Hi I'm going through the process now logging everything I am doing.<div><br></div><div>The VM does start BTW, the problem is that it cannot open the secure channel from remote-viewer attempts to connect, with qemu giving those errors in VM11.log. I will post my new attempt here anyway in a little while, with a success or failure, I've had some minor issues with the pki directory, hence removing and and trying again with fully checked permissions.<br>
<br>Thanks for the help.<br><br><div class="gmail_quote">On Mon, Nov 12, 2012 at 10:12 PM, David Jaša <span dir="ltr"><<a href="mailto:djasa@redhat.com" target="_blank">djasa@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Jodi Curtis píše v Po 12. 11. 2012 v 19:47 +0000:<br>
<div class="im">> hi<br>
><br>
><br>
> sorry I should explain that I used squealer as the server name which<br>
> matches the hostname, this is aliased to various ip's and domain names<br>
> in hosts, the usual method, I'll check the local ip is listed in there<br>
> though,I could try the local ip used to connect .<br>
><br>
<br>
</div>Well, all of these are side problems as long as your VMs refuse to<br>
start... Anyway, given that spice knows how to override the CN check<br>
since its very beginnings (using --spice-host-subject option), this is<br>
no big deal, it's just more convenient if you don't have to.<br>
<div class="im"><br>
><br>
> yes the keys were created in the correct directory<br>
<br>
</div>and you already stated that.<br>
<br>
The error message is pretty clear though: there is either something<br>
wrong with certificates themselves or qemu can not access them. If you<br>
can see details of all of them using CLI tools, then the certificates<br>
should be ok. You could verify that ultimately by trying to run<br>
minimalistic qemu manually:<br>
<br>
$ sudo /usr/bin/kvm -monitor stdio -spice tls-port=5800,x509-dir=/etc/pki/libvirt-spice,disable-ticketing<br>
<br>
you should see just a message like this:<br>
QEMU 0.12.1 monitor - type 'help' for more information<br>
(qemu)<br>
<br>
If you see the same error again, there is something wrong with<br>
certificates themselves. If not, verify that they are accessible to the<br>
qemu process - note that it may run under different user than root and<br>
in addition, it may be confined by SELinux or AppArmor. I can't speak<br>
for AppArmor but for SELinux, you may need to restore context of the<br>
files (and directories) to make them accessible for qemu.<br>
<span class="HOEnZb"><font color="#888888"><br>
David<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
><br>
> On Mon, Nov 12, 2012 at 7:42 PM, David Jaša <<a href="mailto:djasa@redhat.com">djasa@redhat.com</a>> wrote:<br>
> Jodi Curtis píše v Po 12. 11. 2012 v 18:53 +0000:<br>
> > Hi<br>
> ><br>
> ><br>
> > Package and OS<br>
> > ------------------------------<br>
> > Ubuntu 12.10<br>
> ><br>
> > qemu-kvm-spice:<br>
> > Installed: 1.2.0-2012.09-0ubuntu1<br>
> > Candidate: 1.2.0-2012.09-0ubuntu1<br>
> > Version table:<br>
> > *** 1.2.0-2012.09-0ubuntu1 0<br>
> > 500 <a href="http://gb.archive.ubuntu.com/ubuntu/" target="_blank">http://gb.archive.ubuntu.com/ubuntu/</a><br>
> quantal/universe<br>
> > amd64 Packages<br>
> > 100 /var/lib/dpkg/status<br>
> ><br>
> ><br>
> > Key Creation<br>
> ><br>
> > -------------------------<br>
> ><br>
> ><br>
> > openssl genrsa -des3 -out ca-key.pem 1024<br>
> > openssl req -new -x509 -days 1095 -key ca-key.pem -out<br>
> ca-cert.pem<br>
> > -utf8 -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"<br>
> > openssl genrsa -out server-key.pem 1024<br>
> > openssl req -new -key server-key.pem -out server-key.csr<br>
> -utf8 -subj<br>
> > "/C=IL/L=Raanana/O=Red Hat/CN=my server"<br>
><br>
><br>
> (side note here: you can omit C, L and O fields are redundant<br>
> for uses<br>
> outside of controlled environments but CN field should contain<br>
> hostname<br>
> or IP address of your server so that you don't need to<br>
> override the host<br>
> subject)<br>
><br>
> > openssl x509 -req -days 1095 -in server-key.csr -CA<br>
> ca-cert.pem -CAkey<br>
> > ca-key.pem -set_serial 01 -out server-cert.pem<br>
