I created and started the VM with virt-manager. Here is what looks like the qemu cmd from /var/log/libvirt/qemu/$VM.log<div><br></div><div><div>/usr/bin/qemu-kvm -S -M pc-0.15 -cpu core2duo,+lahf_lm,</div><div>+rdtscp,+popcnt,+sse4.2,+sse4.1,+pdcm,+xtpr,+cx16,+tm2,+est,+smx,+vmx,+ds_cpl,+dtes64,+pbe,+tm,+ht,+ss,+acpi,+ds -enable</div> <div>-kvm -m 2048 -smp 2,sockets=2,cores=1,threads=1 -name $VMNAME -uuid 9046e3aa-81d5-028d-010f-2a755e20aa97 -nodefconfi</div><div>g -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/$VMNAME.monitor,server,nowait -mon chardev=c</div> <div>harmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -device virtio-serial-pci,id=virtio-serial0,bus=pci.</div><div>0,addr=0x5 -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x8 -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0</div> <div>,addr=0x9 -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0xa -device ich9-usb-uhci3,masterbus=usb.0,f</div><div>irstport=4,bus=pci.0,addr=0xb -drive file=/vm/$VMNAME.img,if=none,id=drive-virtio-disk0,format=raw -device virtio-bl</div> <div>k-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -drive file=/iso/virtio-win-0.1-2</div><div>2.iso,if=none,media=cdrom,id=drive-ide0-1-0,readonly=on,format=raw -device ide-drive,bus=ide.1,unit=0,drive=drive-ide0-1</div> <div>-0,id=ide0-1-0 -netdev tap,fd=26,id=hostnet0,vhost=on,vhostfd=27 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:5</div><div>4:00:43:e6:dd,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev </div> <div>spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,</div><div>name=com.redhat.spice.0 -device usb-tablet,id=input0 -spice port=$PORT,tls-port=$SPORT,addr=127.0.0.1,x509-dir=/etc/pki/lib</div> <div>virt-spice -k en-us -vga qxl -global qxl-vga.vram_size=67108864 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device h</div><div>da-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -chardev spicevmc,id=charredir0,name=usbredir -device usb-redir,chardev=ch</div> <div>arredir0,id=redir0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7</div><div><br></div><div>Also in the log I see the following messages for everytime I try to connect using SSL:</div><div><br></div><div><div> reds_handle_ssl_accept: SSL_accept failed, error=1</div><div>reds_handle_ssl_accept: SSL_accept failed, error=1</div></div><div><br></div><div>Here are the package versions I'm running:</div><div><br></div><div><div>spice-xpi-2.7-2.fc16.x86_64</div> <div>spice-gtk3-0.11-4.fc16.x86_64</div><div>spice-gtk-tools-0.11-4.fc16.x86_64</div><div>spice-client-0.10.1-1.fc16.x86_64</div><div>spice-server-0.10.1-1.fc16.x86_64</div><div>spice-gtk-python-0.11-4.fc16.x86_64</div><div> spice-gtk-0.11-4.fc16.x86_64</div><div>spice-protocol-0.10.1-1.fc16.noarch</div><div>spice-glib-0.11-4.fc16.x86_64</div><div><div>libvirt-0.9.10-2.fc16.x86_64</div><div>libvirt-python-0.9.10-2.fc16.x86_64</div><div>libvirt-client-0.9.10-2.fc16.x86_64</div> </div></div><div><div>qemu-system-x86-1.0-7.fc16.x86_64</div><div>gpxe-roms-qemu-1.0.1-4.fc16.noarch</div><div>qemu-common-1.0-7.fc16.x86_64</div><div>qemu-img-1.0-7.fc16.x86_64</div></div><div><div>virt-manager-common-0.9.1-2.fc16.noarch</div> <div>virt-manager-0.9.1-2.fc16.noarch</div></div><div><br></div><div>The host is running Fedora 16 with the updates-testing virt-preview repos enabled.</div><div><br></div><br><div class="gmail_quote">On Fri, Mar 23, 2012 at 6:58 AM, David Jaša <span dir="ltr"><<a href="mailto:djasa@redhat.com">djasa@redhat.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Anthony James píše v Pá 23. 03. 2012 v 06:46 -0400:<br> <div class="im">> David,<br> ><br> ><br> > I just tried about 20 times in a row, same error. When you say it's a<br> > known bug in spicec when connecting manually, what is the alternative<br> > to connecting manually? Is this bug present in spicy or<br> > remote-viewer? Thanks in advance.<br> <br> </div>I don't recall hitting it with remote-viewer. FTR, remote-viewer's<br> invocation format differs from that of spicec and spicy:<br> <br> remote-viewer <options> spice://<host>/?port=<port>&tls-port=<sport><br> <br> you can get the complete list of of options with:<br> <br> remote-viewer --help-all<br> <br> Speaking about it, it might be also the libvirt/qemu bug that both fired<br> up with main channel forced to SSL/TLS but without setting up tls-port<br> on which would qemu actually listen. Could you post qemu command line<br> here so we can rule it out?