Re: problems with intermediate certificates

Hi Dietmar

----- Original Message -----
> I use the following certificate files:
> 
> # openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/local/pve-ssl.pem
> /etc/pve/local/pve-ssl.pem: OK
> 
> I pass the content of /etc/pve/pve-root-ca.pem to virt-viewer:
> [virt-viewer]
> ca=-----BEGIN CERTIFICATE-----\nXXXXXXXXXX/Q=\n-----END CERTIFICATE-----\n
> ...
> 
> I also use the above cert files when starting qemu, and remote-viewer works
> perfectly unless we use intermediate CAs.
> 
> -----------------
> # remote-viewer /tmp/scDvEiLJ
> (/usr/bin/remote-viewer:363337): Spice-Warning **:
> ssl_verify.c:428:openssl_verify: openssl verify:num=20:unable to get local
> issuer certificate:depth=1:/C=IL/O=StartCom Ltd./OU=Secure Digital
> Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
> 
> (remote-viewer:363337): GSpice-WARNING **: main-1:0: SSL_connect:
> error:00000001:lib(0):func(0):reason(1)
> ------------------------
> 
> I tried to append the intermediate cert to /etc/pve/pve-root-ca.pem and
> /etc/pve/local/pve-ssl.pem, but always get the same error.
> 
> Any ideas?

Just a few ideas,

I think you must be able to "openssl verify" your file without specifying
the CAfile, if you want Spice ssl checks to pass.

There are some suggestions on what could go wrong and how to solve it here:
http://stackoverflow.com/questions/12041512/openssl-unable-to-get-local-issuer-certificate-unless-cafile-is-explicitly-speci

cheers
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel
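
The verify error quoted in this thread (num=20 at depth=1, naming the intermediate CA) can be reproduced with a constructed chain. This is an added example, not part of the original messages; every certificate name and file name in it is made up. It checks the same server certificate and intermediate against two trust files: an unrelated self-signed root, and the root that actually issued the intermediate.

```shell
#!/bin/sh
# Added example: constructed certificates, all names and paths are hypothetical.

new_key_csr() {  # $1 = file prefix, $2 = subject CN
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_chains() {  # $1 = work directory
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/ca.ext"
    # Two unrelated self-signed roots: a private cluster CA and a public-style root.
    for ca in cluster public; do
        new_key_csr "$d/$ca" "Example $ca Root CA"
        openssl x509 -req -in "$d/$ca.csr" -signkey "$d/$ca.key" -days 2 \
            -extfile "$d/ca.ext" -out "$d/$ca.pem" 2>/dev/null
    done
    # Intermediate issued by the public root; server certificate issued by the intermediate.
    new_key_csr "$d/int" "Example Intermediate CA"
    openssl x509 -req -in "$d/int.csr" -CA "$d/public.pem" -CAkey "$d/public.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    new_key_csr "$d/srv" "server.example"
    openssl x509 -req -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -out "$d/srv.pem" 2>/dev/null
}

# $1 = trust file, $2 = intermediate offered as untrusted chain material, $3 = leaf
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1
}

run_demo() {
    d=$(mktemp -d) || return 1
    build_chains "$d"
    echo "== trust file holds only the unrelated cluster root =="
    verify_chain "$d/cluster.pem" "$d/int.pem" "$d/srv.pem"
    echo "== trust file holds the root that issued the intermediate =="
    verify_chain "$d/public.pem" "$d/int.pem" "$d/srv.pem"
    rm -rf "$d"
}
run_demo
```

In the first case the chain stops at the intermediate because its issuer is not in the trust file, which is what "unable to get local issuer certificate" at depth 1 reports; in the second the chain terminates at a trusted root and verification succeeds.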