEBUG: spice-channel.c:2555 main-1:0: trying with TLS port
(remote-viewer:6038): GSpice-DEBUG: spice-session.c:2192 main-1:0: Using TLS, port 61001
(remote-viewer:6038): GSpice-DEBUG: spice-session.c:2140 (with proxy htt p://thebox:3128)
(remote-viewer:6038): GSpice-DEBUG: spice-session.c:2064 proxy lookup ready
(remote-viewer:6038): GSpice-DEBUG: spice-session.c:2047 main-1:0: connecting 0x7f5e7e13aab0...
(remote-viewer:6038): GSpice-DEBUG: spice-session.c:2031 main-1:0: connect ready
(remote-viewer:6038): GSpice-DEBUG: spice-channel.c:2451 main-1:0: Load CA, file: (null), data: 0x561b67f75200

(remote-viewer:6038): GSpice-WARNING **: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)
(remote-viewer:6038): GSpice-DEBUG: spice-channel.c:2665 main-1:0: Coroutine exit main-1:0
(remote-viewer:6038): GSpice-DEBUG: spice-channel.c:2858 main-1:0: reset
(remote-viewer:6038): GSpice-DEBUG: channel-main.c:1539 agent connected: no
(remote-viewer:6038): GSpice-DEBUG: spice-channel.c:2800 main-1:0: channel reset
(remote-viewer:6038): GSpice-DEBUG: spice-channel.c:2410 main-1:0: Delayed unref channel 0x561b67f9c4f0
(remote-viewer:6038): GSpice-DEBUG: spice-session.c:1937 session: disconnecting 0
(remote-viewer:6038): GSpice-DEBUG: spice-session.c:286 New session (compiled from package spice-gtk 0.34)
(remote-viewer:6038): GSpice-DEBUG: spice-session.c:290 Supported channels: main, display, inputs, cursor, playback, record, smartcard, usbredir, webdav
(remote-viewer:6038): GSpice-DEBUG: usb-device-manager.c:509 auto-connect filter set to 0x03,-1,-1,-1,0|-1,-1,-1,-1,1
(remote-viewer:6038): GSpice-DEBUG: spice-session.c:1937 session: disconnecting 0


Hoping someone can help. This has really stumped me.

Edit:
Here is a 'cat' of the connection file before it's sent to remote-viewer - note the '\n' throughout the certificate ( me thinks this could be the issue ).

