[Spice-devel] virt viewer from windows to spice server with tls and certificate file problems (what uri?)
Jodi Curtis
jodi.curtis at gmail.com
Mon Nov 12 10:53:57 PST 2012
Hi
Package and OS
------------------------------
Ubuntu 12.10
qemu-kvm-spice:
Installed: 1.2.0-2012.09-0ubuntu1
Candidate: 1.2.0-2012.09-0ubuntu1
Version table:
*** 1.2.0-2012.09-0ubuntu1 0
500 http://gb.archive.ubuntu.com/ubuntu/ quantal/universe amd64
Packages
100 /var/lib/dpkg/status
Key Creation
-------------------------
openssl genrsa -des3 -out ca-key.pem 1024
openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -utf8
-subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
openssl genrsa -out server-key.pem 1024
openssl req -new -key server-key.pem -out server-key.csr -utf8 -subj
"/C=IL/L=Raanana/O=Red Hat/CN=my server"
openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey
ca-key.pem -set_serial 01 -out server-cert.pem
openssl rsa -in server-key.pem -out server-key.pem.insecure
mv server-key.pem server-key.pem.secure
mv server-key.pem.insecure server-key.pem
qemu.conf
--------------
qemu.conf configuration was attempted as default, and specified using an
uncommented path "/etc/pki/libvirt-spice"
spice_tls = 1
# default it to keep them in /etc/pki/libvirt-spice. This directory
# must contain
...
#spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" (using the default path)
spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" (specifiying the path
directly)
Permissions
-------------
Permissions were tested set as default (assumed root or my account) and
sudo chown libvirt-qemu /etc/pki/libvirt-spice/
sudo chown libvirt-qemu /etc/pki/libvirt-spice/<filenames of files>
Error Reported
-------------------------
sudo nano /var/log/libvirt/qemu/VM11.log
qemu: terminating on signal 15 from pid 1417
2012-11-12 18:11:24.586+0000: shutting down
2012-11-12 18:11:29.698+0000: starting up
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin
QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2 -cpu
Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,+cmp_legacy,+3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme
-enable-kvm -m 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid
35a6984d-0b77-da48-770e-a8fb0c7c284d -no-user-config -nodefaults -chardev
socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait
-mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime
-no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive
file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback
-device
virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3
-drive
file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough
-device
virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4
-drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device
ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive
file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw
-device
ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1
-netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device
virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3
-chardev pty,id=charserial0 -device
isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0
-spice
port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/etc/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter
-k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device
virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
char device redirected to /dev/pts/1
((null):1916): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load
certificates from /etc/pki/libvirt-spice/server-cert.pem
((null):1916): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use
private key file
((null):1916): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use
CA file /etc/pki/libvirt-spice/ca-cert.pem
Certificates
--------------------
I was able to open and read the files using the various commands similar
to sudo openssl x509 -noout -text -in ca-cert.pem
I did wonder if it is rejecting the CA as some security feature, I hope
this is of use.
I chose libvirt-qemu, as this is the account closed to the Red Hat/Fedora
account name used "qemu"
Creation
---------------
creation was via an XML definition followed by calling virsh define <path>,
virsh start VM11
I have tried to keep most files inside the libvirt tree to try to avoid
permission errors, the configuration has two volume pools, specified inside
/var/lib/libvirt/local/<pool-name> (which are mounted to other drives, and
operate without problem)
The volumes used are vmdk volumes (for performance reasons) one inside each
pool, for fixed allocation and sparse type allocation), not that this
matters but it gives you an idea of what the setup is like.
Location content
jodic at squealer:/etc/pki/libvirt-spice$ dir
ca-cert.pem server-cert.pem server-key.pem
ca-key.pem server-key.csr server-key.pem.secure
I could try using a location without the qemu tree to try to rule out some
permission problems. I'll go through it again in a little bit
On Mon, Nov 12, 2012 at 6:11 PM, David Jaša <djasa at redhat.com> wrote:
> Before reporting a bug, could we rule out misconfiguration possiblity
> entirely?
>
> 1) do you use libvirt?
> 2) if so, do you use system session or per-user session?
> 3) could you look at qemu command line? If you use libvirt, you'll find it
> in /var/log/libvirt/qemu/VM_NAME.log
> 4) at the libvirt command file, is there '... -spice
> ...,x509-(dir|ca...|server),... ' entry?
> 5) if the x509 directive is x509-dir, does "qemu-kvm -spice
> tls-port=12345,x509-dir=DIR,disable-ticketing" command throw the same error?
