VNC console certificate does not match

If you click on the lock in the browser address line in the VNC terminal window, what information do you get about the certificate?
You might need to clear browser and java cache once more after your upgrade.
 
I can see my own certificate. now i reverted everything to the beginning. installed the original certificates
-> browser gives me a certificate warning, VNC terminal is running perfectly.

Then i made everything again like it is written in the wiki. Intermediate certs, browser Cache deleted, Java Cache deleted
-> browser everything perfect, VNC throws an error "could not parse certificate ... ----BEGIN..."

Come on. I think the Problem is the rapidssl Wildcard certificate. Can anybody confirm a running PVE 3.0 Environment with a Wildcard RapidSSL Certificate?
Or which SSL Certificates (vendor) do you use?
At the Moment i am pretty sure, that it is not human failure
 
i gave up initially before they patched it and just did an nginx reverse proxy - but the process is cert agnostic - although the thing to note - the intermediate certs for rapidssl counts at 2, so the cert count for a rapidssl wildcard setup including the cert itself would be 3 - not sure if that has any bearing on the java applet judging on the previous reasons to why it was failing
 
This is my second time through this process. I had a similar situation prior to upgrading to the latest PVE 3.0. The last time it was a bit more complicated as Apache was in the mix. (http://forum.proxmox.com/threads/7316-VNC-TLS-handshake-failed)

This time I got my Certs to work with no real issue, followed the instructions as others above, even got my StartSSL intermediate certs working and verified using the DigiCert site.(trust but verify).

All that said I still can't get my console to open I get the "Error: TLS handshake failed javax.net.ssl.SSL Handshake Exception:java.security.cert...." error message. Looking back at my old post from PVE 2.X I had the exact same issue, basically you leave the original files in place and simply add your new certs; except for some reason (I'm sure it's ignorance on my part), the same rules don't seem to apply.

Anyone have a clear set of steps to address not just using your own certs, that part works flawlessly. I am specifically asking how to list and validate/verify that the Console level certificate components are all in place. This way there is no ambiguity. I really need console access at this point on one of my VMs because I have to boot from ISO and run fsck, can't really do that too many other ways.

Thanks in advance for any constructive help.
 
I am still struggling with the same Problem like degrootm. Even with a StartSSL Certificate as mir recommended i wasn't able to get the console running. I even started from scratch, did EVERYTHING EXACTLY as it is described in the wiki. Downloaded the actual ISO installer file and all I get is a perfect running web GUI. But as soon as I want to start the Java Applet I get the same error again (like degrootm).
Because I did this approx. Minimum 10 times with PVE 3.0 (reinstall, reconfigure, different certificates, Wildcard, with intermediate, without intermediate, different certificate vendors) and ended up always with the same error, i think NOBODY made it to implement its own certificates and got a running Java Applet console.
 
I have this working here.

Pay especially attention to this from the wiki: cat server.pem intermediate_certificate.pem > /etc/pve/local/pve-ssl.pem
The order is important doing it the other way round and your java console will fail.
You must also be sure to clean any cached version of the vnc-console on your client. (ControlPanel)
The operation must also be done on every client as well as restarting both pve-daemon and pve-proxy.
 
Well the good news is that someone has it working, so now it's just a matter of getting past my ignorance.
I did exactly as stated above, even copying my sub.class2.server.ca.pem file to intermediate_certificate.pem just so I could cut and paste the command from your post.

Restarted the PVE daemon and proxy with these commands:
service pveproxy restart
service pvedaemon restart

Went ahead and cleared the cache from the Java Console.
Yup, you guessed it, still no vnc-console (same java error). Even on a new machine never used before.
So clearly I'm missing something very basic.

I will rebuild from scratch this weekend if I can't get this to work. It's just hard to figure out why the Certificate is working and can be verified but the console can't work with the same certificate. I know in the previous version the root-CA was the source of the issue, in the sense that you had to leave some of the originally installed Certs in place. I took that to mean that the Java console certs are not the same as the Apache ones. That seemed to hold water in the previous version. Now that Apache is no more, I'm not clear on the mapping of the Console certs. The excellent instructions on replacing the default certs with your own are flawless(and still working BTW).
 
The cert used by pve-proxy is identical to apache (/etc/pve/local/pve-ssl.key /etc/pve/local/pve-ssl.pem)

You are using latest stable pve-3.0?
 
First of all thank you for the continued support in trying to get this to work. Yes, I just updated again, just to be 100% sure.

# pveversion
pve-manager/3.0/957f0862


Still in the same place. I was hopeful but updating made no change.

Are the following files even relevant anymore ?:

/etc/pve/pve-root-ca.pem
/etc/pve/priv/pve-root-ca.key

When I look at the date stamp on those files they are old and I'm guessing no longer in use or relevant to the Cert changes.
At this point I just want to rule out pilot error, because in the rush to get stuff done, I can make dumb mistakes. I'm back tracking now to make sure I didn't shoot myself in the foot. Really don't want to blow a weekend reworking this to end up back in the same place.
 
I found that I had to put the intermediate certificate at the top of /etc/pve/pve-root-ca.pem. Maybe as well as /etc/pve/local/pve-ssl.pem? I didn't remove it from there after following the wiki instructions.

I now have a working console on PVE3.
 
PERFECT !!! That was it. I did exactly as you said, no changes, and then restarted the daemons and it worked.
Thank you for the help, now I'm back on track.

I would suggest an update to the wiki instructions for this as well.
 
yes, please add your comments (everybody can add content to the wiki pages).
 
The wiki states that you should replace both /etc/pve/pve-root-ca.pem and /etc/pve/local/pve-ssl.pem so I find it hard to see what needs to be updated?
 
I stumbled across the same issue as I was using StartSSL (with the need to use intermediate certificate) too.

Wiki doesn't mention that pve-root-ca.pem also needs intermediate certificate in it.
 
My /etc/pve/pve-root-ca.pem contains the ca.pm found at startssl's site and only this certificate.

For me, it (VNC console) only works when pve-root-ca.pem gets intermediate certificate added to it. Maybe it can be noted on the wiki as "if it doesn't work with ca certificate alone, try adding intermediate certificate to pve-root-ca.pem".
 
I'm another user who had to add the intermediate certificate to pve-root-ca.pem in order to get VNC consoles working (StartSSL certificate)
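
Added example, not part of any post in this thread and not Proxmox code: shell functions for the two checks the thread converges on, namely that the bundle lists the server certificate before its intermediate, and that the server certificate verifies against the CA file only when that file also holds the intermediate. It assumes the openssl CLI is installed; the function names and the demo chain are constructed for illustration, and using openssl verify as a stand-in for the Java applet's check is an assumption.

```shell
#!/bin/sh
# split_bundle FILE DIR: write each certificate in FILE to DIR/cert-N.pem, in file order.
split_bundle() {
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
                   on { print > (d "/cert-" n ".pem") }
                   /-----END CERTIFICATE-----/ { on = 0 }' "$1"
}

# bundle_order_ok FILE: succeed only if each certificate is issued by the one after it
# (server certificate first, then its intermediate), the order the thread says matters.
bundle_order_ok() {
    dir=$(mktemp -d) || return 2
    split_bundle "$1" "$dir"
    i=1; rc=0
    [ -f "$dir/cert-1.pem" ] || rc=2    # no certificate found at all
    while [ -f "$dir/cert-$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -noout -issuer_hash -in "$dir/cert-$i.pem")
        next=$(openssl x509 -noout -subject_hash -in "$dir/cert-$((i + 1)).pem")
        [ "$issuer" = "$next" ] || { echo "cert $i is not issued by cert $((i + 1))" >&2; rc=1; }
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}

# leaf_trusted_by BUNDLE CAFILE: verify the first certificate of BUNDLE against CAFILE
# with no extra chain supplied, so a CAFILE lacking the intermediate fails.
leaf_trusted_by() {
    dir=$(mktemp -d) || return 2
    split_bundle "$1" "$dir"
    rc=0
    openssl verify -CAfile "$2" "$dir/cert-1.pem" >/dev/null 2>&1 || rc=$?
    rm -rf "$dir"
    return "$rc"
}

# make_demo_chain DIR: constructed sample data (root -> int -> server, valid 1 day).
make_demo_chain() {
    d=$1; printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root int server; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 1 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 1 -out "$d/server.pem" 2>/dev/null
}
```

On a node, the calls would be `bundle_order_ok /etc/pve/local/pve-ssl.pem` and `leaf_trusted_by /etc/pve/local/pve-ssl.pem /etc/pve/pve-root-ca.pem`.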
 
Hi guys

I have the exact same problem. I have tried the suggestions above, but no joy. I believe the only difference is I have self-signed certs.

* checked keys and (selfsigned) ca certificates with apache2 test server
* checked DNS is correct and have correct url
* Insert new keys into /etc/pve/local/pve-ssl.key and pve-ssl.pem (in PEM format)
* Insert CA certificate into /etc/pve-root-ca.pem (also PEM)
* restart pveproxy and pvedaemon
* close browser and clear all history,cookies etc
* open java control panel and clean all temporary files, especially .jar extensions.
* open proxmox browser and functions fine but when trying to open vnc console get:
Error: Could not parse certificate: java.io.IOException: Illegal header: -----BEGIN CERTIFICATE-----

* Also tried pasting ca certificate above and below the normal server certificate, as per (cat Server.crt intermediate.crt > pve-ssl.pem) but I don't believe I have an intermediate certificate?

So I don't believe this is solved? I apologize if I have missed something
 