> > openssl rsa -in server-key.pem -out server-key.pem.insecure<br>
> > mv server-key.pem server-key.pem.secure<br>
> > mv server-key.pem.insecure server-key.pem<br>
> ><br>
><br>
><br>
> here,<br>
><br>
> ><br>
> > qemu.conf<br>
> ><br>
> > --------------<br>
> ><br>
> ><br>
> > qemu.conf configuration was attempted as default, and<br>
> specified using<br>
> > an uncommented path "/etc/pki/libvirt-spice"<br>
> ><br>
><br>
><br>
> here,<br>
><br>
> ><br>
> > spice_tls = 1<br>
> ><br>
> > # default it to keep them in /etc/pki/libvirt-spice. This<br>
> directory<br>
> ><br>
> > # must contain<br>
> ><br>
> > ...<br>
> ><br>
> > #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" (using<br>
> the default<br>
> > path)<br>
> ><br>
> > spice_tls_x509_cert_dir =<br>
> "/etc/pki/libvirt-spice" (specifiying the<br>
> > path directly)<br>
> ><br>
><br>
><br>
> and here are the key points. Did you copy the<br>
> {ca,server}-{key,cert}.pem<br>
> files to /etc/pki/libvirt-spice?<br>
><br>
> David<br>
><br>
> ><br>
> > Permissions<br>
> ><br>
> > -------------<br>
> ><br>
> > Permissions were tested set as default (assumed root or my<br>
> account)<br>
> > and<br>
> ><br>
> > sudo chown libvirt-qemu /etc/pki/libvirt-spice/<br>
> ><br>
> > sudo chown libvirt-qemu /etc/pki/libvirt-spice/<filenames of<br>
> files><br>
> ><br>
> ><br>
> ><br>
> > Error Reported<br>
> > -------------------------<br>
> ><br>
> ><br>
> > sudo nano /var/log/libvirt/qemu/VM11.log<br>
> ><br>
> ><br>
> > qemu: terminating on signal 15 from pid 1417<br>
> > 2012-11-12 18:11:24.586+0000: shutting down<br>
> > 2012-11-12 18:11:29.698+0000: starting up<br>
> > LC_ALL=C<br>
> ><br>
> PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin<br>
> > QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2<br>
> -cpu<br>
> > Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,<br>
> +cmp_legacy,<br>
> > +3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme<br>
> -enable-kvm -m<br>
> > 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid<br>
> > 35a6984d-0b77-da48-770e-a8fb0c7c284d -no-user-config<br>
> -nodefaults<br>
> > -chardev<br>
> ><br>
> socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3 -drive file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4 -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1 -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -spice port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/etc/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter -k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5<br>
> > char device redirected to /dev/pts/1<br>
> > ((null):1916): Spice-Warning **: reds.c:3307:reds_init_ssl:<br>
> Could not<br>
> > load certificates<br>
> from /etc/pki/libvirt-spice/server-cert.pem<br>
> > ((null):1916): Spice-Warning **: reds.c:3317:reds_init_ssl:<br>
> Could not<br>
> > use private key file<br>
> > ((null):1916): Spice-Warning **: reds.c:3325:reds_init_ssl:<br>
> Could not<br>
> > use CA file /etc/pki/libvirt-spice/ca-cert.pem<br>
> ><br>
> ><br>
> ><br>
> ><br>
> > Certificates<br>
> > --------------------<br>
> > I was able to open and read the files using the various<br>
> commands<br>
> > similar to sudo openssl x509 -noout -text -in ca-cert.pem<br>
> ><br>
> ><br>
> > I did wonder if it is rejecting the CA as some security<br>
> feature, I<br>
> > hope this is of use.<br>
> > I chose libvirt-qemu, as this is the account closed to the<br>
> Red<br>
> > Hat/Fedora account name used "qemu"<br>
> ><br>
> ><br>
> ><br>
> ><br>
> > Creation<br>
> > ---------------<br>
> ><br>
> ><br>
> > creation was via an XML definition followed by calling virsh<br>
> define<br>
> > <path>, virsh start VM11<br>
> ><br>
> ><br>
> > I have tried to keep most files inside the libvirt tree to<br>
> try to<br>
> > avoid permission errors, the configuration has two volume<br>
> pools,<br>
> > specified inside /var/lib/libvirt/local/<pool-name> (which<br>
> are mounted<br>
> > to other drives, and operate without problem)<br>
> ><br>
> ><br>
> > The volumes used are vmdk volumes (for performance reasons)<br>
> one inside<br>
