VNC console certificate does not match

matagou

Jun 18, 2013
Hi,

I changed self signed certificates for Proxmox Version: 3.0-20/0428106c

I use a * certificate signed from PositiveSSL CA 2

I have changed them according to the instructions at http://pve.proxmox.com/wiki/HTTPSCertificateConfiguration

When I access in browser at https://myproxmoxserver.com:8006 the connection is ok, no security warnings.

When I want to open console of a VM, I receive the following error.

Error: TLS handshake failed javax.net.ssl.SSLHandshakeException:java.security.cert.CertificateException: certificate does not match

Please advise on above,

Thanks,
 
are you sure you restarted the pveproxy and pvedaemon (see wiki)?
 
are you sure you restarted the pveproxy and pvedaemon (see wiki)?

Yes, the services were restarted

root@proxmox ~ # service pveproxy restart
Restarting PVE API Proxy Server: pveproxy.
root@proxmox ~ # service pvedaemon restart
Restarting PVE Daemon: pvedaemon.
root@proxmox ~ #

A little bit more explanation. The proxmox VE is reachable via https://proxmox.domain.com:8006

The * certificate for *.domain.com is signed by PositiveSSL CA 2. In browser, I have no warning about certificate, I see the correctly loaded certificate for *.domain.com.

VNC still does not work.
 
Please share a link to more documentation about certificates for the VNC console of Proxmox. The information from the wiki didn't help me a lot.

Thanks,
 
We have the same issue. Using a wildcard certificate with browser works like a charm. As soon as you open the java based vnc viewer we get this annoying java error. I tried several installations but always the same error: TLS handshake failed javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: certificate does not match
BTW it is not a wildcard related error. Same issue with "normal" certificates.
 
Yes, it is a RapidSSL certificate, which uses an intermediate, but I copied just the root CA, server certificate and private key (without password).
 
You need to do the following:
cat your_certificate.pem intermediate_certificate.pem > /etc/pve/local/pve-ssl.pem
on every node.

After that you need to clear your java cache:
- your_jre_folder/bin/ControlPanel
- click the button 'View' under 'Temporary Internet Files'
- under 'Show' choose the drop-down 'Resources'
- delete every instance of 'VncViewer.jar'
- restart your browser

After this your personal certificate should work.

You can check that your installation is correct here, provided there is public access to your gui:
http://www.digicert.com/help/
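
A pre-install check for the bundle this post describes, as an added example that is not part of the original post: it counts the certificates, flags CRLF line endings left by a copy from Windows, and confirms the server certificate comes before its intermediate. The function names are this example's own, and the expected count of two assumes the server-plus-intermediate bundle described above.

```shell
#!/bin/sh
# Added example (not from the thread): lint a PEM bundle before copying it
# to /etc/pve/local/pve-ssl.pem. Usage: lint_bundle your_bundle.pem

# Print the number of certificates in the bundle.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed if the file contains carriage returns (CRLF line endings).
has_crlf() {
    cr=$(printf '\r')
    grep -q "$cr" "$1"
}

# Read "subject=" / "issuer=" lines on stdin (as printed by show_chain) and
# succeed only if every certificate was issued by the one that follows it.
chain_in_order() {
    awk '/^subject=/ { s = substr($0, 9); if (n && s != iss) bad = 1; n++ }
         /^issuer=/  { iss = substr($0, 8) }
         END { exit (bad || n == 0) }'
}

# Print each certificate's subject and issuer in file order.
show_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Run all checks on one bundle and print one line per finding.
lint_bundle() {
    n=$(count_certs "$1")
    # Assumption: the bundle should hold exactly server + intermediate.
    [ "$n" -eq 2 ] || echo "unexpected certificate count: $n (expected 2)"
    if has_crlf "$1"; then
        echo "CRLF line endings found"
    fi
    if show_chain "$1" | chain_in_order; then
        echo "order ok: each certificate is issued by the next one"
    else
        echo "order wrong: server certificate must come first"
    fi
}
```

`lint_bundle` needs the `openssl` command line tool; the other functions only need `grep` and `awk`.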
 
Thank you for your fast reply.
I did it and I get no errors testing via digicert.com. Everything is looking good.
I also cleared the Java cache on my clients.
But the VNC console still refuses to work. At least I get a new error message:
"Error: Could not parse certificate: Java.io.IOException: illegal Header: -----BEGIN CERTIFICATE-----"

Now, because I thought it has something to do with a wrong coding of the files, I put all my .crt files into .pem files via openssl:
openssl x509 -in input.crt -out input.der -outform DER
then
openssl x509 -in input.der -inform DER -out output.pem -outform PEM
(Source: http://moze.koze.net/?p=81)

Reboot and I can access via browser without problems. Checked with digicert.com -> everything is fine.

But now another different error when opening the console:

"Error: TLS handshake failed javax.net.ssl SSLHandshakeException: Java.security.cert.CertificateException: cert path too Long"

Crazy...

This is odd, because the certificate is definitely okay.
Any other ideas?
Best!
Florian
 
Woohhaaa. Where are my posts?
Anyway. It is the latest release from the Proxmox website. Downloaded and installed last week. Ran into certificate issues yesterday, when changing to our own certificates.
It is Version 3.0-20/0428106c

This is what I did so far:
-> certificate and intermediate installed as described in your wiki
-> digicert.com check OK, console fails "Parsing error ----BEGIN..."
-> changed .crt files to .pem files via openssl
(
openssl x509 -in input.crt -out input.der -outform DER

then
openssl x509 -in input.der -inform DER -out output.pem -outform PEM
)

-> digicert.com check OK, console fails "Error: TLS Handshake ... path too Long"

I am clueless. Normally I would switch back to the Proxmox certificates, but it looks strange to my customers when they get a certificate warning every time they access the website.
Best!

Florian
 
A crt certificate is in PEM format already, so there is no need for conversion. How did you merge the two certificates? The order is important.

The error 'path too long' makes me believe that you have more than two certificates merged together. Is this a correct observation?
 
Yes, normally it is, but sometimes there are still issues with wrong codes, e.g. when you copy them from Windows to Linux there is sometimes a strange behaviour.
I checked all certificates for that issue, but they are fine.

I merged it like this: cat Server.crt intermediate.crt > pve-ssl.pem
So I think the order is okay.

The intermediate certificate has only one certificate "inside", so altogether the .pem file has two certificates in the chain.

I also cleared the Java and browser cache.
How can I make sure that I have the latest vncterm package? I installed it from the Proxmox ISO file and I am not a 100% Linux pro. :)
 
Thanks, that was easy :)
I updated everything. Did not touch the certificates and guess what, I got a brand new error:
"TLS handshake failed...certificate does not match"
The digicert check still has no errors. That is really weird.
But thank you in advance for your help!
 
