[Spice-devel] virt viewer from windows to spice server with tls and certificate file problems (what uri?)
Jodi Curtis
jodi.curtis at gmail.com
Mon Nov 12 14:40:18 PST 2012
Hi I'm going through the process now logging everything I am doing.
The VM does start BTW, the problem is that it cannot open the secure
channel from remote-viewer attempts to connect, with qemu giving those
errors in VM11.log. I will post my new attempt here anyway in a little
while, with a success or failure, I've had some minor issues with the pki
directory, hence removing and and trying again with fully checked
permissions.
Thanks for the help.
On Mon, Nov 12, 2012 at 10:12 PM, David Jaša <djasa at redhat.com> wrote:
> Jodi Curtis píše v Po 12. 11. 2012 v 19:47 +0000:
> > hi
> >
> >
> > sorry I should explain that I used squealer as the server name which
> > matches the hostname, this is aliased to various ip's and domain names
> > in hosts, the usual method, I'll check the local ip is listed in there
> > though,I could try the local ip used to connect .
> >
>
> Well, all of these are side problems as long as your VMs refuse to
> start... Anyway, given that spice knows how to override the CN check
> since its very beginnings (using --spice-host-subject option), this is
> no big deal, it's just more convenient if you don't have to.
>
> >
> > yes the keys were created in the correct directory
>
> and you already stated that.
>
> The error message is pretty clear though: there is either something
> wrong with certificates themselves or qemu can not access them. If you
> can see details of all of them using CLI tools, then the certificates
> should be ok. You could verify that ultimately by trying to run
> minimalistic qemu manually:
>
> $ sudo /usr/bin/kvm -monitor stdio -spice
> tls-port=5800,x509-dir=/etc/pki/libvirt-spice,disable-ticketing
>
> you should see just a message like this:
> QEMU 0.12.1 monitor - type 'help' for more information
> (qemu)
>
> If you see the same error again, there is something wrong with
> certificates themselves. If not, verify that they are accessible to the
> qemu process - note that it may run under different user than root and
> in addition, it may be confined by SELinux or AppArmor. I can't speak
> for AppArmor but for SELinux, you may need to restore context of the
> files (and directories) to make them accessible for qemu.
>
> David
>
> >
> > On Mon, Nov 12, 2012 at 7:42 PM, David Jaša <djasa at redhat.com> wrote:
> > Jodi Curtis píše v Po 12. 11. 2012 v 18:53 +0000:
> > > Hi
> > >
> > >
> > > Package and OS
> > > ------------------------------
> > > Ubuntu 12.10
> > >
> > > qemu-kvm-spice:
> > > Installed: 1.2.0-2012.09-0ubuntu1
> > > Candidate: 1.2.0-2012.09-0ubuntu1
> > > Version table:
> > > *** 1.2.0-2012.09-0ubuntu1 0
> > > 500 http://gb.archive.ubuntu.com/ubuntu/
> > quantal/universe
> > > amd64 Packages
> > > 100 /var/lib/dpkg/status
> > >
> > >
> > > Key Creation
> > >
> > > -------------------------
> > >
> > >
> > > openssl genrsa -des3 -out ca-key.pem 1024
> > > openssl req -new -x509 -days 1095 -key ca-key.pem -out
> > ca-cert.pem
> > > -utf8 -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
> > > openssl genrsa -out server-key.pem 1024
> > > openssl req -new -key server-key.pem -out server-key.csr
> > -utf8 -subj
> > > "/C=IL/L=Raanana/O=Red Hat/CN=my server"
> >
> >
> > (side note here: you can omit C, L and O fields are redundant
> > for uses
> > outside of controlled environments but CN field should contain
> > hostname
> > or IP address of your server so that you don't need to
> > override the host
> > subject)
> >
> > > openssl x509 -req -days 1095 -in server-key.csr -CA
> > ca-cert.pem -CAkey
> > > ca-key.pem -set_serial 01 -out server-cert.pem
> > > openssl rsa -in server-key.pem -out server-key.pem.insecure
> > > mv server-key.pem server-key.pem.secure
> > > mv server-key.pem.insecure server-key.pem
> > >
> >
> >
> > here,
> >
> > >
> > > qemu.conf
> > >
> > > --------------
> > >
> > >
> > > qemu.conf configuration was attempted as default, and
> > specified using
> > > an uncommented path "/etc/pki/libvirt-spice"
> > >
> >
> >
> > here,
> >
> > >
> > > spice_tls = 1
> > >
> > > # default it to keep them in /etc/pki/libvirt-spice. This
> > directory
> > >
> > > # must contain
> > >
> > > ...
