Unable to Connect to Graphics Server after installing valid ssl cert

Imad Daou

Dear ProxMox community / Support,

This morning I ran into an issue with Firefox and Brave: they won't connect me to my PVE server unless I have a valid cert. So I got one using sslforfree.com.

I installed the cert as shown below and I was able to log in to the PVE admin panel; however, I got the following error trying to connect to my VM using SPICE. It was working just fine with the self-signed cert. Please help.

If I revert back to the self-signed certificate, the Firefox, Waterfox, and Brave browsers show that the host has a security policy called HTTP Strict Transport Security (HSTS), which means that Waterfox can only connect to it securely. You can't add an exception to visit this site.

Unable to Connect to Graphics Server​


# ProxMox self-signed cert or use sslforfree.com

# Note: Self-signed certificates are not accepted as valid by browsers anymore

#
# Create self-signed cert
#

# Remove certs if needed
rm -f /etc/pve/pve-root-ca.pem
rm -f /etc/pve/priv/pve-root-ca.key
# Template (replace <node> with the node name, as in the next two lines):
# rm -f /etc/pve/nodes/<node>/pve-ssl.pem
rm -f /etc/pve/nodes/imad-pve/pve-ssl.pem
rm -f /etc/pve/nodes/imad-pve/pve-ssl.key

# Restart the services and update certs
systemctl restart pve-cluster && systemctl restart pvedaemon && systemctl restart pvestatd && systemctl restart pveproxy
pvecm updatecerts

# Regenerate self-signed cert
pvecm updatecerts -f

#
# Create cert using sslforfree.com
#

# Source: https://eskwelaonline.com/how-to-fix-did-not-connect-potential-security-issue-on-your-site/

# Go to sslforfree.com to create or renew your cert
# Rename the cert files to match the pve files below and copy them
# Every 3 months the free cert needs to be renewed

# Overwrite self-signed certs
\cp /home/imad/Downloads/imad-pve.imaddaou.com/pve-root-ca.pem /etc/pve/pve-root-ca.pem
\cp /home/imad/Downloads/imad-pve.imaddaou.com/pve-www.key /etc/pve/pve-www.key
\cp /home/imad/Downloads/imad-pve.imaddaou.com/pve-ssl.key /etc/pve/local/pve-ssl.key
\cp /home/imad/Downloads/imad-pve.imaddaou.com/pve-ssl.pem /etc/pve/local/pve-ssl.pem

# Restart the services and update certs
systemctl restart pve-cluster && systemctl restart pvedaemon && systemctl restart pvestatd && systemctl restart pveproxy
pvecm updatecerts

# Using Let's Encrypt or certbot
# https://sjamso.blogspot.com/2021/01/solved-install-ssl-for-proxmox-ve-63.html
# https://pve.proxmox.com/wiki/Certificate_Management
 

TEMP ALTERNATIVE SOLUTION

I found a temporary alternative to SPICE which will allow me to use dual monitors, but I still need to use SPICE though.

That is xfreerdp and an xrdp server.

Code:
#
# Using xfreerdp
#

# Original command

# Source: https://github.com/FreeRDP/FreeRDP/issues/5129

#function xrdpm () { xfreerdp -window-drag -menu-anims -themes +fonts /bpp:32 /f /smart-sizing -decorations -compression \
#/audio-mode:0 /mic:format:1 /sound:latency:50 /multimon -floatbar /u:$1 /p:$2 /v:$3:3389 ;}

# For Windows single monitor

function xrdp_win () { xfreerdp +clipboard /dynamic-resolution /u:imad /p:PASS_WORD /v:WIN10-machine:3389 ;}

# For Debian (you need an xrdp server installed on Debian)
function xrdp_deb () { xfreerdp +clipboard /dynamic-resolution /u:imad /p:PASS_WORD /v:DEBIAN-machine:3389 ;}

#
# Dual monitors
#

# For windows
function xrdpm_win () { xfreerdp +clipboard +window-drag +menu-anims +themes +fonts /bpp:32 /f /smart-sizing +decorations -compression \
/audio-mode:0 /mic:format:1 /sound:latency:50 /multimon +floatbar /u:imad /p:PASS_WORD /v:WIN10.EXAMPLE.COM:3389 ;}

# For Debian
function xrdpm_deb () { xfreerdp +clipboard +window-drag +menu-anims +themes +fonts /bpp:32 /f /smart-sizing +decorations -compression \
/audio-mode:0 /mic:format:0 /sound:latency:50 /multimon +floatbar /u:imad /p:Pass_word /v:debian.example.com:3389 ;}
 
I found the solution: I wasn't copying the cert to the right place. For anyone interested, please find the steps I took to install a valid cert for my Proxmox web GUI and keep SPICE working.
 

Attachments

  • How to add valid certificate to ProxMox Web Interface.txt
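
A way to check the certificate layout this thread is about, as an added example that is not part of the original posts or of Proxmox's own tooling. It assumes the layout described in the Proxmox Certificate Management wiki linked in the first post: `pve-root-ca.pem` and `pve-ssl.*` stay PVE-generated, and a custom web GUI certificate lives in `pveproxy-ssl.pem` / `pveproxy-ssl.key`. The function names `same_key` and `check_pve_certs` are hypothetical.

```bash
# Added example: consistency check for a Proxmox VE certificate layout.
# Assumption (Proxmox Certificate Management documentation, not this thread):
# pve-root-ca.pem and pve-ssl.* are generated by PVE and left alone; a custom
# web GUI certificate goes in pveproxy-ssl.pem / pveproxy-ssl.key.

# same_key CERT KEY: succeed when certificate and private key share one public key.
same_key() {
    local a b
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# check_pve_certs [PVE_DIR] [NODE_DIR]: print findings, return 0 only if clean.
check_pve_certs() {
    local pve="${1:-/etc/pve}" node="${2:-/etc/pve/local}" rc=0 f
    local ca="$pve/pve-root-ca.pem" crt="$node/pve-ssl.pem" key="$node/pve-ssl.key"
    local gui_crt="$node/pveproxy-ssl.pem" gui_key="$node/pveproxy-ssl.key"

    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "MISSING $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # The node certificate must still be issued by the cluster CA.
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "OK pve-ssl.pem chains to pve-root-ca.pem"
    else
        echo "BROKEN pve-ssl.pem is not issued by pve-root-ca.pem"; rc=1
    fi
    same_key "$crt" "$key" || { echo "BROKEN pve-ssl.key does not match pve-ssl.pem"; rc=1; }

    # A custom GUI certificate is optional, but it must come as a matching pair.
    if [ -e "$gui_crt" ] || [ -e "$gui_key" ]; then
        if same_key "$gui_crt" "$gui_key"; then
            echo "OK pveproxy-ssl.pem matches pveproxy-ssl.key"
        else
            echo "BROKEN pveproxy-ssl.pem / pveproxy-ssl.key missing or mismatched"; rc=1
        fi
    else
        echo "INFO no pveproxy-ssl.pem, web GUI serves pve-ssl.pem"
    fi
    return "$rc"
}
```

Source the file on the node and run `check_pve_certs`; pass two directories to check a copy of the files instead of `/etc/pve`.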