[pve-devel] spice problems

Fabian Gr├╝nbichler f.gruenbichler at proxmox.com
Mon Jan 9 08:08:54 CET 2017

On Thu, Jan 05, 2017 at 01:11:28AM +0100, Michael Rasmussen wrote:
> Hi all,
> [snip]
> I can see the certificate return from the API2 is the default
> selfsigned certificate installed with proxmox but I have real
> certificates installed following this howto:
> https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x_and_newer)#CAs_other_than_Let.27s_Encrypt
> I did remember to revert to default configuration.

so you should now have

/etc/pve/pve-root-ca.pem (self-signed cluster CA cert generated by pvecem)
/etc/pve/priv/pve-root-ca.key (private key for ^^^)

and for each node

/etc/pve/nodes/NODE/pve-ssl.pem (node cert signed by cluster CA)
/etc/pve/nodes/NODE/pve-ssl.key (private key for ^^^)
/etc/pve/nodes/NODE/pveproxy-ssl.pem (custom cert chain for pveproxy)
/etc/pve/nodes/NODE/pveproxy-ssl.pem (private key for node cert from ^^^)

could you verify that the correct files are in the correct place with
the following command for each of the certificates?

# openssl x509 -in PATH -noout -subject -issuer

if you restart the pveproxy service, the log should indicate that the
pveproxy-ssl.pem certificate chain file is used, and not display any
errors, could you verify this as well?

the GUI and API should return the same certificate (they are handled by
the same web server after all, and the GUI is just some static files +
calls to the API), can you verify which one it is? e.g., using curl:

$ curl -k -v https://YOURNODE:8006/

last but not least, could you verify that the node cert in pve-ssl.pem
is actually signed by the cluster CA? example:

# openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/nodes/nora/pve-ssl.pem
/etc/pve/nodes/nora/pve-ssl.pem: OK

note that you don't need to include the actual host names or other
sensitive information when replying.

More information about the pve-devel mailing list