> > >
> > > #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" (using
> > the default
> > > path)
> > >
> > > spice_tls_x509_cert_dir =
> > "/etc/pki/libvirt-spice" (specifiying the
> > > path directly)
> > >
> >
> >
> > and here are the key points. Did you copy the
> > {ca,server}-{key,cert}.pem
> > files to /etc/pki/libvirt-spice?
> >
> > David
> >
> > >
> > > Permissions
> > >
> > > -------------
> > >
> > > Permissions were tested set as default (assumed root or my
> > account)
> > > and
> > >
> > > sudo chown libvirt-qemu /etc/pki/libvirt-spice/
> > >
> > > sudo chown libvirt-qemu /etc/pki/libvirt-spice/<filenames of
> > files>
> > >
> > >
> > >
> > > Error Reported
> > > -------------------------
> > >
> > >
> > > sudo nano /var/log/libvirt/qemu/VM11.log
> > >
> > >
> > > qemu: terminating on signal 15 from pid 1417
> > > 2012-11-12 18:11:24.586+0000: shutting down
> > > 2012-11-12 18:11:29.698+0000: starting up
> > > LC_ALL=C
> > >
> > PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin
> > > QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2
> > -cpu
> > > Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,
> > +cmp_legacy,
> > > +3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme
> > -enable-kvm -m
> > > 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid
> > > 35a6984d-0b77-da48-770e-a8fb0c7c284d -no-user-config
> > -nodefaults
> > > -chardev
> > >
> >
> socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait
> -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime
> -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive
> file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback
> -device
> virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3
> -drive
> file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough
> -device
> virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4
> -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device
> ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive
> file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw
> -device
> ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1
> -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device
> virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3
> -chardev pty,id=charserial0 -device
> isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0
> -spice
> port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/etc/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter
> -k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device
> virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
> > > char device redirected to /dev/pts/1
> > > ((null):1916): Spice-Warning **: reds.c:3307:reds_init_ssl:
> > Could not
> > > load certificates
> > from /etc/pki/libvirt-spice/server-cert.pem
> > > ((null):1916): Spice-Warning **: reds.c:3317:reds_init_ssl:
> > Could not
> > > use private key file
> > > ((null):1916): Spice-Warning **: reds.c:3325:reds_init_ssl:
> > Could not
> > > use CA file /etc/pki/libvirt-spice/ca-cert.pem
> > >
> > >
> > >
> > >
> > > Certificates
> > > --------------------
> > > I was able to open and read the files using the various
> > commands
> > > similar to sudo openssl x509 -noout -text -in ca-cert.pem
> > >
> > >
> > > I did wonder if it is rejecting the CA as some security
> > feature, I
> > > hope this is of use.
> > > I chose libvirt-qemu, as this is the account closed to the
> > Red
> > > Hat/Fedora account name used "qemu"
> > >
> > >
> > >
> > >
> > > Creation
> > > ---------------
> > >
> > >
> > > creation was via an XML definition followed by calling virsh
> > define
> > > <path>, virsh start VM11
> > >
> > >
> > > I have tried to keep most files inside the libvirt tree to
> > try to
> > > avoid permission errors, the configuration has two volume
> > pools,
> > > specified inside /var/lib/libvirt/local/<pool-name> (which
> > are mounted
> > > to other drives, and operate without problem)
> > >
> > >
> > > The volumes used are vmdk volumes (for performance reasons)
> > one inside
> > > each pool, for fixed allocation and sparse type allocation),
> > not that
> > > this matters but it gives you an idea of what the setup is
> > like.
