Hey, On Fri, Aug 22, 2014 at 08:22:22AM +0000, Dietmar Maurer wrote: > I use the following certificate files: > > # openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/local/pve-ssl.pem > /etc/pve/local/pve-ssl.pem: OK > > I pass the content of /etc/pve/pve-root-ca.pem to virt-viewer: > [virt-viewer] > ca=-----BEGIN CERTIFICATE-----\nXXXXXXXXXX/Q=\n-----END CERTIFICATE-----\n > ... > > I also use above cert files when starting qemu, and remote-viewer works perfectly unless > we use intermediate CAs. > > ----------------- > # remote-viewer /tmp/scDvEiLJ > (/usr/bin/remote-viewer:363337): Spice-Warning **: ssl_verify.c:428:openssl_verify: openssl verify:num=20:unable to get local issuer certificate:depth=1:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA > > (remote-viewer:363337): GSpice-WARNING **: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1) > ------------------------ > > I tried to append the intermediate cert to /etc/pve/pve-root-ca.pem and /etc/pve/local/pve-ssl.pem, but always > get the same error. > > Any ideas? To make sure I understand, you start with a Root CA which I assume you generated yourself and is self-signed? Then if you generate server certificates from this one, and use these with a spice host, all is working fine. But if you generate an intermediate CA from the Root CA instead, and then generate server certificates from the intermediate CA, then spice connections fail with the error you pasted? Did you run the openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/local/pve-ssl.pem command you gave on a certificate using the intermediate CA? Christophe
Attachment:
pgpox_Yy0qWXC.pgp
Description: PGP signature
_______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/spice-devel