[virt-viewer]
type=spice
delete-this-file=1
password=<redacted>
proxy=http://thebox:3128
ca=-----BEGIN CERTIFICATE-----\nMIIFtzCCA5+gAwIBAgIJAM1n+dFNDPuVMA0GCSqGSIb3DQEBCwUAMHIxJDAiBgNV\nBAMMG1Byb3htb3ggVmlydHVhbCBFbnZpcm9ubWVudDEpMCcGA1UECwwgOTRhOGJj\nNTI1ZWY2OGRmODRmNzJmODhjMzVmZGFmMTAxHzAdBgNVBAoMFlBWRSBDbHVzdGVy\nIE1hbmFnZXIgQ0EwHhcNMTYwNzI1MTY1NjIzWhcNMjYwNzIzMTY1NjIzWjByMSQw\nIgYDVQQDDBtQcm94bW94IFZpcnR1YWwgRW52aXJvbm1lbnQxKTAnBgNVBAsMIDk0\nYThiYzUyNWVmNjhkZjg0ZjcyZjg4YzM1ZmRhZjEwMR8wHQYDVQQKDBZQVkUgQ2x1\nc3RlciBNYW5hZ2VyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA\nwSlBKWxXXd1KwHDKbB5lzHF9k4fPS3bFhKtDB+GyD/haAxQs0lBua2lucogt3uy0\nhexa2l6j+AZtaX3HR3K790UE3Kj8+He8VHF+paJzm0sOqDW5c7MnfNUDfLH4+dyb\nGPuu91HhmXsivuSJb18/TQ/CjyoSxMs/UBat0wPogy4LMzok/EyWf0la4PSIqbs0\nAYVckEn5db1wf/ooDZvJ+y65yy+9w/8mp/odzbF9pxxrR90JHLCB4L2+W6gLEo1S\nJrJixPbtKtkR4pWfdm6cXx+ERW44dmiSdzE5KY3vDtyPH/YYhWCdTkTJCWblcc2I\ndLNFZcvQ8GFXC/2q9ViF37qf+drMYwB6PSdaCHt+NTwEfGo6pIEwcqQRZXKacUqQ\n34no8o3sgQyeKv8zWO7EGEice8e9jtxu6pp0OpIAK4Z16m12r9s/aVjSFwT1asKy\nqwpJnzEIqb/JIfQVwe0UZdmZJJFlMJ2Wt6a/5mSn4kSJpI3LWr4/3Be/WFgI9ETD\nEGDaSWucKvx7E9I3gnoiJeyFL6w0WHtJ/HNtcJYnsGVq+io41wV+GU24QECRzMj7\nyvGme6+vDsefJiqV9Q7/9TmttcUUuU2s8ht5ccjCS+h2pym+2w9yvri1eyyKJQ8K\nTVtelCzRW70kaY8rtvyn4clK25fu8nrIW57Ld+driDcCAwEAAaNQME4wHQYDVR0O\nBBYEFJVXUuFENg+SJ/7FP9UWWjO0v+HdMB8GA1UdIwQYMBaAFJVXUuFENg+SJ/7F\nP9UWWjO0v+HdMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAK61oDJA\n4AcaHXCJoBhuVHSZq69hrBKQpPXPST1gydZmNfkRN99/YpFFFpKyczH8KnkGDP3g\nn9HGytUljKKrVFTfIl6Xm1VO+juuVs64eeDX9Iq4JEBEH2XLPNQ02tax3qFXJiC8\n7AuqK/rCToqvPHb6m3S79jTQy1ZDe1xQQHfe6SS857XSDLt0WQh7YermMwLDdVPR\nehtKuI7sbJsNuXc7SsteTliVC4fqWhSwO616xbUqmJpH4OEIhxaig1wxNgcxdQz+\nOcfHyc9H5psUMSwqcP7bbXc6rBJ17APcj4eFxZqS2gAdnSy1wERCn245CT/s282K\nmsisSIEjP5AuZtC595hXNTM0DzywK9TTiQcDYv2JLIFyh1i/P711+Mbk4Q5Jcd+B\nErTuJoms3SX+/iBL+Qa2R0Om/hkWh/pfqBQ9FFUl15KIAFgZzJ4G2j6NzoP1MR1l\n5JrpWguh5FwNRLQUEcG4sj2hVTDnUejT8sa02sApHqMrzHAkBzNYxWIDmpT4TxXI\nidHahbl93YtFR0n7haQAPKo5CVBgOLDGXAGDpwgcjdmyYEDVoRMQRMcTfukmPsWT\nWQRNihR76isxybMYcJr0vN3L6CGTOddDEV/mHHLdWozqhJd4OytC1xUUTD+3w9Ry\nf62U874U2O1/2X9EC+Wwk9vEld63J6i9KL2P\n-----END CERTIFICATE-----\n
release-cursor=Ctrl+Alt+R
title=VM 102 - Ubuntu16.04
secure-attention=Ctrl+Alt+Ins
tls-port=61001
host-subject=OU=PVE Cluster Node,O=Proxmox Virtual Environment,CN=thebox.sebastiaan-stoffels.com
host=pvespiceproxy:5aaf47f4:102:thebox::b21cff2011b713ef653a5f1331c4e7f4236cf3bc
toggle-fullscreen=Shift+F11

compared to the cert straight off /etc/pve

-----BEGIN CERTIFICATE-----
MIIFtzCCA5+gAwIBAgIJAM1n+dFNDPuVMA0GCSqGSIb3DQEBCwUAMHIxJDAiBgNV
BAMMG1Byb3htb3ggVmlydHVhbCBFbnZpcm9ubWVudDEpMCcGA1UECwwgOTRhOGJj
NTI1ZWY2OGRmODRmNzJmODhjMzVmZGFmMTAxHzAdBgNVBAoMFlBWRSBDbHVzdGVy
IE1hbmFnZXIgQ0EwHhcNMTYwNzI1MTY1NjIzWhcNMjYwNzIzMTY1NjIzWjByMSQw
IgYDVQQDDBtQcm94bW94IFZpcnR1YWwgRW52aXJvbm1lbnQxKTAnBgNVBAsMIDk0
YThiYzUyNWVmNjhkZjg0ZjcyZjg4YzM1ZmRhZjEwMR8wHQYDVQQKDBZQVkUgQ2x1
c3RlciBNYW5hZ2VyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
wSlBKWxXXd1KwHDKbB5lzHF9k4fPS3bFhKtDB+GyD/haAxQs0lBua2lucogt3uy0
hexa2l6j+AZtaX3HR3K790UE3Kj8+He8VHF+paJzm0sOqDW5c7MnfNUDfLH4+dyb
GPuu91HhmXsivuSJb18/TQ/CjyoSxMs/UBat0wPogy4LMzok/EyWf0la4PSIqbs0
AYVckEn5db1wf/ooDZvJ+y65yy+9w/8mp/odzbF9pxxrR90JHLCB4L2+W6gLEo1S
JrJixPbtKtkR4pWfdm6cXx+ERW44dmiSdzE5KY3vDtyPH/YYhWCdTkTJCWblcc2I
dLNFZcvQ8GFXC/2q9ViF37qf+drMYwB6PSdaCHt+NTwEfGo6pIEwcqQRZXKacUqQ
34no8o3sgQyeKv8zWO7EGEice8e9jtxu6pp0OpIAK4Z16m12r9s/aVjSFwT1asKy
qwpJnzEIqb/JIfQVwe0UZdmZJJFlMJ2Wt6a/5mSn4kSJpI3LWr4/3Be/WFgI9ETD
EGDaSWucKvx7E9I3gnoiJeyFL6w0WHtJ/HNtcJYnsGVq+io41wV+GU24QECRzMj7
yvGme6+vDsefJiqV9Q7/9TmttcUUuU2s8ht5ccjCS+h2pym+2w9yvri1eyyKJQ8K
TVtelCzRW70kaY8rtvyn4clK25fu8nrIW57Ld+driDcCAwEAAaNQME4wHQYDVR0O
BBYEFJVXUuFENg+SJ/7FP9UWWjO0v+HdMB8GA1UdIwQYMBaAFJVXUuFENg+SJ/7F
P9UWWjO0v+HdMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAK61oDJA
4AcaHXCJoBhuVHSZq69hrBKQpPXPST1gydZmNfkRN99/YpFFFpKyczH8KnkGDP3g
n9HGytUljKKrVFTfIl6Xm1VO+juuVs64eeDX9Iq4JEBEH2XLPNQ02tax3qFXJiC8
7AuqK/rCToqvPHb6m3S79jTQy1ZDe1xQQHfe6SS857XSDLt0WQh7YermMwLDdVPR
ehtKuI7sbJsNuXc7SsteTliVC4fqWhSwO616xbUqmJpH4OEIhxaig1wxNgcxdQz+
OcfHyc9H5psUMSwqcP7bbXc6rBJ17APcj4eFxZqS2gAdnSy1wERCn245CT/s282K
msisSIEjP5AuZtC595hXNTM0DzywK9TTiQcDYv2JLIFyh1i/P711+Mbk4Q5Jcd+B
ErTuJoms3SX+/iBL+Qa2R0Om/hkWh/pfqBQ9FFUl15KIAFgZzJ4G2j6NzoP1MR1l
5JrpWguh5FwNRLQUEcG4sj2hVTDnUejT8sa02sApHqMrzHAkBzNYxWIDmpT4TxXI
idHahbl93YtFR0n7haQAPKo5CVBgOLDGXAGDpwgcjdmyYEDVoRMQRMcTfukmPsWT
WQRNihR76isxybMYcJr0vN3L6CGTOddDEV/mHHLdWozqhJd4OytC1xUUTD+3w9Ry
f62U874U2O1/2X9EC+Wwk9vEld63J6i9KL2P
-----END CERTIFICATE-----


