Virtualbox HTTPS API w/ LE


#1

Hello. I hope this question is simple. Everything I’ve tried hasn’t worked so far.

I’m using the vboxweb service on my Debian machine to access a headless VirtualBox server. I want to control the VirtualBox machines using SSL.

I can set the following options in my /etc/default/virtualbox file:

(Each of the parameters below is prepended with VBOXWEB_, e.g. VBOXWEB_SSL_KEYFILE.)

SSL_KEYFILE - Server key and certificate file, PEM format
SSL_PASSWORDFILE - File name for password to server key
SSL_CACERT - CA certificate file, PEM format
SSL_CAPATH - CA certificate path
SSL_DHFILE - DH file name or DH key length in bits
SSL_RANDFILE - File containing seed for random number generator

(Source: https://www.virtualbox.org/manual/ch09.html#vboxwebsrv-linux )

I’ve created Diffie Hellman parameters (2048-bit). It’s at /dh2048.pem. I’ve copied all my LE cert files to / and set permissions to 666. Yes, I know this is very insecure. When everything is working properly, I’ll harden security.

There is no password on the cert, so I don’t need that option. I don’t think I need the random number seed either (do I?).

So…

VBOXWEB_SSL_KEYFILE="/privkey.pem"
VBOXWEB_SSL_DHFILE="/dh2048.pem"

Just the two parameters above generate an error. Unfortunately, it is rather vague in the vboxweb logfile.

VirtualBox web service 5.2.12 r122591 linux.amd64 (May 9 2018 15:00:04) release log
00:00:00.001964 main Log opened 2018-07-10T01:41:34.939663000Z
00:00:00.001966 main Build Type: release
00:00:00.001970 main OS Product: Linux
00:00:00.001971 main OS Release: 4.9.0-4-amd64
00:00:00.001972 main OS Version: #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23)
00:00:00.001998 main DMI Product Name: HP EliteBook 8440p
00:00:00.002005 main DMI Product Version:
00:00:00.002050 main Host RAM: 1861MB total, 1726MB available
00:00:00.002052 main Executable: /usr/lib/virtualbox/vboxwebsrv
00:00:00.002053 main Process ID: 2038
00:00:00.002054 main Package type: LINUX_64BITS_DEBIAN_9_0
00:00:00.016667 main IPC socket path: /tmp/.vbox-vbox-ipc/ipcd
00:00:00.179423 SQPmp #### SOAP FAULT: SSL/TLS error [is internal]

Perhaps I need the following parameters. What would they be? Any ideas?

VBOXWEB_SSL_CACERT="???"
VBOXWEB_SSL_CAPATH="???"

I’d be grateful for any advice. I’d really like to use my LE cert to ensure security for my VirtualBox setup. Thanks!


Edit:
BTW, if I use a self-signed cert, the last line in the logfile shows success as such:

00:00:00.271077 SQPmp Socket connection successful: host = 0.0.0.0, port = 18083, SSL, master socket = 9


#2

Sounds like it needs to be in combined PEM format

<privkey.pem contents>
<fullchain.pem contents>

Sometimes servers will refuse to use keys that are world-readable.

Not needed, used for client certificates.
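
Added example, not part of any post in this thread and not VirtualBox or certbot tooling: a shell sketch that builds the combined PEM described above (key first, then fullchain) with owner-only permissions and checks it before it is used as VBOXWEB_SSL_KEYFILE. The function names and the argument paths are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not VirtualBox or certbot tooling). All paths are arguments.

# make_combined_pem PRIVKEY FULLCHAIN OUT: key first, then the chain.
make_combined_pem() {
    local key=$1 chain=$2 out=$3
    (
        umask 077          # the new file is created with mode 0600
        rm -f -- "$out"    # '>' would keep the mode of an existing 0666 file
        # The explicit newline keeps the blocks apart if PRIVKEY lacks one.
        { cat -- "$key"; printf '\n'; cat -- "$chain"; } > "$out"
    )
}

# check_combined_pem FILE: print each problem found; return 1 if there is any.
check_combined_pem() {
    local f=$1 first keys certs mode problems=0
    first=$(grep -m1 -- '^-----BEGIN ' "$f" || true)
    keys=$(grep -c -- '^-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$f" || true)
    mode=$(stat -c '%a' "$f")    # GNU stat, as on the Debian host in the thread

    [ "$keys" -eq 1 ] || { echo "expected 1 private key, found $keys"; problems=1; }
    [ "$certs" -ge 1 ] || { echo "no certificate found"; problems=1; }
    case $first in
        *"PRIVATE KEY-----") ;;
        *) echo "the private key is not the first PEM block"; problems=1 ;;
    esac
    if grep -q -- '-----END [A-Z ]*-----.*-----BEGIN ' "$f"; then
        echo "two PEM blocks share a line (missing newline)"; problems=1
    fi
    if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$f"; then
        echo "key is encrypted; VBOXWEB_SSL_PASSWORDFILE would be needed"; problems=1
    fi
    case $mode in
        *00) ;;
        *) echo "mode $mode lets group or others access the key"; problems=1 ;;
    esac
    return "$problems"
}

# Stand-alone use: script.sh privkey.pem fullchain.pem combined.pem
if [ "$#" -eq 3 ]; then
    make_combined_pem "$1" "$2" "$3" && check_combined_pem "$3"
fi
```

With mode 0600 the combined file has to be owned by the account the web service runs as (VBOXWEB_USER in the config posted later in the thread).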


#3

:man_facepalming:
Why didn’t I read that a little more closely… lol

That was exactly my problem. I concatenated those two files, restarted the service, and I’m up and running. Many thanks @_az!


#4

Strange it actually works. The help file you mentioned says: The parameters in the table below all start with VBOXWEB_ (VBOXWEB_HOST, VBOXWEB_PORT etc.):

So it should be VBOX_WEB_SSL_KEYFILE?


#5

@Osiris Yes, you are correct.

My apologies for stating they are prefixed with VBOX_. That is incorrect. Every parameter is prefixed with VBOXWEB_. I’ve corrected my original post.

Here is my config:

VBOXWEB_USER="vbox"
VBOXWEB_TIMEOUT=0
VBOXWEB_LOGFILE="/var/log/vboxwebservice.log"
# 0.0.0.0 will listen on all interfaces
VBOXWEB_HOST="0.0.0.0"
VBOXWEB_SSL_KEYFILE="/combined.pem"
VBOXWEB_SSL_DHFILE="/dh2048.pem"


Here are the tutorials I followed to get things started:

#1

#2

