[Spice-devel] virt viewer from windows to spice server with tls and certificate file problems (what uri?)

David Jaša djasa at redhat.com
Mon Nov 12 11:42:39 PST 2012


Jodi Curtis píše v Po 12. 11. 2012 v 18:53 +0000:
> Hi
> 
> 
> Package and OS
> ------------------------------
> Ubuntu 12.10
> 
> qemu-kvm-spice:
>   Installed: 1.2.0-2012.09-0ubuntu1
>   Candidate: 1.2.0-2012.09-0ubuntu1
>   Version table:
>  *** 1.2.0-2012.09-0ubuntu1 0
>         500 http://gb.archive.ubuntu.com/ubuntu/ quantal/universe
> amd64 Packages
>         100 /var/lib/dpkg/status
> 
> 
> Key Creation
> 
> -------------------------
> 
> 
> openssl genrsa -des3 -out ca-key.pem 1024
> openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem
> -utf8 -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
> openssl genrsa -out server-key.pem 1024
> openssl req -new -key server-key.pem -out server-key.csr -utf8 -subj
> "/C=IL/L=Raanana/O=Red Hat/CN=my server"

(side note here: you can omit C, L and O fields are redundant for uses
outside of controlled environments but CN field should contain hostname
or IP address of your server so that you don't need to override the host
subject)

> openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey
> ca-key.pem -set_serial 01 -out server-cert.pem
> openssl rsa -in server-key.pem -out server-key.pem.insecure
> mv server-key.pem server-key.pem.secure
> mv server-key.pem.insecure server-key.pem
> 

here,

> 
> qemu.conf
> 
> --------------
> 
> 
> qemu.conf configuration was attempted as default, and specified using
> an uncommented path "/etc/pki/libvirt-spice"
> 

here,

> 
> spice_tls = 1
> 
> # default it to keep them in /etc/pki/libvirt-spice. This directory
> 
> # must contain
> 
> ...
> 
> #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" (using the default
> path)
> 
> spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" (specifiying the
> path directly)
> 

and here are the key points. Did you copy the {ca,server}-{key,cert}.pem
files to /etc/pki/libvirt-spice?

