[Spice-devel] virt viewer from windows to spice server with tls and certificate file problems (what uri?)
Jodi Curtis
jodi.curtis at gmail.com
Mon Nov 12 15:33:40 PST 2012
Hi
Copy of attempt so far, hopefully this will be useful to have online, I
will carry on tomorrow!
/etc/hostname
squealer
/etc/hosts
127.0.0.1 localhost squealer squealer.maiakaat.co.uk maiakaat.co.uk
www.maiakaat.co.uk
192.168.2.140 localhost squealer squealer.maiakaat.co.uk maiakaat.co.uk
www.maiakaat.co.uk
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:107::/nonexistent:/bin/false
landscape:x:104:110::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
libvirt-qemu:x:106:106:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
libvirt-dnsmasq:x:107:112:Libvirt
Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
jodic:x:1000:1000:jodic,,,:/home/jodic:/bin/bash
cd /var/lib/libvirt
sudo ls -l
drwx--x--x 2 root root 4096 Oct 6 01:58 boot
drwxr-xr-x 2 root root 4096 Oct 30 21:06 dnsmasq
drwxr-xr-x 2 libvirt-qemu root 4096 Oct 31 06:11 drivers
drwx--x--x 2 root root 4096 Oct 6 01:58 images
drwxr-xr-x 5 libvirt-qemu root 4096 Nov 1 12:56 local
drwxr-xr-x 2 root root 4096 Nov 12 18:03 network
drwxr-x--- 5 libvirt-qemu kvm 4096 Nov 12 18:11 qemu
drwx------ 2 root root 4096 Oct 6 01:58 sanlock
drwxr-xr-x 5 libvirt-qemu root 4096 Oct 31 06:22 shared
#drivers to be forwarded as filesystem element with Windows drivers
#local contains volume pools(2) for VM volumes, and all xml files used to
create VM's volumes and pools.
sudo usermod -a -G root,kvm jodic
chmod 775 /var/lib/libvirt/qemu
#temporary change
#libvirt directory permissions are drwxr-xr-x
sudo mkdir /var/lib/libvirt/pki
sudo mkdir /var/lib/libvirt/pki/libvirt-spice
sudo nano /etc/libvirt/qemu.conf
spice_tls = 1
spice_tls_x509_cert_dir = "/var/lib/libvirt/pki/libvirt-spice"
cd /var/lib/libvirt/pki/libvirt-spice
sudo openssl genrsa -des3 -out ca-key.pem 1024
sudo openssl req -new -x509 -days 750 -key ca-key.pem -out ca-cert.pem
-utf8 -subj "/CN=Self Signed"
sudo openssl genrsa -out server-key.pem 1024
sudo openssl req -new -key server-key.pem -out server-key.csr -utf8 -subj
"/CN=squealer"
sudo openssl x509 -req -days 750 -in server-key.csr -CA ca-cert.pem -CAkey
ca-key.pem -set_serial 01 -out server-cert.pem
sudo openssl rsa -in server-key.pem -out server-key.pem.insecure
sudo mv server-key.pem server-key.pem.secure
sudo mv server-key.pem.insecure server-key.pem
sudo chown libvirt-qemu /var/lib/libvirt/pki
sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice
sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-key.pem
sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
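#temporary change while debugging: 775 makes the files below, including the private key server-key.pem, readable by every local user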
sudo chmod 775 /var/lib/libvirt/pki
sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice
sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/server-key.pem
sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
sudo virsh destroy VM11
sudo virsh undefine VM11
sudo shutdown -r now
#don't know how to restart service for re-read of qemu.conf in Ubuntu
#Ubuntu offering 28 updates - none related to virtualization at all
sudo apt-get update
sudo apt-get upgrade
sudo virsh define /var/lib/libvirt/local/xml/default-revision7.xml
#defined VM11
sudo virsh start VM11
#started VM11 23:14 ish UK time
sudo /var/log/libvirt/qemu/qemu.conf
2012-11-12 23:13:44.233+0000: starting up
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin
QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2 -cpu
Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,+cmp_legacy,+3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme
-enable-kvm -m 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid
35a6984d-0b77-da48-770e-a8fb0c7c284d -no-user-config -nodefaults -chardev
socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait
-mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime
-no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive
file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback
-device
virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3
-drive
file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough
-device
virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4
-drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device
ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive
file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw
-device
ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1
-netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device
virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3
-chardev pty,id=charserial0 -device
isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0
-spice
port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/var/lib/libvirt/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter
-k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device
virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
char device redirected to /dev/pts/2
((null):8891): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load
certificates from /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
((null):8891): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use
private key file
((null):8891): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use
CA file /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
sudo virsh destroy VM11
#destroyed
$ sudo /usr/bin/kvm-spice -monitor stdio -spice
tls-port=5800,x509-dir=/etc/pki/libvirt-spice,disable-ticketing
#output
QEMU 0.12.0 monitor - type 'help' for more information
(qemu)
"If you see the same error again, there is something wrong with
certificates themselves. If not, verify that they are accessible to the
qemu process - note that it may run under different user than root and
in addition, it may be confined by SELinux or AppArmor. I can't speak
for AppArmor but for SELinux, you may need to restore context of the
files (and directories) to make them accessible for qemu."
I'll begin looking at the permissions and security tomorrow, although it's
stretching my
knowledge of Linux here; I guess the only way to learn is to do, though.
I will likely set up my vm's without security for now (they are local only)
to have something I can dev on etc
These are nfs (if the passthrough bug in ubuntu kvm-spice doesn't affect
the passthrough of a logical volume to the guest), repos (source code),
build and dev desktop
Thanks again for all the help
On Mon, Nov 12, 2012 at 10:40 PM, Jodi Curtis <jodi.curtis at gmail.com> wrote:
> Hi I'm going through the process now logging everything I am doing.
>
> The VM does start BTW, the problem is that it cannot open the secure
> channel from remote-viewer attempts to connect, with qemu giving those
> errors in VM11.log. I will post my new attempt here anyway in a little
> while, with a success or failure, I've had some minor issues with the pki
> directory, hence removing and trying again with fully checked
> permissions.
>
> Thanks for the help.
>
>
> On Mon, Nov 12, 2012 at 10:12 PM, David Jaša <djasa at redhat.com> wrote:
>
>> Jodi Curtis píše v Po 12. 11. 2012 v 19:47 +0000:
>> > hi
>> >
>> >
>> > sorry I should explain that I used squealer as the server name which
>> > matches the hostname, this is aliased to various ip's and domain names
>> > in hosts, the usual method, I'll check the local ip is listed in there
>> > though,I could try the local ip used to connect .
>> >
>>
>> Well, all of these are side problems as long as your VMs refuse to
>> start... Anyway, given that spice knows how to override the CN check
>> since its very beginnings (using --spice-host-subject option), this is
>> no big deal, it's just more convenient if you don't have to.
>>
>> >
>> > yes the keys were created in the correct directory
>>
>> and you already stated that.
>>
>> The error message is pretty clear though: there is either something
>> wrong with certificates themselves or qemu can not access them. If you
>> can see details of all of them using CLI tools, then the certificates
>> should be ok. You could verify that ultimately by trying to run
>> minimalistic qemu manually:
>>
>> $ sudo /usr/bin/kvm -monitor stdio -spice
>> tls-port=5800,x509-dir=/etc/pki/libvirt-spice,disable-ticketing
>>
>> you should see just a message like this:
>> QEMU 0.12.1 monitor - type 'help' for more information
>> (qemu)
>>
>> If you see the same error again, there is something wrong with
>> certificates themselves. If not, verify that they are accessible to the
>> qemu process - note that it may run under different user than root and
>> in addition, it may be confined by SELinux or AppArmor. I can't speak
>> for AppArmor but for SELinux, you may need to restore context of the
>> files (and directories) to make them accessible for qemu.
>>
>> David
>>
>> >
>> > On Mon, Nov 12, 2012 at 7:42 PM, David Jaša <djasa at redhat.com> wrote:
>> > Jodi Curtis píše v Po 12. 11. 2012 v 18:53 +0000:
>> > > Hi
>> > >
>> > >
>> > > Package and OS
>> > > ------------------------------
>> > > Ubuntu 12.10
>> > >
>> > > qemu-kvm-spice:
>> > > Installed: 1.2.0-2012.09-0ubuntu1
>> > > Candidate: 1.2.0-2012.09-0ubuntu1
>> > > Version table:
>> > > *** 1.2.0-2012.09-0ubuntu1 0
>> > > 500 http://gb.archive.ubuntu.com/ubuntu/
>> > quantal/universe
>> > > amd64 Packages
>> > > 100 /var/lib/dpkg/status
>> > >
>> > >
>> > > Key Creation
>> > >
>> > > -------------------------
>> > >
>> > >
>> > > openssl genrsa -des3 -out ca-key.pem 1024
>> > > openssl req -new -x509 -days 1095 -key ca-key.pem -out
>> > ca-cert.pem
>> > > -utf8 -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
>> > > openssl genrsa -out server-key.pem 1024
>> > > openssl req -new -key server-key.pem -out server-key.csr
>> > -utf8 -subj
>> > > "/C=IL/L=Raanana/O=Red Hat/CN=my server"
>> >
>> >
>> > (side note here: you can omit the C, L and O fields, they are
>> > redundant for uses outside of controlled environments, but the CN
>> > field should contain the hostname or IP address of your server so
>> > that you don't need to override the host subject)
>> >
>> > > openssl x509 -req -days 1095 -in server-key.csr -CA
>> > ca-cert.pem -CAkey
>> > > ca-key.pem -set_serial 01 -out server-cert.pem
>> > > openssl rsa -in server-key.pem -out server-key.pem.insecure
>> > > mv server-key.pem server-key.pem.secure
>> > > mv server-key.pem.insecure server-key.pem
>> > >
>> >
>> >
>> > here,
>> >
>> > >
>> > > qemu.conf
>> > >
>> > > --------------
>> > >
>> > >
>> > > qemu.conf configuration was attempted as default, and
>> > specified using
>> > > an uncommented path "/etc/pki/libvirt-spice"
>> > >
>> >
>> >
>> > here,
>> >
>> > >
>> > > spice_tls = 1
>> > >
>> > > # default it to keep them in /etc/pki/libvirt-spice. This
>> > directory
>> > >
>> > > # must contain
>> > >
>> > > ...
>> > >
>> > > #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" (using
>> > the default
>> > > path)
>> > >
>> > > spice_tls_x509_cert_dir =
>> > "/etc/pki/libvirt-spice" (specifying the
>> > > path directly)
>> > >
>> >
>> >
>> > and here are the key points. Did you copy the
>> > {ca,server}-{key,cert}.pem
>> > files to /etc/pki/libvirt-spice?
>> >
>> > David
>> >
>> > >
>> > > Permissions
>> > >
>> > > -------------
>> > >
>> > > Permissions were tested set as default (assumed root or my
>> > account)
>> > > and
>> > >
>> > > sudo chown libvirt-qemu /etc/pki/libvirt-spice/
>> > >
>> > > sudo chown libvirt-qemu /etc/pki/libvirt-spice/<filenames of
>> > files>
>> > >
>> > >
>> > >
>> > > Error Reported
>> > > -------------------------
>> > >
>> > >
>> > > sudo nano /var/log/libvirt/qemu/VM11.log
>> > >
>> > >
>> > > qemu: terminating on signal 15 from pid 1417
>> > > 2012-11-12 18:11:24.586+0000: shutting down
>> > > 2012-11-12 18:11:29.698+0000: starting up
>> > > LC_ALL=C
>> > >
>> >
>> PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin
>> > > QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2
>> > -cpu
>> > > Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,
>> > +cmp_legacy,
>> > > +3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme
>> > -enable-kvm -m
>> > > 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid
>> > > 35a6984d-0b77-da48-770e-a8fb0c7c284d -no-user-config
>> > -nodefaults
>> > > -chardev
>> > >
>> >
>> socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait
>> -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime
>> -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive
>> file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback
>> -device
>> virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3
>> -drive
>> file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough
>> -device
>> virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4
>> -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device
>> ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive
>> file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw
>> -device
>> ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1
>> -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device
>> virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3
>> -chardev pty,id=charserial0 -device
>> isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0
>> -spice
>> port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/etc/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter
>> -k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device
>> virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
>> > > char device redirected to /dev/pts/1
>> > > ((null):1916): Spice-Warning **: reds.c:3307:reds_init_ssl:
>> > Could not
>> > > load certificates
>> > from /etc/pki/libvirt-spice/server-cert.pem
>> > > ((null):1916): Spice-Warning **: reds.c:3317:reds_init_ssl:
>> > Could not
>> > > use private key file
>> > > ((null):1916): Spice-Warning **: reds.c:3325:reds_init_ssl:
>> > Could not
>> > > use CA file /etc/pki/libvirt-spice/ca-cert.pem
>> > >
>> > >
>> > >
>> > >
>> > > Certificates
>> > > --------------------
>> > > I was able to open and read the files using the various
>> > commands
>> > > similar to sudo openssl x509 -noout -text -in ca-cert.pem
>> > >
>> > >
>> > > I did wonder if it is rejecting the CA as some security
>> > feature, I
>> > > hope this is of use.
>> > > I chose libvirt-qemu, as this is the account closest to the
>> > Red
>> > > Hat/Fedora account name used "qemu"
>> > >
>> > >
>> > >
>> > >
>> > > Creation
>> > > ---------------
>> > >
>> > >
>> > > creation was via an XML definition followed by calling virsh
>> > define
>> > > <path>, virsh start VM11
>> > >
>> > >
>> > > I have tried to keep most files inside the libvirt tree to
>> > try to
>> > > avoid permission errors, the configuration has two volume
>> > pools,
>> > > specified inside /var/lib/libvirt/local/<pool-name> (which
>> > are mounted
>> > > to other drives, and operate without problem)
>> > >
>> > >
>> > > The volumes used are vmdk volumes (for performance reasons)
>> > one inside
>> > > each pool, for fixed allocation and sparse type allocation),
>> > not that
>> > > this matters but it gives you an idea of what the setup is
>> > like.
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > Location content
>> > >
>> > >
>> > >
>> > >
>> > > jodic at squealer:/etc/pki/libvirt-spice$ dir
>> > > ca-cert.pem server-cert.pem server-key.pem
>> > > ca-key.pem server-key.csr server-key.pem.secure
>> > >
>> > >
>> > > I could try using a location without the qemu tree to try to
>> > rule out
>> > > some permission problems. I'll go through it again in a
>> > little bit
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > On Mon, Nov 12, 2012 at 6:11 PM, David Jaša
>> > <djasa at redhat.com> wrote:
>> > > Before reporting a bug, could we rule out
>> > misconfiguration
>> > > possibility
>> > > entirely?
>> > >
>> > > 1) do you use libvirt?
>> > > 2) if so, do you use system session or per-user
>> > session?
>> > > 3) could you look at qemu command line? If you use
>> > libvirt,
>> > > you'll find it in /var/log/libvirt/qemu/VM_NAME.log
>> > > 4) at the libvirt command file, is there '...
>> > > -spice ...,x509-(dir|ca...|server),... ' entry?
>> > > 5) if the x509 directive is x509-dir, does "qemu-kvm
>> > -spice
>> > > tls-port=12345,x509-dir=DIR,disable-ticketing"
>> > command throw
>> > > the same error?
>> > > (the same goes for per-file x509 options)
>> > > 6) if it is indeed a problem, is it permission issue
>> > or are
>> > > the files empty or are they invalid?
>> > >
>> > > (...)
>> > >
>> > > David
>> > >
>> > >
>> > > Jodi Curtis píše v Po 12. 11. 2012 v 17:55 +0000:
>> > > > Hi
>> > > >
>> > > >
>> > > > I've used the directory correctly on qemu.conf,
>> > I've seen
>> > > these
>> > > > problems relating to Red Hat/oVirt, where it
>> > wasn't set
>> > > despite being
>> > > > set in qemu.conf, so I will probably file a bug
>> > report with
>> > > Ubuntu on
>> > > > this one.
>> > > >
>> > > >
>> > > > The red-hat solution isn't valid for Ubuntu.
>> > > >
>> > > >
>> > > > Thanks
>> > > >
>> > > > On Mon, Nov 12, 2012 at 5:49 PM, David Jaša
>> > > <djasa at redhat.com> wrote:
>> > > > Jodi Curtis píše v Po 12. 11. 2012 v 17:31
>> > +0000:
>> > > > > Hi
>> > > > >
>> > > > >
>> > > > > Thanks, I found the method in the end,
>> > my current
>> > > problem is
>> > > > related
>> > > > > to a problem with Ubuntu/SSL/Spice, so
>> > not really
>> > > your
>> > > > software, I
>> > > > > have asked for help from a Linux admin,
>> > but its
>> > > detailed
>> > > > below for the
>> > > > > record, I've gone through the key making
>> > process
>> > > twice, and
>> > > > rebooted,
>> > > > > obviously paths have been checked and
>> > qemu.conf
>> > > has been set
>> > > > as
>> > > > > required
>> > > > >
>> > > > >
>> > > > > ((null):2176): Spice-Warning **:
>> > > reds.c:3307:reds_init_ssl:
>> > > > Could not
>> > > > > load certificates from server-cert.pem
>> > > > > ((null):2176): Spice-Warning **:
>> > > reds.c:3317:reds_init_ssl:
>> > > > Could not
>> > > > > use private key file
>> > > > > ((null):2176): Spice-Warning **:
>> > > reds.c:3325:reds_init_ssl:
>> > > > Could not
>> > > > > use CA file
>> > > >
>> > > >
>> > > > Assuming that your cert/key files are
>> > correct and in
>> > > place,
>> > > > this looks
>> > > > like incorrect x509-dir option of qemu cli
>> > or
>> > > > spice_tls_x509_cert_dir
>> > > > directive of /etc/libvirt/qemu.conf
>> > pointing to a
>> > > wrong
>> > > > directory. Just
>> > > > a configuration issue.
>> > > >
>> > > > David
>> > > >
>> > > > >
>> > > > >
>> > > > > There is very little obvious on the
>> > internet, so
>> > > am trying
>> > > > to identify
>> > > > > if its a common SSL or config problem,
>> > or if I
>> > > should file a
>> > > > bug
>> > > > > report with Ubuntu kvm-spice
>> > > > >
>> > > > >
>> > > > > Jodi
>> > > > >
>> > > > >
>> > > > > On Mon, Nov 12, 2012 at 12:12 PM, David
>> > Jaša
>> > > > <djasa at redhat.com> wrote:
>> > > > > Hi Jodi,
>> > > > >
>> > > > > You can find full tls-enabled
>> > > remote-viewer
>> > > > invocation in this
>> > > > > oVirt
>> > > > > wiki page:
>> > > > >
>> > > >
>> > >
>> >
>> http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal
>> > > > >
>> > > > > David
>> > > > >
>> > > > >
>> > > > > Jodi Curtis píše v Ne 11. 11.
>> > 2012 v 23:28
>> > > +0000:
>> > > > > > Hi
>> > > > > >
>> > > > > >
>> > > > > > I'm having trouble connecting
>> > to a spice
>> > > server
>> > > > with tls
>> > > > > enabled
>> > > > > > through virt-viewer on
>> > windows, I have
>> > > tls
>> > > > configured and a
>> > > > > > ca-cert.pem file, but I don't
>> > know where
>> > > to put
>> > > > it, or what
>> > > > > to use
>> > > > > >
>> > > > > >
>> > > > > > I have tried various
>> > combinations of
>> > > > > spice://192.168.2.140:590x
>> > > > > >
>> > > > > >
>> > > > > > I have tried adding +ssh or
>> > +tls, I have
>> > > tried
>> > > > adding the
>> > > > > ca-cert.pem
>> > > > > > file to the location used by
>> > the spicec
>> > > page that
>> > > > covers how
>> > > > > to set up
>> > > > > > tls, and I have tried adding
>> > my username
>> > > before
>> > > > the IP.
>> > > > > >
>> > > > > > I have tried connecting to
>> > both ports.
>> > > > > >
>> > > > > >
>> > > > > > Any help on what it should be,
>> > or if
>> > > there is an
>> > > > alternative
>> > > > > to
>> > > > > > virt-viewer on windows that I
>> > need to
>> > > use for the
>> > > > secure
>> > > > > connection.
>> > > > > >
>> > > > > >
>> > > > > > Thanks
>> > > > >
>> > > > > >
>> > > _______________________________________________
>> > > > > > Spice-devel mailing list
>> > > > > >
>> > Spice-devel at lists.freedesktop.org
>> > > > > >
>> > > >
>> > >
>> > http://lists.freedesktop.org/mailman/listinfo/spice-devel
>> > > > >
>> > > > > --
>> > > > >
>> > > > > David Jaša, RHCE
>> > > > >
>> > > > > SPICE QE based in Brno
>> > > > > GPG Key: 22C33E24
>> > > > > Fingerprint: 513A 060B D1B4 2A72
>> > 7F0D 0278
>> > > B125 CD00
>> > > > 22C3 3E24
>> > > > >
>> > > > >
>> > > > >
>> > > > >
>> > > > >
>> > > > >
>> > _______________________________________________
>> > > > > Spice-devel mailing list
>> > > > > Spice-devel at lists.freedesktop.org
>> > > > >
>> > >
>> > http://lists.freedesktop.org/mailman/listinfo/spice-devel
>> > > >
>> > > > --
>> > > >
>> > > > David Jaša, RHCE
>> > > >
>> > > > SPICE QE based in Brno
>> > > > GPG Key: 22C33E24
>> > > > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278
>> > B125 CD00
>> > > 22C3 3E24
>> > > >
>> > > >
>> > > >
>> > > >
>> > > >
>> > > >
>> > >
>> > > --
>> > >
>> > > David Jaša, RHCE
>> > >
>> > > SPICE QE based in Brno
>> > > GPG Key: 22C33E24
>> > > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00
>> > 22C3 3E24
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > _______________________________________________
>> > > Spice-devel mailing list
>> > > Spice-devel at lists.freedesktop.org
>> > > http://lists.freedesktop.org/mailman/listinfo/spice-devel
>> >
>> > --
>> >
>> > David Jaša, RHCE
>> >
>> > SPICE QE based in Brno
>> > GPG Key: 22C33E24
>> > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>> >
>> >
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > Spice-devel mailing list
>> > Spice-devel at lists.freedesktop.org
>> > http://lists.freedesktop.org/mailman/listinfo/spice-devel
>>
>> --
>>
>> David Jaša, RHCE
>>
>> SPICE QE based in Brno
>> GPG Key: 22C33E24
>> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>>
>>
>>
>>
>