[pve-devel] Something missing in http://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x_and_newer) ?

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Tue Nov 22 13:09:17 CET 2016


Hi,

On 22.11.2016 at 12:26, Fabian Grünbichler wrote:
> On Tue, Nov 22, 2016 at 12:11:22PM +0100, Stefan Priebe - Profihost AG wrote:
>> On 22.11.2016 at 11:56, Dietmar Maurer wrote:
>>> I think this commit should solve the issue:
>>>
>>> https://git.proxmox.com/?p=pve-manager.git;a=commitdiff;h=333dd203d5e07d9d3e20d3674a2e3ff2fc89fa8c
>>>
>>>> Please can you test with latest version from git?
>>
>> Already running that version ;-) But thank you for pointing me to this
>> commit. If i revert that one it's working fine again.
>>
>> The issue in my case was that the verify in HTTPServer.pm verify_cb was
>> failing.
>>
>> The documentation says:
>> "fullchain.pem (your certificate and all intermediate certificates,
>> excluding the root certificate, in PEM format)"
>>
>> With the full chain it's not working. I then removed the whole chain and
>> only put my final crt into that one and now it's working fine. With
>> the full chain $depth was 2 in my case.
> 
> I will do some more testing later on - is it possible that you put the
> certificates into the file in the "wrong" order (leaf first, then
> intermediate would be correct)?
> 
> The pinning is supposed to only verify the last certificate in the chain
> (as returned by the server), so whether you have a chain of depth 2 or 3
> (self-signed root + leaf or root + ca + leaf) does not matter at all.
> But when reading from a .pem file with multiple certificates OpenSSL
> reads the first one in the file, so it's possible that in your case we
> attempt to compare the leaf certificate's fingerprint (from the
> connection / server) to the CA certificate's fingerprint (from the .pem
> file), which obviously does not work.
> 
> If you want, you could send me the certificate file off-list (only the
> certificate please! unless those are from a test node with self-signed
> certificates that you don't care about) and I will try to recreate your
> setup for further tests...

As this is a real-life certificate which is not self-signed but signed
by the CA, I'm not comfortable with that.

But maybe you're already right and the order in the file is important.

Wouldn't it be easier for users to just put the single .crt into this
location and put the CA chain into pve-root-ca.pem?

Greets,
Stefan
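To illustrate the ordering problem Fabian describes above (a PEM reader takes the first certificate in the file, so a bundle with the intermediate CA first makes the pinned fingerprint come from the wrong certificate), here is an added example that is not part of this thread and not Proxmox's own HTTPServer.pm code. It uses only the Python standard library; the two "certificates" are constructed placeholder payloads wrapped in PEM armour, since a SHA-256 fingerprint is just the hash of the DER bytes and the check does not depend on real X.509 content. The function names (`pinned_fingerprint`, `verify_peer_leaf`, `matching_position`) are assumptions made here, not Proxmox API names.

```python
import base64
import hashlib
import re

# One PEM certificate block; re.S lets '.' span the base64 lines.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der_list(pem_bundle: bytes) -> list:
    """Split a PEM bundle into DER blobs, preserving file order."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem_bundle)]


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour (64-column base64 lines)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the usual colon-separated upper-case form."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pinned_fingerprint(pem_bundle: bytes) -> str:
    """Fingerprint of the FIRST certificate in the file, mirroring how a
    single-certificate PEM read behaves on a multi-certificate bundle."""
    certs = pem_to_der_list(pem_bundle)
    if not certs:
        raise ValueError("no certificate found in PEM bundle")
    return fingerprint(certs[0])


def verify_peer_leaf(leaf_der: bytes, pem_bundle: bytes) -> bool:
    """Pinning check: does the leaf presented by the server match the pin
    derived from the bundle? Fails when the bundle is not leaf-first."""
    return fingerprint(leaf_der) == pinned_fingerprint(pem_bundle)


def matching_position(leaf_der: bytes, pem_bundle: bytes) -> int:
    """Diagnostic: index of the bundle entry that matches the server leaf,
    or -1. A value > 0 means the file is in the wrong order for pinning."""
    leaf_fp = fingerprint(leaf_der)
    for i, der in enumerate(pem_to_der_list(pem_bundle)):
        if fingerprint(der) == leaf_fp:
            return i
    return -1


# Constructed placeholders standing in for DER-encoded certificates.
LEAF_DER = b"constructed-leaf-certificate-der"
INTERMEDIATE_DER = b"constructed-intermediate-ca-der"

# Correct layout: leaf first, then the intermediate (per the wiki text quoted above).
LEAF_FIRST_BUNDLE = der_to_pem(LEAF_DER) + der_to_pem(INTERMEDIATE_DER)
# Wrong layout: intermediate first, leaf second.
CA_FIRST_BUNDLE = der_to_pem(INTERMEDIATE_DER) + der_to_pem(LEAF_DER)

if __name__ == "__main__":
    for name, bundle in (("leaf-first", LEAF_FIRST_BUNDLE), ("ca-first", CA_FIRST_BUNDLE)):
        ok = verify_peer_leaf(LEAF_DER, bundle)
        pos = matching_position(LEAF_DER, bundle)
        print(f"{name}: pin matches server leaf = {ok}, leaf found at index {pos}")
```

Running it shows the leaf-first bundle passing and the CA-first bundle failing, with `matching_position` reporting index 1 for the latter; on a real node the same diagnostic can be run with `openssl x509 -noout -fingerprint -sha256` against the server's presented certificate and each entry of the .pem file to see which one the pin was actually taken from.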

> 
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 