Problem resolved, it was a cert issue. Thanks for the help. <div class="gmail_quote">On Fri, Mar 23, 2012 at 8:03 AM, Anthony James <<a href="mailto:anthony.james@cintriq.com">anthony.james@cintriq.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I did have spaces after the commas in the host subject but after regenerating the certs and modifying the command I receive the same error. I followed the steps to create the certs from the <a href="http://www.spice-space.org/page/SSLConnection" target="_blank">http://www.spice-space.org/page/SSLConnection</a> site. Should those steps work?<div class="HOEnZb"> <div class="h5"> <div class="gmail_quote">On Fri, Mar 23, 2012 at 7:36 AM, David Jaša <<a href="mailto:djasa@redhat.com" target="_blank">djasa@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> Hi Anthony, I don't see anything clearly wrong in what you posted in your last two mails. Just one note: -spice addr=127.0.0.1 means that the host will only be accessible on the localhost - if you add "<listen type='address' address='0.0.0.0'/>" element to "<graphics>" element in domain xml, qemu will bind to all ipv4 addresses. I'd just check the SSL/TLS stuff again - if your certs are OK, if you pass correct host subject (without space after comma!), if you pass correct CA file and so on... David Anthony James píše v Pá 23. 03. 2012 v 07:20 -0400: <div><div>> I just tried connecting using remote-viewer, here is the command: > > > remote-viewer --spice-ca-file=ca-cert.pem > --spice-host-subject="$HOSTSUBJECT" spice://localhost/?port= > $PORT&tls-port=$SPORT > > > It connects but using only the non-tls port. When I remove port=$PORT > to try and force it to use the tls-port the connection fails and I see > this in the VM log: > > > reds_handle_ssl_accept: SSL_accept failed, error=1 > > > The remote-viewer version is 0.5.2. > > On Fri, Mar 23, 2012 at 7:10 AM, Anthony James > <<a href="mailto:anthony.james@cintriq.com" target="_blank">anthony.james@cintriq.com</a>> wrote: > I created and started the VM with virt-manager. Here is what > looks like the qemu cmd from /var/log/libvirt/qemu/$VM.log > > > /usr/bin/qemu-kvm -S -M pc-0.15 -cpu core2duo,+lahf_lm, > +rdtscp,+popcnt,+sse4.2,+sse4.1,+pdcm,+xtpr,+cx16,+tm2,+est, > +smx,+vmx,+ds_cpl,+dtes64,+pbe,+tm,+ht,+ss,+acpi,+ds -enable > -kvm -m 2048 -smp 2,sockets=2,cores=1,threads=1 -name $VMNAME > -uuid 9046e3aa-81d5-028d-010f-2a755e20aa97 -nodefconfi > g -nodefaults -chardev > socket,id=charmonitor,path=/var/lib/libvirt/qemu/$VMNAME.monitor,server,nowait -mon chardev=c > harmonitor,id=monitor,mode=control -rtc base=localtime > -no-shutdown -device > virtio-serial-pci,id=virtio-serial0,bus=pci. > 0,addr=0x5 -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x8 > -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0 > ,addr=0x9 -device > ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0xa > -device ich9-usb-uhci3,masterbus=usb.0,f > irstport=4,bus=pci.0,addr=0xb -drive > file=/vm/$VMNAME.img,if=none,id=drive-virtio-disk0,format=raw > -device virtio-bl > k-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -drive file=/iso/virtio-win-0.1-2 > 2.iso,if=none,media=cdrom,id=drive-ide0-1-0,readonly=on,format=raw -device ide-drive,bus=ide.1,unit=0,drive=drive-ide0-1 > -0,id=ide0-1-0 -netdev > tap,fd=26,id=hostnet0,vhost=on,vhostfd=27 -device > virtio-net-pci,netdev=hostnet0,id=net0,mac=52:5 > 4:00:43:e6:dd,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 > -device isa-serial,chardev=charserial0,id=serial0 -chardev > spicevmc,id=charchannel0,name=vdagent -device > virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0, > name=com.redhat.spice.0 -device usb-tablet,id=input0 -spice > port=$PORT,tls-port= > $SPORT,addr=127.0.0.1,x509-dir=/etc/pki/lib > virt-spice -k en-us -vga qxl -global > qxl-vga.vram_size=67108864 -device > intel-hda,id=sound0,bus=pci.0,addr=0x4 -device h > da-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -chardev > spicevmc,id=charredir0,name=usbredir -device > usb-redir,chardev=ch > arredir0,id=redir0 -device > virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7 > > > Also in the log I see the following messages for everytime I > try to connect using SSL: > > > reds_handle_ssl_accept: SSL_accept failed, error=1 > reds_handle_ssl_accept: SSL_accept failed, error=1 > > > Here are the package versions I'm running: > > > spice-xpi-2.7-2.fc16.x86_64 > spice-gtk3-0.11-4.fc16.x86_64 > spice-gtk-tools-0.11-4.fc16.x86_64 > spice-client-0.10.1-1.fc16.x86_64 > spice-server-0.10.1-1.fc16.x86_64 > spice-gtk-python-0.11-4.fc16.x86_64 > spice-gtk-0.11-4.fc16.x86_64 > spice-protocol-0.10.1-1.fc16.noarch > spice-glib-0.11-4.fc16.x86_64 > libvirt-0.9.10-2.fc16.x86_64 > libvirt-python-0.9.10-2.fc16.x86_64 > libvirt-client-0.9.10-2.fc16.x86_64 > qemu-system-x86-1.0-7.fc16.x86_64 > gpxe-roms-qemu-1.0.1-4.fc16.noarch > qemu-common-1.0-7.fc16.x86_64 > qemu-img-1.0-7.fc16.x86_64 > virt-manager-common-0.9.1-2.fc16.noarch > virt-manager-0.9.1-2.fc16.noarch > > > The host is running Fedora 16 with the updates-testing > virt-preview repos enabled. > > > > On Fri, Mar 23, 2012 at 6:58 AM, David Jaša <<a href="mailto:djasa@redhat.com" target="_blank">djasa@redhat.com</a>> > wrote: > Anthony James píše v Pá 23. 03. 2012 v 06:46 -0400: > > David, > > > > > > I just tried about 20 times in a row, same error. > When you say it's a > > known bug in spicec when connecting manually, what > is the alternative > > to connecting manually? Is this bug present in > spicy or > > remote-viewer? Thanks in advance. > > > I don't recall hitting it with remote-viewer. FTR, > remote-viewer's > invocation format differs from that of spicec and > spicy: > > remote-viewer <options> > spice://<host>/?port=<port>&tls-port=<sport> > > you can get the complete list of of options with: > > remote-viewer --help-all > > Speaking about it, it might be also the libvirt/qemu > bug that both fired > up with main channel forced to SSL/TLS but without > setting up tls-port > on which would qemu actually listen. Could you post > qemu command line > here so we can rule it out? > > David > > > > On Fri, Mar 23, 2012 at 6:37 AM, David Jaša > <<a href="mailto:djasa@redhat.com" target="_blank">djasa@redhat.com</a>> wrote: > > Anthony James píše v Pá 23. 03. 2012 v 06:26 > -0400: > > > David, > > > > > > Thanks for the reply. I've tried adding > --ca-file to the > > spicec > > > command line but still receive the same > error. Here is the > > command: > > > > > > spicec -h localhost -p $PORT -s $SPORT > --secure-channels all > > > --host-subject "$HOSTSUBJECT" --ca-file > ca-cert.pem -w > > $PASSWD > > > > > > Same error: > > > > > > Error: failed to connect w/SSL, ssl_error > > > error:00000001:lib(0):func(0):reason(1) > > > 140613653984512:error:14090086:SSL > > > > routines:SSL3_GET_SERVER_CERTIFICATE:certificate > verify > > > failed:s3_clnt.c:1063: > > > Warning: SSL Error: > > > > > > Hi Anthony, > > > > try several times. It's a known bug in > spicec that when you're > > connecting manually, the connection fails > several times before > > it is > > established. Actually it's more frequent if > you specify > > --secure > > channels all or if you omit -p altogether > (both have the same > > effect). > > > > David > > > > > > On Fri, Mar 23, 2012 at 6:06 AM, David > Jaša > > <<a href="mailto:djasa@redhat.com" target="_blank">djasa@redhat.com</a>> wrote: > > > Hi Anthony, > > > > > > Anthony James píše v Čt 22. 