<br> <div class="HOEnZb"><div class="h5"><br> David<br> ><br> > On Fri, Mar 23, 2012 at 6:37 AM, David Jaša <<a href="mailto:djasa@redhat.com">djasa@redhat.com</a>> wrote:<br> > Anthony James píše v Pá 23. 03. 2012 v 06:26 -0400:<br> > > David,<br> > ><br> > > Thanks for the reply. I've tried adding --ca-file to the<br> > spicec<br> > > command line but still receive the same error. Here is the<br> > command:<br> > ><br> > > spicec -h localhost -p $PORT -s $SPORT --secure-channels all<br> > > --host-subject "$HOSTSUBJECT" --ca-file ca-cert.pem -w<br> > $PASSWD<br> > ><br> > > Same error:<br> > ><br> > > Error: failed to connect w/SSL, ssl_error<br> > > error:00000001:lib(0):func(0):reason(1)<br> > > 140613653984512:error:14090086:SSL<br> > > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify<br> > > failed:s3_clnt.c:1063:<br> > > Warning: SSL Error:<br> ><br> ><br> > Hi Anthony,<br> ><br> > try several times. It's a known bug in spicec that when you're<br> > connecting manually, the connection fails several times before<br> > it is<br> > established. Actually it's more frequent if you specify<br> > --secure<br> > channels all or if you omit -p altogether (both have the same<br> > effect).<br> ><br> > David<br> > ><br> > > On Fri, Mar 23, 2012 at 6:06 AM, David Jaša<br> > <<a href="mailto:djasa@redhat.com">djasa@redhat.com</a>> wrote:<br> > > Hi Anthony,<br> > ><br> > > Anthony James píše v Čt 22. 03. 2012 v 15:40 -0400:<br> > > > I'm having problems connecting to a spice virtual<br> > machine<br> > > using SSL.<br> > > > I use the following command to connect:<br> > > ><br> > > ><br> > > > spicec -h localhost -p $PORT -s $SPORT<br> > --secure-channels all<br> > > > --host-subject "$HOSTSUBJECT" -w $PASSWD<br> > > ><br> > ><br> > > You're missing --ca-file $CA_CERTIFICATE_FILE in<br> > your command<br> > > line.<br> > ><br> > > David<br> > > ><br> > > > The error I receive is:<br> > > ><br> > > ><br> > > > Error: failed to connect w/SSL, ssl_error<br> > > > error:00000001:lib(0):func(0):reason(1)<br> > > > 139699632096512:error:14090086:SSL<br> > > > routines:SSL3_GET_SERVER_CERTIFICATE:certificate<br> > verify<br> > > > failed:s3_clnt.c:1063:<br> > > > Warning: SSL Error:<br> > > ><br> > > ><br> > > > I have followed the instructions from the<br> > following 2 sites<br> > > to<br> > > > configure the SSL certs:<br> > > ><br> > > ><br> > > > <a href="http://www.spice-space.org/page/SSLConnection" target="_blank">http://www.spice-space.org/page/SSLConnection</a><br> > > ><br> > > ><br> > > ><br> > ><br> > <a href="http://fedoraproject.org/w/index.php?title=QA:Testcase_Virtualization_Manually_set_spice_listening_port_with_TLS_port_set&oldid=255162" target="_blank">http://fedoraproject.org/w/index.php?title=QA:Testcase_Virtualization_Manually_set_spice_listening_port_with_TLS_port_set&oldid=255162</a><br> > > ><br> > > ><br> > > > Any help would be greatly appreciated, I'm sure<br> > I'm missing<br> > > something.<br> > > ><br> > > ><br> > > > Thanks,<br> > > > Tony<br> > ><br> > > > _______________________________________________<br> > > > Spice-devel mailing list<br> > > > <a href="mailto:Spice-devel@lists.freedesktop.org">Spice-devel@lists.freedesktop.org</a><br> > > ><br> > <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a><br> > ><br> > ><br> > > --<br> > ><br> > > David Jaša, RHCE<br> > ><br> > > SPICE QE based in Brno<br> > > GPG Key: 22C33E24<br> > > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00<br> > 22C3 3E24<br> > ><br> > ><br> > ><br> > ><br> > > _______________________________________________<br> > > Spice-devel mailing list<br> > > <a href="mailto:Spice-devel@lists.freedesktop.org">Spice-devel@lists.freedesktop.org</a><br> > > <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a><br> ><br> > --<br> ><br> > David Jaša, RHCE<br> ><br> > SPICE QE based in Brno<br> > GPG Key: 22C33E24<br> > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24<br> ><br> ><br> ><br> ><br> ><br> ><br> > _______________________________________________<br> > Spice-devel mailing list<br> > <a href="mailto:Spice-devel@lists.freedesktop.org">Spice-devel@lists.freedesktop.org</a><br> > <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a><br> <br> --<br> <br> David Jaša, RHCE<br> <br> SPICE QE based in Brno<br> GPG Key: 22C33E24<br> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24<br> <br> <br> <br> </div></div></blockquote></div><br></div>