The question is - why is it doing this? And How can I get Proxmox to output the file without these spurious '\n's ( if this is indeed the problem )

Edit: tried turning all the \n into actual newlines, but it complains about invalid file. Also tried stripping all newlines, and same thing ( using sed and tr ) The file looked correct, but remote-viewer no like it.

Back to square 1.

 

[Klaus Steinberger]

the viewer try's to check the CA Certificate which of course does not exist with an self-signed certificate

Please read this:

https://people.freedesktop.org/~teuf/spice-doc/html/ch02s08.html

 

[Sebastiaan7676]

Hmm, OK, so doing something like is outlined here: http://blog.raphaelabreu.com/2014/07/watch-logan-2017-movie-online-streaming-download/
i.e. creating a new intermediate CA ( using pfsense ) and replacing the certs, could be a fix after all?

 

[Klaus Steinberger]

yes that could work, or you use this file:

/etc/pve/pve-root-ca.pem

this should be the ca for the self signed cert.


or use lets encrypt:

https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x_and_newer)

 

[Sebastiaan7676]

I've followed that blog tutorial, created my own CA + Intermediate CA + Server certs, got it all working perfectly in the browser, but still no joy with Spice.

So strange that the browser is totally OK with the new cert and Spice still errors, maybe it's something different again.

I can't use Lets Encrypt as my Host/Node isn't Internet facing.

 

[tom]

I can't use Lets Encrypt as my Host/Node isn't Internet facing.

Just to note, in this case you can use DNS mode.

 

[jihere]

Hi all,
Sebastiaan, Did you find a solution ? I have exactly the same problem with self signed default pve cert and the debian stretch remote-viewer client.
I have imported the ca in the system trust certs, no luck...
Even if I use --spice-ca-file= to load my pve ca it shows

GSpice-DEBUG: spice-channel.c:2382 main-1:0: Load CA, file: (null), data: 0x55ede9bdbc30

It works pretty well with windows client.

 

[Sebastiaan7676]

I never got it working in Proxmox 4.2, but ended up re-installing ( upgrading ) to the latest Proxmox version, and it worked after that.

I have no idea what was causing the error.

Hi all,
Sebastiaan, Did you find a solution ? I have exactly the same problem with self signed default pve cert and the debian stretch remote-viewer client.
I have imported the ca in the system trust certs, no luck...
Even if I use --spice-ca-file= to load my pve ca it shows

GSpice-DEBUG: spice-channel.c:2382 main-1:0: Load CA, file: (null), data: 0x55ede9bdbc30

It works pretty well with windows client.

 

[jihere]

OK thanks. I cant upgrade for the moment, I'll do it asap.

 

[jihere]

I can confirm It works well with pve 5.1, tested it in a nested vm configuration.