Anthony James wrote on Fri 23. 03. 2012 at 08:03 -0400:
> I did have spaces after the commas in the host subject but after
> regenerating the certs

Hi Anthony,

You should not need to regenerate the certs, just do 's/, /,/' on the
existing string.

> and modifying the command I receive the same error. I followed the
> steps to create the certs from the
> http://www.spice-space.org/page/SSLConnection site. Should those
> steps work?
>

They should. You have to put those cert/key files to
/etc/pki/libvirt-spice (or any other location configured in
/etc/libvirt/libvirtd.conf) but I think you have to have this right,
otherwise qemu wouldn't start at all.

I'm starting to suspect that you have some incompatible characters in
the host subject string. I tried a basic plain qemu test here and it
works for me. Please try these steps and tell me how far you got:

1. create an empty directory, cd to it
2. copy there the script from the page without any modifications
3. generate certs
4. run:
   /path/to/qemu_executable -spice tls-port=<port>,disable-ticketing
5. make sure that qemu indeed listens on the port and it's not blocked
   by anything (iptables, selinux)
6. from another terminal on the same machine, run:
   remote-viewer --spice-ca-file <working_dir_in_first_terminal>/ca-cert.pem --spice-host-subject 'C=IL,L=Raanana,O=Red Hat,CN=my server' spice://127.0.0.1/?tls-port=<port>
   or:
   spicec --ca-file <working_dir_in_first_terminal>/ca-cert.pem --host-subject 'C=IL,L=Raanana,O=Red Hat,CN=my server' -h 127.0.0.1 -s 5900

If this does not work for you, there is a bug somewhere. If it does,
you should double-check your configuration again.

David

> On Fri, Mar 23, 2012 at 7:36 AM, David Jaša <dj...@redhat.com> wrote:
> Hi Anthony,
>
> I don't see anything clearly wrong in what you posted in your last two
> mails. Just one note: -spice addr=127.0.0.1 means that the host will
> only be accessible on the localhost - if you add "<listen type='address'
> address='0.0.0.0'/>" element to "<graphics>" element in domain xml, qemu
> will bind to all ipv4 addresses.
>
> I'd just check the SSL/TLS stuff again - if your certs are OK, if you
> pass correct host subject (without space after comma!), if you pass
> correct CA file and so on...
>
> David
>
> Anthony James wrote on Fri 23. 03. 2012 at 07:20 -0400:
> > I just tried connecting using remote-viewer, here is the command:
> >
> > remote-viewer --spice-ca-file=ca-cert.pem --spice-host-subject="$HOSTSUBJECT" spice://localhost/?port=$PORT&tls-port=$SPORT
> >
> > It connects but using only the non-tls port. When I remove port=$PORT
> > to try and force it to use the tls-port the connection fails and I see
> > this in the VM log:
> >
> > reds_handle_ssl_accept: SSL_accept failed, error=1
> >
> > The remote-viewer version is 0.5.2.
> >
> > On Fri, Mar 23, 2012 at 7:10 AM, Anthony James <anthony.ja...@cintriq.com> wrote:
> > I created and started the VM with virt-manager. Here is what looks
> > like the qemu cmd from /var/log/libvirt/qemu/$VM.log
> >
> > /usr/bin/qemu-kvm -S -M pc-0.15 -cpu core2duo,+lahf_lm,+rdtscp,+popcnt,+sse4.2,+sse4.1,+pdcm,+xtpr,+cx16,+tm2,+est,+smx,+vmx,+ds_cpl,+dtes64,+pbe,+tm,+ht,+ss,+acpi,+ds -enable-kvm -m 2048 -smp 2,sockets=2,cores=1,threads=1 -name $VMNAME -uuid 9046e3aa-81d5-028d-010f-2a755e20aa97 -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/$VMNAME.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x8 -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,addr=0x9 -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0xa -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0xb -drive file=/vm/$VMNAME.img,if=none,id=drive-virtio-disk0,format=raw -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -drive file=/iso/virtio-win-0.1-22.iso,if=none,media=cdrom,id=drive-ide0-1-0,readonly=on,format=raw -device ide-drive,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0 -netdev tap,fd=26,id=hostnet0,vhost=on,vhostfd=27 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:43:e6:dd,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -device usb-tablet,id=input0 -spice port=$PORT,tls-port=$SPORT,addr=127.0.0.1,x509-dir=/etc/pki/libvirt-spice -k en-us -vga qxl -global qxl-vga.vram_size=67108864 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -chardev spicevmc,id=charredir0,name=usbredir -device usb-redir,chardev=charredir0,id=redir0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7
> >
> > Also in the log I see the following messages every time I try to
> > connect using SSL:
> >
> > reds_handle_ssl_accept: SSL_accept failed, error=1
> > reds_handle_ssl_accept: SSL_accept failed, error=1
> >
> > Here are the package versions I'm running:
> >
> > spice-xpi-2.7-2.fc16.x86_64
> > spice-gtk3-0.11-4.fc16.x86_64
> > spice-gtk-tools-0.11-4.fc16.x86_64
> > spice-client-0.10.1-1.fc16.x86_64
> > spice-server-0.10.1-1.fc16.x86_64
> > spice-gtk-python-0.11-4.fc16.x86_64
> > spice-gtk-0.11-4.fc16.x86_64
> > spice-protocol-0.10.1-1.fc16.noarch
> > spice-glib-0.11-4.fc16.x86_64
> > libvirt-0.9.10-2.fc16.x86_64
> > libvirt-python-0.9.10-2.fc16.x86_64
> > libvirt-client-0.9.10-2.fc16.x86_64
> > qemu-system-x86-1.0-7.fc16.x86_64
> > gpxe-roms-qemu-1.0.1-4.fc16.noarch
> > qemu-common-1.0-7.fc16.x86_64
> > qemu-img-1.0-7.fc16.x86_64
> > virt-manager-common-0.9.1-2.fc16.noarch
> > virt-manager-0.9.1-2.fc16.noarch
> >
> > The host is running Fedora 16 with the updates-testing virt-preview
> > repos enabled.
> >
> > On Fri, Mar 23, 2012 at 6:58 AM, David Jaša <dj...@redhat.com> wrote:
> > Anthony James wrote on Fri 23. 03. 2012 at 06:46 -0400:
> > > David,
> > >
> > > I just tried about 20 times in a row, same error. When you say it's a
> > > known bug in spicec when connecting manually, what is the alternative
> > > to connecting manually? Is this bug present in spicy or
> > > remote-viewer? Thanks in advance.
> > >
> >
> > I don't recall hitting it with remote-viewer. FTR, remote-viewer's
> > invocation format differs from that of spicec and spicy:
> >
> > remote-viewer <options> spice://<host>/?port=<port>&tls-port=<sport>
> >
> > you can get the complete list of options with:
> >
> > remote-viewer --help-all
> >
> > Speaking about it, it might also be the libvirt/qemu bug that both
> > fired up with main channel forced to SSL/TLS but without setting up
> > the tls-port on which qemu would actually listen. Could you post the
> > qemu command line here so we can rule it out?
> >
> > David
> >
> > > On Fri, Mar 23, 2012 at 6:37 AM, David Jaša <dj...@redhat.com> wrote:
> > > Anthony James wrote on Fri 23. 03. 2012 at 06:26 -0400:
> > > > David,
> > > >
> > > > Thanks for the reply. I've tried adding --ca-file to the spicec
> > > > command line but still receive the same error. Here is the command:
> > > >
> > > > spicec -h localhost -p $PORT -s $SPORT --secure-channels all --host-subject "$HOSTSUBJECT" --ca-file ca-cert.pem -w $PASSWD
> > > >
> > > > Same error:
> > > >
> > > > Error: failed to connect w/SSL, ssl_error
> > > > error:00000001:lib(0):func(0):reason(1)
> > > > 140613653984512:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
> > > > Warning: SSL Error:
> > > >
> > >
> > > Hi Anthony,
> > >
> > > try several times. It's a known bug in spicec that when you're
> > > connecting manually, the connection fails several times before it is
> > > established. Actually it's more frequent if you specify
> > > --secure-channels all or if you omit -p altogether (both have the same
> > > effect).
> > >
> > > David
> > >
> > > > On Fri, Mar 23, 2012 at 6:06 AM, David Jaša <dj...@redhat.com> wrote:
> > > > Hi Anthony,
> > > >
> > > > Anthony James wrote on Thu 22. 03. 2012 at 15:40 -0400:
> > > > > I'm having problems connecting to a spice virtual machine using
> > > > > SSL. I use the following command to connect:
> > > > >
> > > > > spicec -h localhost -p $PORT -s $SPORT --secure-channels all --host-subject "$HOSTSUBJECT" -w $PASSWD
> > > > >
> > > >
> > > > You're missing --ca-file $CA_CERTIFICATE_FILE in your command line.
> > > >
> > > > David
> > > >
> > > > > The error I receive is:
> > > > >
> > > > > Error: failed to connect w/SSL, ssl_error
> > > > > error:00000001:lib(0):func(0):reason(1)
> > > > > 139699632096512:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
> > > > > Warning: SSL Error:
> > > > >
> > > > > I have followed the instructions from the following 2 sites to
> > > > > configure the SSL certs:
> > > > >
> > > > > http://www.spice-space.org/page/SSLConnection
> > > > > http://fedoraproject.org/w/index.php?title=QA:Testcase_Virtualization_Manually_set_spice_listening_port_with_TLS_port_set&oldid=255162
> > > > >
> > > > > Any help would be greatly appreciated, I'm sure I'm missing
> > > > > something.
> > > > >
> > > > > Thanks,
> > > > > Tony

-- 
David Jaša, RHCE

SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24

_______________________________________________
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel
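The procedure the thread converges on (generate a CA and server certificate, put them where qemu's x509-dir points, start qemu with tls-port, connect with the CA file and a host subject whose RDNs are separated by bare commas) as an added, self-contained script. This is example code written for this page, not the script from spice-space.org and not part of SPICE, qemu or libvirt. It assumes the openssl command line tool; the function names, the CA subject, port 5901 and the idea of deriving the host subject from the certificate rather than retyping it are this example's own. The qemu options tls-port, disable-ticketing and x509-dir, the ca-cert.pem/server-cert.pem/server-key.pem file names and the remote-viewer options come from the thread itself.

```shell
#!/bin/sh
# Added example (not the thread's or spice-space.org's script): build a SPICE CA
# and server certificate with openssl, verify them, and print the host subject
# in the comma-separated, no-space form the thread settles on.
set -eu

# David's fix, applied to every separator: "C=IL, L=Raanana" -> "C=IL,L=Raanana".
# With the space left in, the client looks for an attribute named " L",
# which no certificate has, and the subject check fails.
normalize_host_subject() {
    printf '%s\n' "$1" | sed 's/, */,/g'
}

# Create ca-cert.pem, server-cert.pem and server-key.pem in $1 (the names
# qemu's x509-dir expects). $2 is the server subject in openssl's slash form.
make_spice_certs() {
    dir=$1
    subj=$2
    mkdir -p "$dir"
    # Self-signed CA. The CA subject is this example's choice.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj '/C=IL/L=Raanana/O=Red Hat/CN=spice test CA' \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null
    # Server key and CSR, then sign the CSR with the CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/server-cert.pem" 2>/dev/null
    rm -f "$dir/server.csr"
    # qemu only needs the CA cert, server cert and server key; keep keys private.
    chmod 600 "$dir/ca-key.pem" "$dir/server-key.pem"
}

# Print a certificate's subject as the client wants it: RDNs in certificate
# order, joined by bare commas (openssl's sep_comma_plus display option).
# Reading it off the cert avoids retyping it with stray spaces.
spice_host_subject() {
    openssl x509 -noout -subject -nameopt sep_comma_plus -in "$1" \
        | sed 's/^subject= *//'
}

# Checks to run before starting qemu: all three files present, the server cert
# chains to the CA, and the private key matches the cert. Prints "ok" on success.
check_spice_certs() {
    dir=$1
    for f in ca-cert.pem server-cert.pem server-key.pem; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" 2>&1 \
        | grep -q ': OK$' \
        || { echo "server-cert.pem does not chain to ca-cert.pem" >&2; return 1; }
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/server-cert.pem")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/server-key.pem" 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ] \
        || { echo "server-key.pem does not match server-cert.pem" >&2; return 1; }
    echo ok
}

# Usage: sh spice-tls-certs.sh /path/to/x509-dir
# (e.g. /etc/pki/libvirt-spice, the directory the thread uses)
if [ $# -gt 0 ]; then
    x509_dir=$1
    make_spice_certs "$x509_dir" '/C=IL/L=Raanana/O=Red Hat/CN=my server'
    check_spice_certs "$x509_dir"
    subject=$(spice_host_subject "$x509_dir/server-cert.pem")
    echo "server: qemu-kvm ... -spice tls-port=5901,disable-ticketing,x509-dir=$x509_dir"
    echo "client: remote-viewer --spice-ca-file $x509_dir/ca-cert.pem" \
         "--spice-host-subject '$subject' 'spice://127.0.0.1/?tls-port=5901'"
fi
```

The script prints the exact remote-viewer line to paste into the second terminal, with the host subject quoted as one argument; if check_spice_certs fails, fix the certificate files before looking at the client side, since an SSL_accept failure in the VM log and a "certificate verify failed" on the client are both what a chain or subject mismatch looks like.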