[Spice-devel] TLS + Letsencrypt doesn't work on Windows
Frediano Ziglio
freddy77 at gmail.com
Tue Dec 15 15:00:45 UTC 2020
Il giorno mar 15 dic 2020 alle ore 11:45 Armin Ranjbar <zoup at zoup.org>
ha scritto:
>
> Dear Everyone,
>
> As always, let me thank you first for the effort you put in Spice.
>
> I have a strange case here, libvirt is configured with letsencrypt certificates, remote-viewer works happily on Linux, but it doesn't seem to be able to get local issuer certificate on windows.
> same error even when I try to give the address of CA file via --spice-ca-file, attaching logs with spice-debug here:
>
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.293: ../src/spice-session.c:292 Supported channels: main, display, inputs, cursor, playback, record, usbredir
> (remote-viewer.exe:3584): Spice-DEBUG: 15:13:17.293: ../src/usb-device-manager.c:259:spice_usb_device_manager_init: UsbDk driver is not installed
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.293: ../src/usb-device-manager.c:485 auto-connect filter set to 0x03,-1,-1,-1,0|-1,-1,-1,-1,1
>
> (remote-viewer.exe:3584): GSpice-CRITICAL **: 15:13:17.293: _usbdk_hider_update: assertion 'priv->usbdk_api != NULL' failed
>
> (remote-viewer.exe:3584): GSpice-WARNING **: 15:13:17.962: password may be visible in process listings
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965: ../src/spice-session.c:1814 no migration in progress
> Spice-INFO: 15:13:17.965: ../src/channel-main.c:337:spice_main_set_property: SpiceMainChannel::color-depth has been deprecated. Property is ignored
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965: ../src/spice-channel.c:141 main-1:0: spice_channel_constructed
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965: ../src/spice-session.c:2309 main-1:0: new main channel, switching
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680: ../src/spice-channel.c:2707 main-1:0: Open coroutine starting 000000000462E480
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680: ../src/spice-channel.c:2544 main-1:0: Started background coroutine 000000000462E338
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680: ../src/spice-session.c:2231 Missing port value, not attempting unencrypted connection.
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680: ../src/spice-channel.c:2570 main-1:0: trying with TLS port
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694: ../src/spice-session.c:2244 main-1:0: Using TLS, port 5901
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694: ../src/spice-session.c:2177 open host DOMAIN_REPLACED:5901
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694: ../src/spice-session.c:2099 main-1:0: connecting 00000000071DFDD0...
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.757: ../src/spice-session.c:2083 main-1:0: connect ready
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.757: ../src/spice-channel.c:2466 main-1:0: Load CA, file: C:\ca-cert.pem, data: 0000000000000000
>
This "data: 0000000000000000" refers to a specific CA loaded, the
function should load certificates from the file afterward.
If the load would fail there should be a warning like "loading ca
certs from C:\ca-cert.pem failed" but it's not present.
Also if the load fails there should be another "loading ca certs from
default location failed" warning.
> (remote-viewer.exe:3584): Spice-WARNING **: 15:13:18.819: ../subprojects/spice-common/common/ssl_verify.c:444:openssl_verify: Error in certificate chain verification: unable to get issuer certificate (num=2:depth1:/C=US/O=Let's Encrypt/CN=R3)
>
Sure the C:\ca-file.pem contains the CA certificate for Let's Encrypt ?
Frediano
More information about the Spice-devel
mailing list