03. > 2012 v 15:40 -0400: > > > > I'm having problems connecting > to a spice virtual > > machine > > > using SSL. > > > > I use the following command to > connect: > > > > > > > > > > > > spicec -h localhost -p $PORT -s > $SPORT > > --secure-channels all > > > > --host-subject "$HOSTSUBJECT" -w > $PASSWD > > > > > > > > > > You're missing --ca-file > $CA_CERTIFICATE_FILE in > > your command > > > line. > > > > > > David > > > > > > > > The error I receive is: > > > > > > > > > > > > Error: failed to connect w/SSL, > ssl_error > > > > > error:00000001:lib(0):func(0):reason(1) > > > > > 139699632096512:error:14090086:SSL > > > > > routines:SSL3_GET_SERVER_CERTIFICATE:certificate > > verify > > > > failed:s3_clnt.c:1063: > > > > Warning: SSL Error: > > > > > > > > > > > > I have followed the instructions > from the > > following 2 sites > > > to > > > > configure the SSL certs: > > > > > > > > > > > > > <a href="http://www.spice-space.org/page/SSLConnection" target="_blank">http://www.spice-space.org/page/SSLConnection</a> > > > > > > > > > > > > > > > > > > <a href="http://fedoraproject.org/w/index.php?title=QA:Testcase_Virtualization_Manually_set_spice_listening_port_with_TLS_port_set&oldid=255162" target="_blank">http://fedoraproject.org/w/index.php?title=QA:Testcase_Virtualization_Manually_set_spice_listening_port_with_TLS_port_set&oldid=255162</a> > > > > > > > > > > > > Any help would be greatly > appreciated, I'm sure > > I'm missing > > > something. > > > > > > > > > > > > Thanks, > > > > Tony > > > > > > > > _______________________________________________ > > > > Spice-devel mailing list > > > > > <a href="mailto:Spice-devel@lists.freedesktop.org" target="_blank">Spice-devel@lists.freedesktop.org</a> > > > > > > > <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a> > > > > > > > > > -- > > > > > > David Jaša, RHCE > > > > > > SPICE QE based in Brno > > > GPG Key: 22C33E24 > > > Fingerprint: 513A 060B D1B4 2A72 > 7F0D 0278 B125 CD00 > > 22C3 3E24 > > > > > > > > > > > > > > > > _______________________________________________ > > > Spice-devel mailing list > > > <a href="mailto:Spice-devel@lists.freedesktop.org" target="_blank">Spice-devel@lists.freedesktop.org</a> > > > > <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a> > > > > -- > > > > David Jaša, RHCE > > > > SPICE QE based in Brno > > GPG Key: 22C33E24 > > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 > B125 CD00 22C3 3E24 > > > > > > > > > > > > > > _______________________________________________ > > Spice-devel mailing list > > <a href="mailto:Spice-devel@lists.freedesktop.org" target="_blank">Spice-devel@lists.freedesktop.org</a> > > > <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a> > > -- > > David Jaša, RHCE > > SPICE QE based in Brno > GPG Key: 22C33E24 > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 > 22C3 3E24 > > > > > > > > > _______________________________________________ > Spice-devel mailing list > <a href="mailto:Spice-devel@lists.freedesktop.org" target="_blank">Spice-devel@lists.freedesktop.org</a> > <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a> -- David Jaša, RHCE SPICE QE based in Brno GPG Key: 22C33E24 Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24 </div></div></blockquote></div> </div></div></blockquote></div>