[Spice-devel] problems with intermediate certificates
Marc-André Lureau
mlureau at redhat.com
Fri Aug 22 04:00:57 PDT 2014
Hi Dietmar
----- Original Message -----
> I use the following certificate files:
>
> # openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/local/pve-ssl.pem
> /etc/pve/local/pve-ssl.pem: OK
>
> I pass the content of /etc/pve/pve-root-ca.pem to virt-viewer:
> [virt-viewer]
> ca=-----BEGIN CERTIFICATE-----\nXXXXXXXXXX/Q=\n-----END CERTIFICATE-----\n
> ...
>
> I also use above cert files when starting qemu, and remote-viewer works
> perfectly unless
> we use intermediate CAs.
>
> -----------------
> # remote-viewer /tmp/scDvEiLJ
> (/usr/bin/remote-viewer:363337): Spice-Warning **:
> ssl_verify.c:428:openssl_verify: openssl verify:num=20:unable to get local
> issuer certificate:depth=1:/C=IL/O=StartCom Ltd./OU=Secure Digital
> Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
>
> (remote-viewer:363337): GSpice-WARNING **: main-1:0: SSL_connect:
> error:00000001:lib(0):func(0):reason(1)
> ------------------------
>
> I tried to append the intermediate cert to /etc/pve/pve-root-ca.pem and
> /etc/pve/local/pve-ssl.pem, but always
> get the same error.
>
> Any ideas?
Just a few ideas,
I think you must be able to "openssl verify" your file without specifying
the CAfile, if you want Spice ssl checks to pass.
There are some suggestions on what could go wrong and how to solve it here:
http://stackoverflow.com/questions/12041512/openssl-unable-to-get-local-issuer-certificate-unless-cafile-is-explicitly-speci
cheers
More information about the Spice-devel
mailing list