[pve-devel] Something missing in http://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x_and_newer) ?

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Nov 22 12:26:42 CET 2016


On Tue, Nov 22, 2016 at 12:11:22PM +0100, Stefan Priebe - Profihost AG wrote:
> Am 22.11.2016 um 11:56 schrieb Dietmar Maurer:
> > I think this commit should solve the issue:
> > 
> > https://git.proxmox.com/?p=pve-manager.git;a=commitdiff;h=333dd203d5e07d9d3e20d3674a2e3ff2fc89fa8c
> > 
> >> Please can you test with latest version from git?
> 
> Already running that version ;-) But thank you for pointing me to this
> commit. If I revert that one it's working fine again.
> 
> The issue in my case was that the verify in HTTPServer.pm verify_cb was
> failing.
> 
> The documentation says:
> "fullchain.pem (your certificate and all intermediate certificates,
> excluding the root certificate, in PEM format)"
> 
> With the full chain it's not working. I then removed the whole chain and
> only put my final crt into that one and now it's working fine. With
> the full chain $depth was 2 in my case.

I will do some more testing later on - is it possible that you put the
certificates into the file in the "wrong" order (leaf first, then
intermediate would be correct)?

The pinning is supposed to only verify the last certificate in the chain
(as returned by the server), so whether you have a chain of depth 2 or 3
(self-signed root + leaf or root + ca + leaf) does not matter at all.
But when reading from a .pem file with multiple certificates OpenSSL
reads the first one in the file, so it's possible that in your case we
attempt to compare the leaf certificate's fingerprint (from the
connection / server) to the CA certificate's fingerprint (from the .pem
file), which obviously does not work.

If you want, you could send me the certificate file off-list (only the
certificate please! unless those are from a test node with self-signed
certificates that you don't care about) and I will try to recreate your
setup for further tests...
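
The ordering effect described above, as an added example that is not part of this message or of pve-manager's HTTPServer.pm: it models in plain Python what the mail says happens, namely that the pin is taken from the first CERTIFICATE block of the .pem file (OpenSSL reads only the first one from a multi-cert file) while the callback compares that pin only against the depth-0 certificate the server sends. The function names (pin_from_pem_file, verify_cb, verify_chain, leaf_position) and the certificate bodies are assumptions for the illustration: the "certificates" are constructed placeholder bytes, not real X.509 DER, so the script runs offline. The PEM and fingerprint helpers work unchanged on a real fullchain.pem, and leaf_position is the check to run when a pin mismatch shows up after installing a chain file.

```python
"""Pin check vs. certificate order in fullchain.pem (added example, not pve code).

Models the two behaviours described in the mail: the pin is read from the
FIRST CERTIFICATE block of the file (as OpenSSL does for a multi-cert PEM),
and the verify callback compares that pin only at depth 0, the leaf sent by
the server. Certificate bodies are constructed placeholder bytes, not real
X.509 DER; the PEM and fingerprint helpers work unchanged on a real file.
"""
import base64
import hashlib
import re
from typing import Dict, List

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def pem_to_der_list(pem_text: str) -> List[bytes]:
    """All CERTIFICATE blocks in file order, decoded to DER bytes."""
    return [base64.b64decode("".join(b.split())) for b in PEM_BLOCK.findall(pem_text)]

def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as one PEM CERTIFICATE block (64-column base64)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, colon-separated like 'openssl x509 -fingerprint'."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def pin_from_pem_file(pem_text: str) -> str:
    """The pin a single-certificate PEM read yields: first block only."""
    ders = pem_to_der_list(pem_text)
    if not ders:
        raise ValueError("no CERTIFICATE block found")
    return fingerprint(ders[0])

def verify_cb(preverify_ok: bool, depth: int, der: bytes, pin: str) -> bool:
    """Pinning callback: compare only the leaf (depth 0) against the pin.

    Other depths are accepted regardless of preverify_ok, so whether the
    server sends a chain of depth 2 or 3 does not matter.
    """
    if depth != 0:
        return True
    return fingerprint(der) == pin

def verify_chain(server_chain: List[bytes], pin: str) -> bool:
    """Run the callback over the chain the server sent (list index == depth).

    OpenSSL calls the callback from the deepest certificate down to the leaf,
    so depth 0 is the last one checked.
    """
    for depth in range(len(server_chain) - 1, -1, -1):
        if not verify_cb(True, depth, server_chain[depth], pin):
            return False
    return True

def leaf_position(pem_text: str, leaf_der: bytes) -> int:
    """Index of the leaf inside the PEM file (-1 if absent); anything but 0 is wrong order."""
    want = fingerprint(leaf_der)
    for idx, der in enumerate(pem_to_der_list(pem_text)):
        if fingerprint(der) == want:
            return idx
    return -1

# Constructed placeholders for the three certificates; they only need to be distinct.
LEAF_DER = b"constructed: leaf certificate of the node"
INTERMEDIATE_DER = b"constructed: intermediate CA certificate"
ROOT_DER = b"constructed: self-signed root CA certificate"

# Chain as presented on the connection: leaf at depth 0, root at depth 2.
SERVER_CHAIN = [LEAF_DER, INTERMEDIATE_DER, ROOT_DER]

# fullchain.pem as documented: leaf first, then intermediate, root excluded.
FULLCHAIN_CORRECT = der_to_pem(LEAF_DER) + der_to_pem(INTERMEDIATE_DER)
# Same two certificates, intermediate first: the pin becomes the CA fingerprint.
FULLCHAIN_WRONG_ORDER = der_to_pem(INTERMEDIATE_DER) + der_to_pem(LEAF_DER)

def demo() -> Dict[str, bool]:
    """Pin check outcome for both file layouts against the same server chain."""
    return {
        "leaf_first": verify_chain(SERVER_CHAIN, pin_from_pem_file(FULLCHAIN_CORRECT)),
        "intermediate_first": verify_chain(SERVER_CHAIN, pin_from_pem_file(FULLCHAIN_WRONG_ORDER)),
    }

if __name__ == "__main__":
    for layout, ok in demo().items():
        print(f"{layout}: {'pin matches' if ok else 'pin mismatch'}")
    print("leaf index in wrong-order file:", leaf_position(FULLCHAIN_WRONG_ORDER, LEAF_DER))
```

With the leaf first the pin equals the depth-0 fingerprint and the chain passes; with the intermediate first the pin is the CA's fingerprint, the depth-0 comparison fails, and the connection is rejected even though the server's chain is perfectly valid, which is the symptom reported earlier in this thread. On a real node the same comparison can be made by hand with `openssl x509 -noout -fingerprint -sha256 -in fullchain.pem` (which, like the pinning code, only looks at the first block) against the leaf fingerprint shown by `openssl s_client`.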