> > each pool, for fixed allocation and sparse type allocation),<br>
> not that<br>
> > this matters but it gives you an idea of what the setup is<br>
> like.<br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> > Location content<br>
> ><br>
> ><br>
> ><br>
> ><br>
> > jodic@squealer:/etc/pki/libvirt-spice$ dir<br>
> > ca-cert.pem server-cert.pem server-key.pem<br>
> > ca-key.pem server-key.csr server-key.pem.secure<br>
> ><br>
> ><br>
> > I could try using a location without the qemu tree to try to<br>
> rule out<br>
> > some permission problems. I'll go through it again in a<br>
> little bit<br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> > On Mon, Nov 12, 2012 at 6:11 PM, David Jaša<br>
> <<a href="mailto:djasa@redhat.com">djasa@redhat.com</a>> wrote:<br>
> > Before reporting a bug, could we rule out<br>
> misconfiguration<br>
> > possiblity<br>
> > entirely?<br>
> ><br>
> > 1) do you use libvirt?<br>
> > 2) if so, do you use system session or per-user<br>
> session?<br>
> > 3) could you look at qemu command line? If you use<br>
> libvirt,<br>
> > you'll find it in /var/log/libvirt/qemu/VM_NAME.log<br>
> > 4) at the libvirt command file, is there '...<br>
> > -spice ...,x509-(dir|ca...|server),... ' entry?<br>
> > 5) if the x509 directive is x509-dir, does "qemu-kvm<br>
> -spice<br>
> > tls-port=12345,x509-dir=DIR,disable-ticketing"<br>
> command throw<br>
> > the same error?<br>
> > (the same goes for per-file x509 options)<br>
> > 6) if it is indeed a problem, is it permission issue<br>
> or are<br>
> > the files empty or are they invalid?<br>
> ><br>
> > (...)<br>
> ><br>
> > David<br>
> ><br>
> ><br>
> > Jodi Curtis píše v Po 12. 11. 2012 v 17:55 +0000:<br>
> > > Hi<br>
> > ><br>
> > ><br>
> > > I've used the directory correctly on qemu.conf,<br>
> I've seen<br>
> > these<br>
> > > problems relating to Red Hat/oVirt, where it<br>
> wasn't set<br>
> > despite being<br>
> > > set in qemu.conf, so I will probably file a bug<br>
> report with<br>
> > Ubuntu on<br>
> > > this one.<br>
> > ><br>
> > ><br>
> > > The red-hat solution isn't valid for Ubuntu.<br>
> > ><br>
> > ><br>
> > > Thanks<br>
> > ><br>
> > > On Mon, Nov 12, 2012 at 5:49 PM, David Jaša<br>
> > <<a href="mailto:djasa@redhat.com">djasa@redhat.com</a>> wrote:<br>
> > > Jodi Curtis píše v Po 12. 11. 2012 v 17:31<br>
> +0000:<br>
> > > > Hi<br>
> > > ><br>
> > > ><br>
> > > > Thanks, I found the method in the end,<br>
> my current<br>
> > problem is<br>
> > > related<br>
> > > > to a problem with Ubuntu/SSL/Spice, so<br>
> not really<br>
> > your<br>
> > > software, I<br>
> > > > have asked for help from a Linux admin,<br>
> but its<br>
> > detailed<br>
> > > below for the<br>
> > > > record, I've gone through the key making<br>
> proces<br>
> > twice, and<br>
> > > rebooted,<br>
> > > > obviously paths have been checked and<br>
> qemu.conf<br>
> > has been set<br>
> > > as<br>
> > > > required<br>
> > > ><br>
> > > ><br>
> > > > ((null):2176): Spice-Warning **:<br>
> > reds.c:3307:reds_init_ssl:<br>
> > > Could not<br>
> > > > load certificates from server-cert.pem<br>
> > > > ((null):2176): Spice-Warning **:<br>
> > reds.c:3317:reds_init_ssl:<br>
> > > Could not<br>
> > > > use private key file<br>
> > > > ((null):2176): Spice-Warning **:<br>
> > reds.c:3325:reds_init_ssl:<br>
> > > Could not<br>
> > > > use CA file<br>
> > ><br>
> > ><br>
> > > Assuming that your cert/key files are<br>
> correct and in<br>
> > place,<br>
> > > this looks<br>
> > > like incorrect x509-dir option of qemu cli<br>
> or<br>
> > > spice_tls_x509_cert_dir<br>
> > > directive of /etc/libvirt/qemu.conf<br>
> pointing to a<br>
> > wrong<br>
> > > directory. Just<br>
> > > a configuration issue.<br>
> > ><br>
> > > David<br>
> > ><br>
> > > ><br>
> > > ><br>
> > > > There is very little obvious on the<br>
> internet, so<br>
> > am trying<br>
> > > to identify<br>
> > > > if its a common SSL or config problem,<br>
> or if I<br>
> > should file a<br>
> > > bug<br>
> > > > report with Ubuntu kvm-spice<br>
> > > ><br>
> > > ><br>
> > > > Jodi<br>
> > > ><br>
> > > ><br>
> > > > On Mon, Nov 12, 2012 at 12:12 PM, David<br>
> Jaša<br>