David

> 
> Permissions
> 
> -------------
> 
> Permissions were tested set as default (assumed root or my account)
> and
> 
> sudo chown libvirt-qemu /etc/pki/libvirt-spice/
> 
> sudo chown libvirt-qemu /etc/pki/libvirt-spice/<filenames of files>
> 
> 
> 
> Error Reported
> -------------------------
> 
> 
> sudo nano /var/log/libvirt/qemu/VM11.log
> 
> 
> qemu: terminating on signal 15 from pid 1417
> 2012-11-12 18:11:24.586+0000: shutting down
> 2012-11-12 18:11:29.698+0000: starting up
> LC_ALL=C
> PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin
> QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2 -cpu
> Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,+cmp_legacy,
> +3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme -enable-kvm -m
> 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid
> 35a6984d-0b77-da48-770e-a8fb0c7c284d -no-user-config -nodefaults
> -chardev
> socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3 -drive file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4 -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1 -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -spice port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/etc/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter -k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
> char device redirected to /dev/pts/1
> ((null):1916): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not
> load certificates from /etc/pki/libvirt-spice/server-cert.pem
> ((null):1916): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not
> use private key file
> ((null):1916): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not
> use CA file /etc/pki/libvirt-spice/ca-cert.pem
> 
> 
> 
> 
> Certificates
> --------------------
> I was able to open and read the files using the various commands
> similar to sudo openssl x509 -noout -text -in ca-cert.pem
> 
> 
> I did wonder if it is rejecting the CA as some security feature, I
> hope this is of use.
> I chose libvirt-qemu, as this is the account closed to the Red
> Hat/Fedora account name used "qemu"
> 
> 
> 
> 
> Creation
> ---------------
> 
> 
> creation was via an XML definition followed by calling virsh define
> <path>, virsh start VM11
> 
> 
> I have tried to keep most files inside the libvirt tree to try to
> avoid permission errors, the configuration has two volume pools,
> specified inside /var/lib/libvirt/local/<pool-name> (which are mounted
> to other drives, and operate without problem)
> 
> 
> The volumes used are vmdk volumes (for performance reasons) one inside
> each pool, for fixed allocation and sparse type allocation), not that
> this matters but it gives you an idea of what the setup is like.
> 
> 
> 
> 
> 
> 
> Location content
> 
> 
> 
> 
> jodic at squealer:/etc/pki/libvirt-spice$ dir
> ca-cert.pem  server-cert.pem  server-key.pem
> ca-key.pem   server-key.csr   server-key.pem.secure
> 
> 
> I could try using a location without the qemu tree to try to rule out
> some permission problems. I'll go through it again in a little bit
> 
> 
> 
> 
> 
> 
> On Mon, Nov 12, 2012 at 6:11 PM, David Jaša <djasa at redhat.com> wrote:
>         Before reporting a bug, could we rule out misconfiguration
>         possiblity
>         entirely?
>         
>         1) do you use libvirt?
>         2) if so, do you use system session or per-user session?
>         3) could you look at qemu command line? If you use libvirt,
>         you'll find it in /var/log/libvirt/qemu/VM_NAME.log
>         4) at the libvirt command file, is there '...
>         -spice ...,x509-(dir|ca...|server),... ' entry?
>         5) if the x509 directive is x509-dir, does "qemu-kvm -spice
>         tls-port=12345,x509-dir=DIR,disable-ticketing" command throw
>         the same error?
>            (the same goes for per-file x509 options)
>         6) if it is indeed a problem, is it permission issue or are
>         the files empty or are they invalid?
>         
>         (...)
>         
>         David
>         
>         
>         Jodi Curtis píše v Po 12. 11. 2012 v 17:55 +0000:
>         > Hi
>         >
>         >
>         > I've used the directory correctly on qemu.conf, I've seen
>         these
>         > problems relating to Red Hat/oVirt, where it wasn't set
>         despite being
>         > set in qemu.conf, so I will probably file a bug report with
>         Ubuntu on
>         > this one.
>         >
>         >
>         > The red-hat solution isn't valid for Ubuntu.
>         >
>         >
>         > Thanks
>         >
>         > On Mon, Nov 12, 2012 at 5:49 PM, David Jaša
>         <djasa at redhat.com> wrote:
>         >         Jodi Curtis píše v Po 12. 11. 2012 v 17:31 +0000:
>         >         > Hi
>         >         >
>         >         >
>         >         > Thanks, I found the method in the end, my current
>         problem is
>         >         related
>         >         > to a problem with Ubuntu/SSL/Spice, so not really
>         your
>         >         software, I
>         >         > have asked for help from a Linux admin, but its
>         detailed
>         >         below for the
>         >         > record, I've gone through the key making proces
>         twice, and
>         >         rebooted,
>         >         > obviously paths have been checked and qemu.conf
>         has been set
>         >         as
>         >         > required
>         >         >
>         >         >
>         >         > ((null):2176): Spice-Warning **:
>         reds.c:3307:reds_init_ssl:
>         >         Could not
>         >         > load certificates from server-cert.pem
