[pve-devel] Something missing in http://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x_and_newer) ?

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Nov 22 13:57:47 CET 2016


On Tue, Nov 22, 2016 at 01:09:17PM +0100, Stefan Priebe - Profihost AG wrote:
> Hi,
> 
> Am 22.11.2016 um 12:26 schrieb Fabian Grünbichler:
> > On Tue, Nov 22, 2016 at 12:11:22PM +0100, Stefan Priebe - Profihost AG wrote:
> >> Am 22.11.2016 um 11:56 schrieb Dietmar Maurer:
> >>> I think this commit should solve the issue:
> >>>
> >>> https://git.proxmox.com/?p=pve-manager.git;a=commitdiff;h=333dd203d5e07d9d3e20d3674a2e3ff2fc89fa8c
> >>>
> >>>> Please can you test with latest version from git?
> >>
> >> Already running that version ;-) But thank you for pointing me to this
> >> commit. If i revert that one it's working fine again.
> >>
> >> The issue in my case was that the verify in HTTPServer.pm verify_cb was
> >> failing.
> >>
> >> The documentation says:
> >> "fullchain.pem (your certificate and all intermediate certificates,
> >> excluding the root certificate, in PEM format)"
> >>
> >> With the full chain it's not working. I then removed the whole chain and
> >> only putted my final crt into that one and now it's working fine. With
> >> the full chain $depth was 2 in my case.
> > 
> > I will do some more testing later on - is it possible that you put the
> > certificates into the file in the "wrong" order (leaf first, then
> > intermediate would be correct)?
> > 
> > The pinning is supposed to only verify the last certificate in the chain
> > (as returned by the server), so whether you have a chain of depth 2 or 3
> > (self-signed root + leaf or root + ca + leaf) does not matter at all.
> > But when reading from a .pem file with multiple certificates OpenSSL
> > reads the first one in the file, so it's possible that in your case we
> > attempt to compare the leaf certificate's fingerprint (from the
> > connection / server) to the CA certificate's fingerprint (from the .pem
> > file), which obviously does not work.
> > 
> > If you want, you could send me the certificate file off-list (only the
> > certificate please! unless those are from a test node with self-signed
> > certificates that you don't care about) and I will try to recreate your
> > setup for further tests...
> 
> As this is a real life certificate which is not self signed but signed
> from the ca i'm not comfortable with that.

understandable. but maybe you could confirm the order? you can just copy
the file and split at the end/start marker, with "openssl x509 -in
PEMFILE -noout -subject" you should get the subject of each resulting
PEMFILE

> 
> But may be you're already right and the order in the file is important.
> 
> Wouldn't it be easier for users to just put the sigle .crt into this
> location and put the ca chain into pve-root-ca.pem ?

that does not work (unfortunately) - AnyEvent cannot load the chain / CA
certificate from a separate file.. since the root certificate is not
supposed to be part of the chain sent by the server (it needs to be
trusted separately anyway), this is not a problem for the self-signed
chain with depth 2. but for the "regular" chain of depth 3 you need to
put the leaf/server certificate and the intermediate(s) into
pveproxy-ssl.pem (and the root into your OS/browser, if it is not
already there ;)).

I'll test some more, and as a last workaround we could do the split of
pveproxy-ssl.pem in the verification code (and simply only take the one
that is not a CA certificate - this is easy to check because the CA
property is a certificate extension, but of course we have additional
overhead and complexity for parsing and splitting..).




More information about the pve-devel mailing list