> > >
> > >
> > >
> > >
> > >
> > >
> > > Location content
> > >
> > >
> > >
> > >
> > > jodic at squealer:/etc/pki/libvirt-spice$ dir
> > > ca-cert.pem server-cert.pem server-key.pem
> > > ca-key.pem server-key.csr server-key.pem.secure
> > >
> > >
> > > I could try using a location without the qemu tree to try to
> > rule out
> > > some permission problems. I'll go through it again in a
> > little bit
> > >
> > >
> > >
> > >
> > >
> > >
> > > On Mon, Nov 12, 2012 at 6:11 PM, David Jaša
> > <djasa at redhat.com> wrote:
> > > Before reporting a bug, could we rule out
> > misconfiguration
> > > possiblity
> > > entirely?
> > >
> > > 1) do you use libvirt?
> > > 2) if so, do you use system session or per-user
> > session?
> > > 3) could you look at qemu command line? If you use
> > libvirt,
> > > you'll find it in /var/log/libvirt/qemu/VM_NAME.log
> > > 4) at the libvirt command file, is there '...
> > > -spice ...,x509-(dir|ca...|server),... ' entry?
> > > 5) if the x509 directive is x509-dir, does "qemu-kvm
> > -spice
> > > tls-port=12345,x509-dir=DIR,disable-ticketing"
> > command throw
> > > the same error?
> > > (the same goes for per-file x509 options)
> > > 6) if it is indeed a problem, is it permission issue
> > or are
> > > the files empty or are they invalid?
> > >
> > > (...)
> > >
> > > David
> > >
> > >
> > > Jodi Curtis píše v Po 12. 11. 2012 v 17:55 +0000:
> > > > Hi
> > > >
> > > >
> > > > I've used the directory correctly on qemu.conf,
> > I've seen
> > > these
> > > > problems relating to Red Hat/oVirt, where it
> > wasn't set
> > > despite being
> > > > set in qemu.conf, so I will probably file a bug
> > report with
> > > Ubuntu on
> > > > this one.
> > > >
> > > >
> > > > The red-hat solution isn't valid for Ubuntu.
> > > >
> > > >
> > > > Thanks
> > > >
> > > > On Mon, Nov 12, 2012 at 5:49 PM, David Jaša
> > > <djasa at redhat.com> wrote:
> > > > Jodi Curtis píše v Po 12. 11. 2012 v 17:31
> > +0000:
> > > > > Hi
> > > > >
> > > > >
> > > > > Thanks, I found the method in the end,
> > my current
> > > problem is
> > > > related
> > > > > to a problem with Ubuntu/SSL/Spice, so
> > not really
> > > your
> > > > software, I
> > > > > have asked for help from a Linux admin,
> > but its
> > > detailed
> > > > below for the
> > > > > record, I've gone through the key making
> > proces
> > > twice, and
> > > > rebooted,
> > > > > obviously paths have been checked and
> > qemu.conf
> > > has been set
> > > > as
> > > > > required
> > > > >
> > > > >
> > > > > ((null):2176): Spice-Warning **:
> > > reds.c:3307:reds_init_ssl:
> > > > Could not
> > > > > load certificates from server-cert.pem
> > > > > ((null):2176): Spice-Warning **:
> > > reds.c:3317:reds_init_ssl:
> > > > Could not
> > > > > use private key file
> > > > > ((null):2176): Spice-Warning **:
> > > reds.c:3325:reds_init_ssl:
> > > > Could not
> > > > > use CA file
> > > >
> > > >
> > > > Assuming that your cert/key files are
> > correct and in
> > > place,
> > > > this looks
> > > > like incorrect x509-dir option of qemu cli
> > or
> > > > spice_tls_x509_cert_dir
> > > > directive of /etc/libvirt/qemu.conf
> > pointing to a
> > > wrong
> > > > directory. Just
> > > > a configuration issue.