> (the same goes for per-file x509 options)
> 6) if it is indeed a problem, is it permission issue or are the files
> empty or are they invalid?
>
> (...)
>
> David
>
>
> Jodi Curtis píše v Po 12. 11. 2012 v 17:55 +0000:
> > Hi
> >
> >
> > I've used the directory correctly on qemu.conf, I've seen these
> > problems relating to Red Hat/oVirt, where it wasn't set despite being
> > set in qemu.conf, so I will probably file a bug report with Ubuntu on
> > this one.
> >
> >
> > The red-hat solution isn't valid for Ubuntu.
> >
> >
> > Thanks
> >
> > On Mon, Nov 12, 2012 at 5:49 PM, David Jaša <djasa at redhat.com> wrote:
> > Jodi Curtis píše v Po 12. 11. 2012 v 17:31 +0000:
> > > Hi
> > >
> > >
> > > Thanks, I found the method in the end, my current problem is
> > related
> > > to a problem with Ubuntu/SSL/Spice, so not really your
> > software, I
> > > have asked for help from a Linux admin, but its detailed
> > below for the
> > > record, I've gone through the key making proces twice, and
> > rebooted,
> > > obviously paths have been checked and qemu.conf has been set
> > as
> > > required
> > >
> > >
> > > ((null):2176): Spice-Warning **: reds.c:3307:reds_init_ssl:
> > Could not
> > > load certificates from server-cert.pem
> > > ((null):2176): Spice-Warning **: reds.c:3317:reds_init_ssl:
> > Could not
> > > use private key file
> > > ((null):2176): Spice-Warning **: reds.c:3325:reds_init_ssl:
> > Could not
> > > use CA file
> >
> >
> > Assuming that your cert/key files are correct and in place,
> > this looks
> > like incorrect x509-dir option of qemu cli or
> > spice_tls_x509_cert_dir
> > directive of /etc/libvirt/qemu.conf pointing to a wrong
> > directory. Just
> > a configuration issue.
> >
> > David
> >
> > >
> > >
> > > There is very little obvious on the internet, so am trying
> > to identify
> > > if its a common SSL or config problem, or if I should file a
> > bug
> > > report with Ubuntu kvm-spice
> > >
> > >
> > > Jodi
> > >
> > >
> > > On Mon, Nov 12, 2012 at 12:12 PM, David Jaša
> > <djasa at redhat.com> wrote:
> > > Hi Jodi,
> > >
> > > You can find full tls-enabled remote-viewer
> > invocation in this
> > > oVirt
> > > wiki page:
> > >
> >
> http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal
> > >
> > > David
> > >
> > >
> > > Jodi Curtis píše v Ne 11. 11. 2012 v 23:28 +0000:
> > > > Hi
> > > >
> > > >
> > > > I'm having trouble connecting to a spice server
> > with tls
> > > enabled
> > > > through virt-viewer on windows, I have tls
> > configured and a
> > > > ca-cert.pem file, but I don't know where to put
> > it, or what
> > > to use
> > > >
> > > >
> > > > I have tried various combinations of
> > > spice://192.168.2.140:590x
> > > >
> > > >
> > > > I have tried adding +ssh or +tls, I have tried
> > adding the
> > > ca-cert.pem
> > > > file to the location used by the spicec page that
> > covers how
> > > to set up
> > > > tls, and I have tried adding my username before
> > the IP.
> > > >
> > > > I have tried connecting to both ports.
> > > >
> > > >
> > > > Any help on what it should be, or if there is an
> > alternative
> > > to
> > > > virt-viewer on windows that I need to use for the
> > secure
> > > connection.
> > > >
> > > >
> > > > Thanks
> > >
> > > > _______________________________________________
> > > > Spice-devel mailing list
> > > > Spice-devel at lists.freedesktop.org
> > > >
> > http://lists.freedesktop.org/mailman/listinfo/spice-devel
> > >
> > > --
> > >
> > > David Jaša, RHCE
> > >
> > > SPICE QE based in Brno
> > > GPG Key: 22C33E24
> > > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00
> > 22C3 3E24
> > >
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Spice-devel mailing list
> > > Spice-devel at lists.freedesktop.org
> > > http://lists.freedesktop.org/mailman/listinfo/spice-devel
> >
> > --
> >
> > David Jaša, RHCE
> >
> > SPICE QE based in Brno
> > GPG Key: 22C33E24
> > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
> >
> >
> >
> >
> >
> >
>
> --
>
> David Jaša, RHCE
>
> SPICE QE based in Brno
> GPG Key: 22C33E24
> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/spice-devel/attachments/20121112/15230e88/attachment-0001.html>
More information about the Spice-devel
mailing list