> > > <<a href="mailto:djasa@redhat.com">djasa@redhat.com</a>> wrote:<br>
> > > > Hi Jodi,<br>
> > > ><br>
> > > > You can find full tls-enabled<br>
> > remote-viewer<br>
> > > invocation in this<br>
> > > > oVirt<br>
> > > > wiki page:<br>
> > > ><br>
> > ><br>
> ><br>
> <a href="http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal" target="_blank">http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal</a><br>
> > > ><br>
> > > > David<br>
> > > ><br>
> > > ><br>
> > > > Jodi Curtis píše v Ne 11. 11.<br>
> 2012 v 23:28<br>
> > +0000:<br>
> > > > > Hi<br>
> > > > ><br>
> > > > ><br>
> > > > > I'm having trouble connecting<br>
> to a spice<br>
> > server<br>
> > > with tls<br>
> > > > enabled<br>
> > > > > through virt-viewer on<br>
> windows, I have<br>
> > tls<br>
> > > configured and a<br>
> > > > > ca-cert.pem file, but I don't<br>
> know where<br>
> > to put<br>
> > > it, or what<br>
> > > > to use<br>
> > > > ><br>
> > > > ><br>
> > > > > I have tried various<br>
> combinations of<br>
> > > > spice://192.168.2.140:590x<br>
> > > > ><br>
> > > > ><br>
> > > > > I have tried adding +ssh or<br>
> +tls, I have<br>
> > tried<br>
> > > adding the<br>
> > > > ca-cert.pem<br>
> > > > > file to the location used by<br>
> the spicec<br>
> > page that<br>
> > > covers how<br>
> > > > to set up<br>
> > > > > tls, and I have tried adding<br>
> my username<br>
> > before<br>
> > > the IP.<br>
> > > > ><br>
> > > > > I have tried connecting to<br>
> both ports.<br>
> > > > ><br>
> > > > ><br>
> > > > > Any help on what it should be,<br>
> or if<br>
> > there is an<br>
> > > alternative<br>
> > > > to<br>
> > > > > virt-viewer on windows that I<br>
> need to<br>
> > use for the<br>
> > > secure<br>
> > > > connection.<br>
> > > > ><br>
> > > > ><br>
> > > > > Thanks<br>
> > > ><br>
> > > > ><br>
> > _______________________________________________<br>
> > > > > Spice-devel mailing list<br>
> > > > ><br>
> <a href="mailto:Spice-devel@lists.freedesktop.org">Spice-devel@lists.freedesktop.org</a><br>
> > > > ><br>
> > ><br>
> ><br>
> <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a><br>
> > > ><br>
> > > > --<br>
> > > ><br>
> > > > David Jaša, RHCE<br>
> > > ><br>
> > > > SPICE QE based in Brno<br>
> > > > GPG Key: 22C33E24<br>
> > > > Fingerprint: 513A 060B D1B4 2A72<br>
> 7F0D 0278<br>
> > B125 CD00<br>
> > > 22C3 3E24<br>
> > > ><br>
> > > ><br>
> > > ><br>
> > > ><br>
> > > ><br>
> > > ><br>
> _______________________________________________<br>
> > > > Spice-devel mailing list<br>
> > > > <a href="mailto:Spice-devel@lists.freedesktop.org">Spice-devel@lists.freedesktop.org</a><br>
> > > ><br>
> ><br>
> <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a><br>
> > ><br>
> > > --<br>
> > ><br>
> > > David Jaša, RHCE<br>
> > ><br>
> > > SPICE QE based in Brno<br>
> > > GPG Key: 22C33E24<br>
> > > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278<br>
> B125 CD00<br>
> > 22C3 3E24<br>
> > ><br>
> > ><br>
> > ><br>
> > ><br>
> > ><br>
> > ><br>
> ><br>
> > --<br>
> ><br>
> > David Jaša, RHCE<br>
> ><br>
> > SPICE QE based in Brno<br>
> > GPG Key: 22C33E24<br>
> > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00<br>
> 22C3 3E24<br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > Spice-devel mailing list<br>
> > <a href="mailto:Spice-devel@lists.freedesktop.org">Spice-devel@lists.freedesktop.org</a><br>
> > <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a><br>
><br>
> --<br>
><br>
> David Jaša, RHCE<br>
><br>
> SPICE QE based in Brno<br>
> GPG Key: 22C33E24<br>
> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24<br>
><br>
><br>
><br>
><br>
><br>
><br>
> _______________________________________________<br>
> Spice-devel mailing list<br>
> <a href="mailto:Spice-devel@lists.freedesktop.org">Spice-devel@lists.freedesktop.org</a><br>
> <a href="http://lists.freedesktop.org/mailman/listinfo/spice-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/spice-devel</a><br>
<br>
--<br>
<br>
David Jaša, RHCE<br>
<br>
SPICE QE based in Brno<br>
GPG Key: 22C33E24<br>
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24<br>
<br>
<br>
<br>
</div></div></blockquote></div><br></div>