[pve-devel] spice problems

Michael Rasmussen mir at datanom.net
Tue Jan 10 01:50:35 CET 2017


On Mon, 9 Jan 2017 08:08:54 +0100
Fabian Grünbichler <f.gruenbichler at proxmox.com> wrote:

> 
> so you should now have
> 
> /etc/pve/pve-root-ca.pem (self-signed cluster CA cert generated by pvecem)
> /etc/pve/priv/pve-root-ca.key (private key for ^^^)
> 
check
> and for each node
> 
> /etc/pve/nodes/NODE/pve-ssl.pem (node cert signed by cluster CA)
> /etc/pve/nodes/NODE/pve-ssl.key (private key for ^^^)
> /etc/pve/nodes/NODE/pveproxy-ssl.pem (custom cert chain for pveproxy)
> /etc/pve/nodes/NODE/pveproxy-ssl.pem (private key for node cert from ^^^)
> 
Check (I guess pveproxy-ssl.pem (private key for node cert from ^^^)
should be pveproxy-ssl.key?)

> could you verify that the correct files are in the correct place with
> the following command for each of the certificates?
> 
> # openssl x509 -in PATH -noout -subject -issuer
> 
openssl x509 -in /etc/pve/pve-root-ca.pem -noout -subject -issuer
subject= /CN=Proxmox Virtual Environment/OU=d43de9da-071f-4ae5-b05b-a31593bb5668/O=PVE Cluster Manager CA
issuer= /CN=Proxmox Virtual Environment/OU=d43de9da-071f-4ae5-b05b-a31593bb5668/O=PVE Cluster Manager CA

openssl x509 -in /etc/pve/nodes/esx1/pve-ssl.pem -noout -subject -issuer
subject= /OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=esx1.datanom.net
issuer= /CN=Proxmox Virtual Environment/OU=d43de9da-071f-4ae5-b05b-a31593bb5668/O=PVE Cluster Manager CA

openssl x509 -in /etc/pve/nodes/esx2/pve-ssl.pem -noout -subject -issuer
subject= /OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=esx2.datanom.net
issuer= /CN=Proxmox Virtual Environment/OU=d43de9da-071f-4ae5-b05b-a31593bb5668/O=PVE Cluster Manager CA

openssl x509 -in /etc/pve/nodes/esx1/pveproxy-ssl.pem -noout -subject -issuer
subject= /OU=Domain Control Validated/CN=*.datanom.net
issuer= /C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2

openssl x509 -in /etc/pve/nodes/esx2/pveproxy-ssl.pem -noout -subject -issuer
subject= /OU=Domain Control Validated/CN=*.datanom.net
issuer= /C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2

> if you restart the pveproxy service, the log should indicate that the
> pveproxy-ssl.pem certificate chain file is used, and not display any
> errors, could you verify this as well?
> 
systemctl restart pveproxy
systemctl status -l pveproxy
● pveproxy.service - PVE API Proxy Server
   Loaded: loaded (/lib/systemd/system/pveproxy.service; enabled)
   Active: active (running) since Tue 2017-01-10 01:31:51 CET; 13s ago
  Process: 31999 ExecStop=/usr/bin/pveproxy stop (code=exited, status=0/SUCCESS)
  Process: 32020 ExecStart=/usr/bin/pveproxy start (code=exited, status=0/SUCCESS)
 Main PID: 32025 (pveproxy)
   CGroup: /system.slice/pveproxy.service
           ├─32025 pveprox
           ├─32026 pveproxy worke
           ├─32027 pveproxy worke
           └─32028 pveproxy worke

Jan 10 01:31:51 esx1 pveproxy[32020]: Using '/etc/pve/local/pveproxy-ssl.pem' as certificate for the web interface.
Jan 10 01:31:51 esx1 pveproxy[32025]: starting server
Jan 10 01:31:51 esx1 pveproxy[32025]: starting 3 worker(s)
Jan 10 01:31:51 esx1 pveproxy[32025]: worker 32026 started
Jan 10 01:31:51 esx1 pveproxy[32025]: worker 32027 started
Jan 10 01:31:51 esx1 pveproxy[32025]: worker 32028 started
Jan 10 01:31:51 esx1 systemd[1]: Started PVE API Proxy Server.

> the GUI and API should return the same certificate (they are handled by
> the same web server after all, and the GUI is just some static files +
> calls to the API), can you verify which one it is? e.g., using curl:
> 
> $ curl -k -v https://YOURNODE:8006/
> 
curl -k -v https://esx1.datanom.net:8006/
*   Trying 172.16.3.8...
* TCP_NODELAY set
* Connected to esx1.datanom.net (172.16.3.8) port 8006 (#0)
* found 176 certificates in /etc/ssl/certs/ca-certificates.crt
* found 1117 certificates in /etc/ssl/certs
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* 	 server certificate verification SKIPPED
* 	 server certificate status verification SKIPPED
* 	 common name: *.datanom.net (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: OU=Domain Control Validated,CN=*.datanom.net
* 	 start date: Fri, 30 Dec 2016 20:47:18 GMT
* 	 expire date: Tue, 31 Dec 2019 20:47:18 GMT
* 	 issuer: C=BE,O=GlobalSign nv-sa,CN=AlphaSSL CA - SHA256 - G2
* 	 compression: NULL
* ALPN, server did not agree to a protocol

The same certificate shown in browser.

> last but not least, could you verify that the node cert in pve-ssl.pem
> is actually signed by the cluster CA? example:
> 
> # openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/nodes/nora/pve-ssl.pem
> /etc/pve/nodes/nora/pve-ssl.pem: OK
> 
openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/nodes/esx1/pve-ssl.pem
/etc/pve/nodes/esx1/pve-ssl.pem: OK
openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/nodes/esx2/pve-ssl.pem
/etc/pve/nodes/esx2/pve-ssl.pem: OK

> note that you don't need to include the actual host names or other
> sensitive information when replying.
It's ok since they are all running on a closed network without access to
the outside world.

-- 
Hilsen/Regards
Michael Rasmussen

Get my public GnuPG keys:
michael <at> rasmussen <dot> cc
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E
mir <at> datanom <dot> net
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C
mir <at> miras <dot> org
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917
--------------------------------------------------------------
/usr/games/fortune -es says:
Thirteen at a table is unlucky only when the hostess has only twelve
chops. -- Groucho Marx
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.proxmox.com/pipermail/pve-devel/attachments/20170110/2dce735d/attachment.sig>
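The checks Fabian asks for above (subject/issuer of each file, node cert chaining to pve-root-ca.pem, the certificate pveproxy actually serves on port 8006) collected into one script, as an added example that is not part of this thread and not Proxmox's own tooling. It assumes the /etc/pve layout quoted in the mail and the openssl CLI. Beyond what the thread does by hand it also checks that each private key really belongs to its certificate, and compares the SHA-256 fingerprint of the served certificate with the one on disk, which is a stronger test than reading the subject line in curl's output. The demo at the bottom builds a throw-away cluster CA and node certificates in a temporary directory (constructed data; the node names esx1/esx2 are reused from the thread, the example.net domain is an assumption) so it runs offline; on a real node you would call check_node /etc/pve "$(hostname)" and served_matches_local instead.

```shell
#!/bin/sh
# Added example, not from the thread or from Proxmox: reproduce the checks
# discussed in the mail against the /etc/pve layout, plus a key/cert match
# and a served-vs-on-disk fingerprint comparison. Requires the openssl CLI.
set -eu

# Subject and issuer of a certificate (the command used in the thread).
subject_issuer() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# 0 if certificate $1 chains to the CA in file $2 (the pve-ssl.pem check).
signed_by_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if private key $2 belongs to certificate $1. Compares the PEM-encoded
# SubjectPublicKeyInfo of both, so it works for RSA and EC keys alike.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# SHA-256 fingerprint of the first certificate in PEM file $1.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the leaf certificate host $1 presents on port ${2:-8006}
# (needs network; not exercised by the offline demo below).
served_fingerprint() {
    openssl s_client -connect "$1:${2:-8006}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# 0 if host $1 serves exactly the certificate stored in file $2.
served_matches_local() {
    [ "$(served_fingerprint "$1" "${3:-8006}")" = "$(cert_fingerprint "$2")" ]
}

# Offline checks for node $2 under PVE root $1 (e.g. /etc/pve). Prints one
# line per failed check and returns non-zero if any failed.
check_node() {
    root=$1; node=$2; nodedir="$root/nodes/$node"; rc=0
    signed_by_ca "$nodedir/pve-ssl.pem" "$root/pve-root-ca.pem" ||
        { echo "$node: pve-ssl.pem is not signed by pve-root-ca.pem"; rc=1; }
    key_matches_cert "$nodedir/pve-ssl.pem" "$nodedir/pve-ssl.key" ||
        { echo "$node: pve-ssl.key does not match pve-ssl.pem"; rc=1; }
    # The custom pveproxy chain is optional; when present its key must match the leaf.
    if [ -f "$nodedir/pveproxy-ssl.pem" ]; then
        key_matches_cert "$nodedir/pveproxy-ssl.pem" "$nodedir/pveproxy-ssl.key" ||
            { echo "$node: pveproxy-ssl.key does not match pveproxy-ssl.pem"; rc=1; }
    fi
    return $rc
}

# Build a throw-away cluster CA and one node certificate in the PVE layout
# under directory $1 for node $2 (constructed demo data, not a real cluster).
make_demo_pki() {
    dir=$1; node=$2; nodedir="$dir/nodes/$node"
    mkdir -p "$dir/priv" "$nodedir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Proxmox Virtual Environment/O=PVE Cluster Manager CA" \
        -keyout "$dir/priv/pve-root-ca.key" -out "$dir/pve-root-ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=$node.example.net" \
        -keyout "$nodedir/pve-ssl.key" -out "$nodedir/pve-ssl.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$nodedir/pve-ssl.csr" \
        -CA "$dir/pve-root-ca.pem" -CAkey "$dir/priv/pve-root-ca.key" -CAcreateserial \
        -out "$nodedir/pve-ssl.pem" 2>/dev/null
}

# Demo: a node from the right CA passes; a node cert issued by an unrelated
# cluster CA (the classic result of mixing files between clusters) is rejected.
demo=$(mktemp -d)
make_demo_pki "$demo/good" esx1
make_demo_pki "$demo/other" esx2
subject_issuer "$demo/good/nodes/esx1/pve-ssl.pem"
check_node "$demo/good" esx1 && echo "esx1: all checks passed"
cp "$demo/other/nodes/esx2/pve-ssl.pem" "$demo/good/nodes/esx1/pve-ssl.pem"
cp "$demo/other/nodes/esx2/pve-ssl.key" "$demo/good/nodes/esx1/pve-ssl.key"
check_node "$demo/good" esx1 || echo "esx1 with a foreign node cert: rejected as expected"
rm -rf "$demo"
```

Comparing public keys rather than RSA moduli keeps key_matches_cert independent of the key type, and comparing fingerprints rather than subjects catches the case the thread is circling: a certificate with the right name but from a different file or a stale pveproxy worker.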