[pve-devel] spice problems
Michael Rasmussen
mir at datanom.net
Tue Jan 10 01:50:35 CET 2017
On Mon, 9 Jan 2017 08:08:54 +0100
Fabian Grünbichler <f.gruenbichler at proxmox.com> wrote:
>
> so you should now have
>
> /etc/pve/pve-root-ca.pem (self-signed cluster CA cert generated by pvecem)
> /etc/pve/priv/pve-root-ca.key (private key for ^^^)
>
check
> and for each node
>
> /etc/pve/nodes/NODE/pve-ssl.pem (node cert signed by cluster CA)
> /etc/pve/nodes/NODE/pve-ssl.key (private key for ^^^)
> /etc/pve/nodes/NODE/pveproxy-ssl.pem (custom cert chain for pveproxy)
> /etc/pve/nodes/NODE/pveproxy-ssl.pem (private key for node cert from ^^^)
>
Check (I guess pveproxy-ssl.pem (private key for node cert from ^^^)
should be pveproxy-ssl.key?)
> could you verify that the correct files are in the correct place with
> the following command for each of the certificates?
>
> # openssl x509 -in PATH -noout -subject -issuer
>
openssl x509 -in /etc/pve/pve-root-ca.pem -noout -subject -issuer
subject= /CN=Proxmox Virtual Environment/OU=d43de9da-071f-4ae5-b05b-a31593bb5668/O=PVE Cluster Manager CA
issuer= /CN=Proxmox Virtual Environment/OU=d43de9da-071f-4ae5-b05b-a31593bb5668/O=PVE Cluster Manager CA
openssl x509 -in /etc/pve/nodes/esx1/pve-ssl.pem -noout -subject -issuer
subject= /OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=esx1.datanom.net
issuer= /CN=Proxmox Virtual Environment/OU=d43de9da-071f-4ae5-b05b-a31593bb5668/O=PVE Cluster Manager CA
openssl x509 -in /etc/pve/nodes/esx2/pve-ssl.pem -noout -subject -issuer
subject= /OU=PVE Cluster Node/O=Proxmox Virtual Environment/CN=esx2.datanom.net
issuer= /CN=Proxmox Virtual Environment/OU=d43de9da-071f-4ae5-b05b-a31593bb5668/O=PVE Cluster Manager CA
openssl x509 -in /etc/pve/nodes/esx1/pveproxy-ssl.pem -noout -subject -issuer
subject= /OU=Domain Control Validated/CN=*.datanom.net
issuer= /C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
openssl x509 -in /etc/pve/nodes/esx2/pveproxy-ssl.pem -noout -subject -issuer
subject= /OU=Domain Control Validated/CN=*.datanom.net
issuer= /C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
> if you restart the pveproxy service, the log should indicate that the
> pveproxy-ssl.pem certificate chain file is used, and not display any
> errors, could you verify this as well?
>
systemctl restart pveproxy
systemctl status -l pveproxy
● pveproxy.service - PVE API Proxy Server
Loaded: loaded (/lib/systemd/system/pveproxy.service; enabled)
Active: active (running) since Tue 2017-01-10 01:31:51 CET; 13s ago
Process: 31999 ExecStop=/usr/bin/pveproxy stop (code=exited, status=0/SUCCESS)
Process: 32020 ExecStart=/usr/bin/pveproxy start (code=exited, status=0/SUCCESS)
Main PID: 32025 (pveproxy)
CGroup: /system.slice/pveproxy.service
├─32025 pveprox
├─32026 pveproxy worke
├─32027 pveproxy worke
└─32028 pveproxy worke
Jan 10 01:31:51 esx1 pveproxy[32020]: Using '/etc/pve/local/pveproxy-ssl.pem' as certificate for the web interface.
Jan 10 01:31:51 esx1 pveproxy[32025]: starting server
Jan 10 01:31:51 esx1 pveproxy[32025]: starting 3 worker(s)
Jan 10 01:31:51 esx1 pveproxy[32025]: worker 32026 started
Jan 10 01:31:51 esx1 pveproxy[32025]: worker 32027 started
Jan 10 01:31:51 esx1 pveproxy[32025]: worker 32028 started
Jan 10 01:31:51 esx1 systemd[1]: Started PVE API Proxy Server.
> the GUI and API should return the same certificate (they are handled by
> the same web server after all, and the GUI is just some static files +
> calls to the API), can you verify which one it is? e.g., using curl:
>
> $ curl -k -v https://YOURNODE:8006/
>
curl -k -v https://esx1.datanom.net:8006/
* Trying 172.16.3.8...
* TCP_NODELAY set
* Connected to esx1.datanom.net (172.16.3.8) port 8006 (#0)
* found 176 certificates in /etc/ssl/certs/ca-certificates.crt
* found 1117 certificates in /etc/ssl/certs
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: *.datanom.net (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: OU=Domain Control Validated,CN=*.datanom.net
* start date: Fri, 30 Dec 2016 20:47:18 GMT
* expire date: Tue, 31 Dec 2019 20:47:18 GMT
* issuer: C=BE,O=GlobalSign nv-sa,CN=AlphaSSL CA - SHA256 - G2
* compression: NULL
* ALPN, server did not agree to a protocol
The same certificate shown in browser.
> last but not least, could you verify that the node cert in pve-ssl.pem
> is actually signed by the cluster CA? example:
>
> # openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/nodes/nora/pve-ssl.pem
> /etc/pve/nodes/nora/pve-ssl.pem: OK
>
openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/nodes/esx1/pve-ssl.pem
/etc/pve/nodes/esx1/pve-ssl.pem: OK
openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/nodes/esx2/pve-ssl.pem
/etc/pve/nodes/esx2/pve-ssl.pem: OK
> note that you don't need to include the actual host names or other
> sensitive information when replying.
It's ok since they are all running on a closed network without access to
the outside world.
--
Hilsen/Regards
Michael Rasmussen
Get my public GnuPG keys:
michael <at> rasmussen <dot> cc
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E
mir <at> datanom <dot> net
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C
mir <at> miras <dot> org
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917
--------------------------------------------------------------
/usr/games/fortune -es says:
Thirteen at a table is unlucky only when the hostess has only twelve
chops. -- Groucho Marx
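An added example, not code from this thread or from Proxmox: a POSIX shell script that automates the checklist Fabian walks through above (node cert chained to the cluster CA, each private key actually belonging to its certificate, a pveproxy-ssl.key present whenever a custom pveproxy-ssl.pem is, and the certificate pveproxy serves on :8006 matching the file on disk). It assumes the file layout quoted above; the CA path, node directory and host name are parameters you pass in.

```shell
#!/bin/sh
# Added example (not from the thread): consistency checks for the Proxmox
# certificate layout discussed above. Assumes /etc/pve/pve-root-ca.pem and
# /etc/pve/nodes/NODE/{pve-ssl,pveproxy-ssl}.{pem,key}.

# Public key embedded in a certificate, in PEM form.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from a private key, in PEM form (empty if unreadable).
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# 0 if private key $1 belongs to certificate $2 (catches swapped/mislabelled files).
key_matches_cert() {
    k=$(key_pubkey "$1"); c=$(cert_pubkey "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check one node directory $2 against cluster CA $1:
#  1. pve-ssl.pem must chain to the CA (same test as `openssl verify` above)
#  2. pve-ssl.key must match pve-ssl.pem
#  3. a custom pveproxy-ssl.pem needs a matching pveproxy-ssl.key beside it
check_node_certs() {
    ca="$1"; dir="$2"; rc=0
    openssl verify -CAfile "$ca" "$dir/pve-ssl.pem" >/dev/null 2>&1 \
        || { echo "FAIL: $dir/pve-ssl.pem is not signed by $ca"; rc=1; }
    key_matches_cert "$dir/pve-ssl.key" "$dir/pve-ssl.pem" \
        || { echo "FAIL: $dir/pve-ssl.key does not match pve-ssl.pem"; rc=1; }
    if [ -f "$dir/pveproxy-ssl.pem" ]; then
        if [ ! -f "$dir/pveproxy-ssl.key" ]; then
            echo "FAIL: $dir/pveproxy-ssl.pem present but pveproxy-ssl.key missing"; rc=1
        elif ! key_matches_cert "$dir/pveproxy-ssl.key" "$dir/pveproxy-ssl.pem"; then
            echo "FAIL: $dir/pveproxy-ssl.key does not match pveproxy-ssl.pem"; rc=1
        fi
    fi
    return $rc
}

# 0 if the certificate pveproxy serves on host $1 port 8006 is the file $2.
# Compares SHA-256 fingerprints, which is stricter than comparing subject/issuer.
served_cert_matches() {
    served=$(openssl s_client -connect "$1:8006" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$served" ] && [ "$served" = "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" ]
}
```

Run it as `check_node_certs /etc/pve/pve-root-ca.pem /etc/pve/nodes/esx1 && served_cert_matches esx1.datanom.net /etc/pve/nodes/esx1/pveproxy-ssl.pem` on each node; the first function prints one FAIL line per broken check.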