On Wed, Feb 9, 2022 at 7:52 AM Patrick Hibbs <[email protected]> wrote:
> The certificates used in SPICE connections are stored on the VM hosts. By > default they are at /etc/pki/vdsm/libvirt-spice, and configured by VDSM in > /etc/libvirt/qemu.conf. Their default names are ca-cert.pem, > server-cert.pem, and server-key.pem. Using openssl x509 -noout -text -in > </path/to/cert-file> should show you the certificate's expiration info. > > Note: Don't try to change anything, it will be overwritten by VDSM on the > next host update / reinstall. > > As for remote-viewer, if you run it manually from the console with > "remote-viewer --debug </path/to/console.vv>" or "remote-viewer --verbose > </path/to/console.vv>" it will print log information about the connection > it's trying to establish. > > -Patrick Hibbs > > Hello, You must have missed my answer above. (Understandable, given the length of this thread...) I replaced and verified /etc/pki/vdsm/libvirt-spice/server-cert.pem Restarted all the services on the host. $ openssl x509 -in /etc/pki/vdsm/libvirt-spice/server-cert.pem -noout -dates notBefore=Feb 7 13:59:14 2022 GMT notAfter=Feb 7 13:59:14 2027 GMT $ openssl x509 -in /etc/pki/vdsm/libvirt-spice/ca-cert.pem -noout -dates notBefore=Dec 26 16:25:01 2020 GMT notAfter=Dec 25 16:25:01 2030 GMT However, remote-viewer still fails: $ remote-viewer --debug console.vv ... (remote-viewer:14874): Spice-WARNING **: 18:14:33.500: ../subprojects/spice-common/common/ssl_verify.c:506:openssl _verify: ssl: subject 'O=localdomain,CN=gilboa-wx-srv.localdomain' verification failed The main problem here is that while we assume the problem is expired certificates, it can be something else (Subject, CN, etc). The error is not informative.. - Gilboa. > On Wed, 2022-02-09 at 06:58 +0200, Gilboa Davara wrote: > > > > On Wed, Feb 9, 2022 at 1:05 AM Strahil Nikolov <[email protected]> > wrote: > > I have no clue , but I would give vdsm.service a restart. > > > Thanks again for the prompt response. > Tried that, restarted all services and the all the VMS, didn't work. > > Any idea how I can verify the certificate information actually being used > by qemu for the spice console? > remote-viewer just fails, without giving any meaningful error message. > > - Gilboa > > > > Best Regards, > Strahil Nikolov > > On Tue, Feb 8, 2022 at 18:19, Gilboa Davara > <[email protected]> wrote: > _______________________________________________ > Users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Privacy Statement: https://www.ovirt.org/privacy-policy.html > oVirt Code of Conduct: > https://www.ovirt.org/community/about/community-guidelines/ > List Archives: > > https://lists.ovirt.org/archives/list/[email protected]/message/2GAQH44QD6KTS4RHXQBDWL6PNI6OKCS3/ > > _______________________________________________ > Users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Privacy Statement: https://www.ovirt.org/privacy-policy.html > oVirt Code of Conduct: > https://www.ovirt.org/community/about/community-guidelines/ > List Archives: > https://lists.ovirt.org/archives/list/[email protected]/message/OG57VT2XGDTY2MFOJFFUCZAMXS22W4OG/ > > > _______________________________________________ > Users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Privacy Statement: https://www.ovirt.org/privacy-policy.html > oVirt Code of Conduct: > https://www.ovirt.org/community/about/community-guidelines/ > List Archives: > https://lists.ovirt.org/archives/list/[email protected]/message/AKQVBARD4EWIS3PCQYLX7AH575XRDYAD/ >
_______________________________________________ Users mailing list -- [email protected] To unsubscribe send an email to [email protected] Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/5FFDOORY2QJ6QGWT3RNVVYE2DIVTB4KL/
