Re: problems with intermediate certificates

Hey,

On Fri, Aug 22, 2014 at 08:22:22AM +0000, Dietmar Maurer wrote:
> I use the following certificate files:
> 
> # openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/local/pve-ssl.pem
> /etc/pve/local/pve-ssl.pem: OK
> 
> I pass the content of /etc/pve/pve-root-ca.pem to virt-viewer:
> [virt-viewer]
> ca=-----BEGIN CERTIFICATE-----\nXXXXXXXXXX/Q=\n-----END CERTIFICATE-----\n
> ...
> 
> I also use the above cert files when starting qemu, and remote-viewer works perfectly unless
> we use intermediate CAs.
> 
> -----------------
> # remote-viewer /tmp/scDvEiLJ 
> (/usr/bin/remote-viewer:363337): Spice-Warning **: ssl_verify.c:428:openssl_verify: openssl verify:num=20:unable to get local issuer certificate:depth=1:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
> 
> (remote-viewer:363337): GSpice-WARNING **: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)
> ------------------------
> 
> I tried to append the intermediate cert to /etc/pve/pve-root-ca.pem and /etc/pve/local/pve-ssl.pem, but always
> get the same error.
> 
> Any ideas?

To make sure I understand, you start with a Root CA which I
assume you generated yourself and is self-signed? Then if you generate
server certificates from this one, and use these with a spice host, all
is working fine.
But if you generate an intermediate CA from the Root CA instead, and
then generate server certificates from the intermediate CA, then spice
connections fail with the error you pasted?

Did you run the openssl verify -CAfile /etc/pve/pve-root-ca.pem
/etc/pve/local/pve-ssl.pem command you gave on a certificate using the
intermediate CA?

Christophe
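
Added example, not part of the original thread: a shell script that builds a constructed root -> intermediate -> server chain plus an unrelated root, then runs `openssl verify` to show how the depth in error 20 identifies the certificate whose issuer is missing. Depth 0 means the server certificate's issuer was not available; depth 1 (the value in the warning quoted above) means the intermediate was supplied but the root that signed it is not in the CA file. The names rootA, rootB, inter and server and both helper functions are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; every CA, key and certificate here is constructed test data.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF

# issue NAME EXT [ISSUER]: new key + certificate, self-signed when ISSUER is omitted.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/x.cnf" -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null || return 1
    if [ -n "${3:-}" ]; then
        signer="-CA $WORK/$3.pem -CAkey $WORK/$3.key -CAcreateserial"
    else
        signer="-signkey $WORK/$1.key"
    fi
    # $signer is split into words on purpose; mktemp paths contain no spaces.
    openssl x509 -req -in "$WORK/$1.csr" -days 2 -extfile "$WORK/x.cnf" \
        -extensions "$2" $signer -out "$WORK/$1.pem" 2>/dev/null
}

issue rootA ca            # root that actually anchors the chain
issue rootB ca            # unrelated root, standing in for a self-generated CA
issue inter ca rootA      # intermediate CA signed by rootA
issue server leaf inter   # server certificate signed by the intermediate

# verify_leaf ROOT [UNTRUSTED]: prints "OK" or "error N at depth D" for server.pem.
# ROOT is the trusted CA file; UNTRUSTED models a certificate sent by the peer.
verify_leaf() {
    out=$(openssl verify -CAfile "$WORK/$1.pem" ${2:+-untrusted "$WORK/$2.pem"} \
        "$WORK/server.pem" 2>&1) || true
    case $out in
        *": OK"*) echo OK ;;
        *) printf '%s\n' "$out" | sed -n \
            's/^error \([0-9]*\) at \([0-9]*\) depth lookup.*/error \1 at depth \2/p' \
            | head -n 1 ;;
    esac
}

echo "root only, no intermediate: $(verify_leaf rootA)"
echo "intermediate + other root:  $(verify_leaf rootB inter)"
echo "intermediate + its root:    $(verify_leaf rootA inter)"
```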