>         >         > ((null):2176): Spice-Warning **:
>         reds.c:3317:reds_init_ssl:
>         >         Could not
>         >         > use private key file
>         >         > ((null):2176): Spice-Warning **:
>         reds.c:3325:reds_init_ssl:
>         >         Could not
>         >         > use CA file
>         >
>         >
>         >         Assuming that your cert/key files are correct and in
>         place,
>         >         this looks
>         >         like incorrect x509-dir option of qemu cli or
>         >         spice_tls_x509_cert_dir
>         >         directive of /etc/libvirt/qemu.conf pointing to a
>         wrong
>         >         directory. Just
>         >         a configuration issue.
>         >
>         >         David
>         >
>         >         >
>         >         >
>         >         > There is very little obvious on the internet, so
>         am trying
>         >         to identify
>         >         > if its a common SSL or config problem, or if I
>         should file a
>         >         bug
>         >         > report with Ubuntu kvm-spice
>         >         >
>         >         >
>         >         > Jodi
>         >         >
>         >         >
>         >         > On Mon, Nov 12, 2012 at 12:12 PM, David Jaša
>         >         <djasa at redhat.com> wrote:
>         >         >         Hi Jodi,
>         >         >
>         >         >         You can find full tls-enabled
>         remote-viewer
>         >         invocation in this
>         >         >         oVirt
>         >         >         wiki page:
>         >         >
>         >
>         http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal
>         >         >
>         >         >         David
>         >         >
>         >         >
>         >         >         Jodi Curtis píše v Ne 11. 11. 2012 v 23:28
>         +0000:
>         >         >         > Hi
>         >         >         >
>         >         >         >
>         >         >         > I'm having trouble connecting to a spice
>         server
>         >         with tls
>         >         >         enabled
>         >         >         > through virt-viewer on windows, I have
>         tls
>         >         configured and a
>         >         >         > ca-cert.pem file, but I don't know where
>         to put
>         >         it, or what
>         >         >         to use
>         >         >         >
>         >         >         >
>         >         >         > I have tried various combinations of
>         >         >         spice://192.168.2.140:590x
>         >         >         >
>         >         >         >
>         >         >         > I have tried adding +ssh or +tls, I have
>         tried
>         >         adding the
>         >         >         ca-cert.pem
>         >         >         > file to the location used by the spicec
>         page that
>         >         covers how
>         >         >         to set up
>         >         >         > tls, and I have tried adding my username
>         before
>         >         the IP.
>         >         >         >
>         >         >         > I have tried connecting to both ports.
>         >         >         >
>         >         >         >
>         >         >         > Any help on what it should be, or if
>         there is an
>         >         alternative
>         >         >         to
>         >         >         > virt-viewer on windows that I need to
>         use for the
>         >         secure
>         >         >         connection.
>         >         >         >
>         >         >         >
>         >         >         > Thanks
>         >         >
>         >         >         >
>         _______________________________________________
>         >         >         > Spice-devel mailing list
>         >         >         > Spice-devel at lists.freedesktop.org
>         >         >         >
>         >
>         http://lists.freedesktop.org/mailman/listinfo/spice-devel
>         >         >
>         >         >         --
>         >         >
>         >         >         David Jaša, RHCE
>         >         >
>         >         >         SPICE QE based in Brno
>         >         >         GPG Key:     22C33E24
>         >         >         Fingerprint: 513A 060B D1B4 2A72 7F0D 0278
>         B125 CD00
>         >         22C3 3E24
>         >         >
>         >         >
>         >         >
>         >         >
>         >         >
>         >         > _______________________________________________
>         >         > Spice-devel mailing list
>         >         > Spice-devel at lists.freedesktop.org
>         >         >
>         http://lists.freedesktop.org/mailman/listinfo/spice-devel
>         >
>         >         --
>         >
>         >         David Jaša, RHCE
>         >
>         >         SPICE QE based in Brno
>         >         GPG Key:     22C33E24
>         >         Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00
>         22C3 3E24
>         >
>         >
>         >
>         >
>         >
>         >
>         
>         --
>         
>         David Jaša, RHCE
>         
>         SPICE QE based in Brno
>         GPG Key:     22C33E24
>         Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>         
>         
>         
>         
> 
> 
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/spice-devel

-- 

David Jaša, RHCE

SPICE QE based in Brno
GPG Key:     22C33E24 
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24





More information about the Spice-devel mailing list