> > > >
> > > > David
> > > >
> > > > >
> > > > >
> > > > > There is very little obvious on the
> > internet, so
> > > am trying
> > > > to identify
> > > > > if its a common SSL or config problem,
> > or if I
> > > should file a
> > > > bug
> > > > > report with Ubuntu kvm-spice
> > > > >
> > > > >
> > > > > Jodi
> > > > >
> > > > >
> > > > > On Mon, Nov 12, 2012 at 12:12 PM, David
> > Jaša
> > > > <djasa at redhat.com> wrote:
> > > > > Hi Jodi,
> > > > >
> > > > > You can find full tls-enabled
> > > remote-viewer
> > > > invocation in this
> > > > > oVirt
> > > > > wiki page:
> > > > >
> > > >
> > >
> >
> http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal
> > > > >
> > > > > David
> > > > >
> > > > >
> > > > > Jodi Curtis píše v Ne 11. 11.
> > 2012 v 23:28
> > > +0000:
> > > > > > Hi
> > > > > >
> > > > > >
> > > > > > I'm having trouble connecting
> > to a spice
> > > server
> > > > with tls
> > > > > enabled
> > > > > > through virt-viewer on
> > windows, I have
> > > tls
> > > > configured and a
> > > > > > ca-cert.pem file, but I don't
> > know where
> > > to put
> > > > it, or what
> > > > > to use
> > > > > >
> > > > > >
> > > > > > I have tried various
> > combinations of
> > > > > spice://192.168.2.140:590x
> > > > > >
> > > > > >
> > > > > > I have tried adding +ssh or
> > +tls, I have
> > > tried
> > > > adding the
> > > > > ca-cert.pem
> > > > > > file to the location used by
> > the spicec
> > > page that
> > > > covers how
> > > > > to set up
> > > > > > tls, and I have tried adding
> > my username
> > > before
> > > > the IP.
> > > > > >
> > > > > > I have tried connecting to
> > both ports.
> > > > > >
> > > > > >
> > > > > > Any help on what it should be,
> > or if
> > > there is an
> > > > alternative
> > > > > to
> > > > > > virt-viewer on windows that I
> > need to
> > > use for the
> > > > secure
> > > > > connection.
> > > > > >
> > > > > >
> > > > > > Thanks
> > > > >
> > > > > >
> > > _______________________________________________
> > > > > > Spice-devel mailing list
> > > > > >
> > Spice-devel at lists.freedesktop.org
> > > > > >
> > > >
> > >
> > http://lists.freedesktop.org/mailman/listinfo/spice-devel
> > > > >
> > > > > --
> > > > >
> > > > > David Jaša, RHCE
> > > > >
> > > > > SPICE QE based in Brno
> > > > > GPG Key: 22C33E24
> > > > > Fingerprint: 513A 060B D1B4 2A72
> > 7F0D 0278
> > > B125 CD00
> > > > 22C3 3E24
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > _______________________________________________
> > > > > Spice-devel mailing list
> > > > > Spice-devel at lists.freedesktop.org
> > > > >
> > >
> > http://lists.freedesktop.org/mailman/listinfo/spice-devel
> > > >
> > > > --
> > > >
> > > > David Jaša, RHCE
> > > >
> > > > SPICE QE based in Brno
> > > > GPG Key: 22C33E24
> > > > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278
> > B125 CD00
> > > 22C3 3E24
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > > --
> > >
> > > David Jaša, RHCE
> > >
> > > SPICE QE based in Brno
> > > GPG Key: 22C33E24
> > > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00
> > 22C3 3E24
> > >
> > >
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Spice-devel mailing list
> > > Spice-devel at lists.freedesktop.org
> > > http://lists.freedesktop.org/mailman/listinfo/spice-devel
> >
> > --
> >
> > David Jaša, RHCE
> >
> > SPICE QE based in Brno
> > GPG Key: 22C33E24
> > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
> >
> >
> >
> >
> >
> >
> > _______________________________________________
> > Spice-devel mailing list
> > Spice-devel at lists.freedesktop.org
> > http://lists.freedesktop.org/mailman/listinfo/spice-devel
>
> --
>
> David Jaša, RHCE
>
> SPICE QE based in Brno
> GPG Key: 22C33E24
> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/spice-devel/attachments/20121112/b3ab389a/attachment-0001.html>
More information about the Spice-devel
mailing list