aspice SSL Error

[Bob Dushok]

I'm using aspice with Proxmox.   It was working fine when my Proxmox servers were using the SSL cert provided by Proxmox.    Once I switched to a Let's Encrypt generated cert aspice stopped working.   The log shows the following error when connections are attempted:

../subprojects/spice-common/common/ssl_verify.c:481:openssl_verify: Error in server certificate verification: unable to get local issuer certificate (num=20:depth0:/CN=....

The cert works fine when the PVE server is accessed via a browser, so I think the SSL cert is fine.   Could the Let's Encrypt root certs be missing from whatever truststore aspice is using?

Thanks,

Bob

[i iordanov]

Hi Bob,

That sounds very likely.

https://github.com/iiordanov/remote-desktop-clients/issues/

Could you please open a bug-report there?

Thanks!
Iordan

--
You received this message because you are subscribed to the Google Groups "bVNC, aRDP, aSPICE, Opaque Remote Desktop Clients" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bvnc-ardp-aspice-opaque-remot...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bvnc-ardp-aspice-opaque-remote-desktop-clients/e44c60cc-64c6-4c18-966b-de77b81f2234n%40googlegroups.com.

[Bob Dushok]

Thanks for the reply.   I've posted this as an issue on Github as you've requested.

[bVNC user]

I have a SSH KEY which has been created with "ssh-keygen -t rsa".

Everything works fine with it by connecting with the SSH command line or Remmina from a computer.

I don't however manage to import it into bVNC :/ I get an error "Failed to import..."

The passphrase entered seems correct as if I modify it or don't enter any, I get a different error 'Failed to decrypt PEM...".

Could there be a bug in bVNC preventing to import passphrase protected RSA SSH keys ?

Thanks.

[iior...@gmail.com]

You need to generate it with, e.g.:

ssh-keygen -t rsa -m PKCS8

[bVNC user]

Hi, thanks for the answer!

Right, I could of course generate a new key in another format. I wanted to avoid that.

I fail to understand why my current key wouln't be usable. Shouldn't bNVC be able to import it? Other programs are fine with it...

[bVNC user]

Alright, after looking a bit into this, ssh-keygen generates by default the key in an "openSSH" format, which I understand bVNC might not support.

But there seem to be something wrong with importing keys WITH PASSPHRASES (on top of the "openSSH" format not being supported, indeed). I tried with newly generated keys, including in ECDSA (yes, in PKCS8).

Importing a key generated with NO passphrase works fine! I would appreciate if you could test it and have a look about that. Thank you very much.

On Thursday, 13 March 2025 at 19:15:41 UTC+1 iior...@gmail.com wrote:

[i iordanov]

Could you please report the issue here with how it can be reproduced?

https://github.com/iiordanov/remote-desktop-clients/issues/

Thanks!

To view this discussion visit https://groups.google.com/d/msgid/bvnc-ardp-aspice-opaque-remote-desktop-clients/d39bf90a-6a88-49db-b302-a7cf5fc0f714n%40googlegroups.com.