[Spice-devel] problems with intermediate certificates

David Jaša djasa at redhat.com
Mon Aug 25 07:16:32 PDT 2014


Hi Dietmar,

does the certificate setup work for other TLS apps, such as web
server/browser or just simple openssl s_(server|client)?

Also, do you account for intermediate CA in your setup? You have
basically two options for how to handle it:

1) "standard": server-cert.pem should contain the whole chain of
certificates under root CA, e.g.:
  * Int. CA 1
    * Int. CA 2
      * server cert
you just cat them to the file in that order. You then add the root CA to
the .vv file and things should work.

2) "custom": treat intermediate CA that actually signed the server cert
as trusted root: use it in ca-cert.pem and pass it to remote-viewer.
Given that you need to supply remote-viewer with a CA, this approach is
less "wrong" than in different TLS use cases.

HTH,

David
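As an added illustration of option 1 above (this script is not part of the thread and not Proxmox or SPICE code), the following uses the openssl command line (assumed to be 1.1.1 or newer) to generate a throwaway root CA -> Int CA 1 -> Int CA 2 -> server certificate hierarchy, writes server-cert.pem in the order described (server cert first, then each intermediate on the way up), and verifies it against the root CA the way remote-viewer's CA file would be used. The same check without the intermediates in the bundle reproduces the "unable to get local issuer certificate" failure. All CA names and the hostname pve.example.invalid are constructed for the example.

```shell
#!/bin/sh
# Added example: build a three-level test PKI, assemble the server bundle
# in leaf-to-root order and verify it. Names and hostname are constructed.
set -eu

# Sign CSR $1 with CA cert $2 / key $3, writing cert $4 with extensions file $5.
sign_cert() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 30 -extfile "$5" -out "$4" 2>/dev/null
}

# Create a CSR with a fresh RSA key: $1=key out, $2=csr out, $3=subject.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj "$3" 2>/dev/null
}

# Generate root -> Int CA 1 -> Int CA 2 -> server cert into directory $1.
make_test_pki() {
    dir=$1
    # Intermediates (and the root) must carry CA:TRUE, or verification
    # fails with "invalid CA certificate" instead of succeeding.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:pve.example.invalid\n' > "$dir/server.ext"

    new_csr "$dir/root.key" "$dir/root.csr" "/CN=Test Root CA"
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
        -days 30 -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null

    new_csr "$dir/int1.key" "$dir/int1.csr" "/CN=Test Int CA 1"
    sign_cert "$dir/int1.csr" "$dir/root.crt" "$dir/root.key" "$dir/int1.crt" "$dir/ca.ext"

    new_csr "$dir/int2.key" "$dir/int2.csr" "/CN=Test Int CA 2"
    sign_cert "$dir/int2.csr" "$dir/int1.crt" "$dir/int1.key" "$dir/int2.crt" "$dir/ca.ext"

    new_csr "$dir/server.key" "$dir/server.csr" "/CN=pve.example.invalid"
    sign_cert "$dir/server.csr" "$dir/int2.crt" "$dir/int2.key" "$dir/server.crt" "$dir/server.ext"
}

# Concatenate certs into a bundle: $1=output, then the cert files in order
# (server cert first, then the intermediate that signed it, and so on up).
build_chain() {
    out=$1; shift
    cat "$@" > "$out"
}

# Number of PEM certificates in file $1.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Print subject/issuer of every cert in bundle $1, so a wrong order shows up.
show_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Verify the first cert of bundle $2 against trusted root $1, with the rest
# of the bundle offered as untrusted intermediates. Returns non-zero (and
# openssl reports error 20, "unable to get local issuer certificate") when
# an intermediate is missing.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# Run the whole flow when invoked as: sh <this file> demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_test_pki "$d"
    build_chain "$d/server-cert.pem" "$d/server.crt" "$d/int2.crt" "$d/int1.crt"
    show_chain "$d/server-cert.pem"
    verify_chain "$d/root.crt" "$d/server-cert.pem" && echo "bundle with intermediates: OK"
    verify_chain "$d/root.crt" "$d/server.crt" || echo "leaf alone: fails, as in the reported error"
    rm -rf "$d"
fi
```

If the bundle verifies here but remote-viewer still complains, the difference is in what the server actually sends (check with openssl s_client, which prints the certificate chain it received), not in the CA file.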


On Fri, 2014-08-22 at 08:22 +0000, Dietmar Maurer wrote:
> I use the following certificate files:
> 
> # openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/local/pve-ssl.pem
> /etc/pve/local/pve-ssl.pem: OK
> 
> I pass the content of /etc/pve/pve-root-ca.pem to virt-viewer:
> [virt-viewer]
> ca=-----BEGIN CERTIFICATE-----\nXXXXXXXXXX/Q=\n-----END CERTIFICATE-----\n
> ...
> 
> I also use above cert files when starting qemu, and remote-viewer works perfectly unless
> we use intermediate CAs.
> 
> -----------------
> # remote-viewer /tmp/scDvEiLJ 
> (/usr/bin/remote-viewer:363337): Spice-Warning **: ssl_verify.c:428:openssl_verify: openssl verify:num=20:unable to get local issuer certificate:depth=1:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
> 
> (remote-viewer:363337): GSpice-WARNING **: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)
> ------------------------
> 
> I tried to append the intermediate cert to /etc/pve/pve-root-ca.pem  and /etc/pve/local/pve-ssl.pem, but always
> get the same error.
> 
> Any ideas?
> 