[Spice-devel] virt viewer from windows to spice server with tls and certificate file problems (what uri?)
Jodi Curtis
jodi.curtis at gmail.com
Mon Nov 12 23:37:46 PST 2012
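The VM seems to start without complaints after adding the key directory
to the apparmor.d config file, on the line after /etc/pki/libvirt-vnc** r,
and in an identical format. So the certificate warnings look like AppArmor
denying qemu read access to the new directory rather than a problem with
the certificates themselves.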
I haven't really slept much so I will check login after sleeping
On Mon, Nov 12, 2012 at 11:33 PM, Jodi Curtis <jodi.curtis at gmail.com> wrote:
> Hi
>
> Copy of attempt so far, hopefully this will be useful to have online, I
> will carry on tomorrow!
>
> /etc/hostname
>
> squealer
>
> /etc/hosts
>
> 127.0.0.1 localhost squealer squealer.maiakaat.co.uk maiakaat.co.uk
> www.maiakaat.co.uk
> 192.168.2.140 localhost squealer squealer.maiakaat.co.uk maiakaat.co.uk
> www.maiakaat.co.uk
>
> cat /etc/passwd
>
> root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
> bin:x:2:2:bin:/bin:/bin/sh
> sys:x:3:3:sys:/dev:/bin/sh
> sync:x:4:65534:sync:/bin:/bin/sync
> games:x:5:60:games:/usr/games:/bin/sh
> man:x:6:12:man:/var/cache/man:/bin/sh
> lp:x:7:7:lp:/var/spool/lpd:/bin/sh
> mail:x:8:8:mail:/var/mail:/bin/sh
> news:x:9:9:news:/var/spool/news:/bin/sh
> uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
> proxy:x:13:13:proxy:/bin:/bin/sh
> www-data:x:33:33:www-data:/var/www:/bin/sh
> backup:x:34:34:backup:/var/backups:/bin/sh
> list:x:38:38:Mailing List Manager:/var/list:/bin/sh
> irc:x:39:39:ircd:/var/run/ircd:/bin/sh
> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
> libuuid:x:100:101::/var/lib/libuuid:/bin/sh
> syslog:x:101:103::/home/syslog:/bin/false
> messagebus:x:102:105::/var/run/dbus:/bin/false
> whoopsie:x:103:107::/nonexistent:/bin/false
> landscape:x:104:110::/var/lib/landscape:/bin/false
> sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
> libvirt-qemu:x:106:106:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
> libvirt-dnsmasq:x:107:112:Libvirt
> Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
> jodic:x:1000:1000:jodic,,,:/home/jodic:/bin/bash
>
> cd /var/lib/libvirt
> sudo ls -l
>
> drwx--x--x 2 root root 4096 Oct 6 01:58 boot
> drwxr-xr-x 2 root root 4096 Oct 30 21:06 dnsmasq
> drwxr-xr-x 2 libvirt-qemu root 4096 Oct 31 06:11 drivers
> drwx--x--x 2 root root 4096 Oct 6 01:58 images
> drwxr-xr-x 5 libvirt-qemu root 4096 Nov 1 12:56 local
> drwxr-xr-x 2 root root 4096 Nov 12 18:03 network
> drwxr-x--- 5 libvirt-qemu kvm 4096 Nov 12 18:11 qemu
> drwx------ 2 root root 4096 Oct 6 01:58 sanlock
> drwxr-xr-x 5 libvirt-qemu root 4096 Oct 31 06:22 shared
>
> #drivers to be forwarded as filesystem element with Windows drivers
> #local contains volume pools(2) for VM volumes, and all xml files used to
> create VM's volumes and pools.
>
> sudo usermod -a -G root,kvm jodic
>
> chmod 775 /var/lib/libvirt/qemu
> #temporary change
>
> #libvirt directory permissions are drwxr-xr-x
>
> sudo mkdir /var/lib/libvirt/pki
> sudo mkdir /var/lib/libvirt/pki/libvirt-spice
>
> sudo nano /etc/libvirt/qemu.conf
>
> spice_tls = 1
> spice_tls_x509_cert_dir = "/var/lib/libvirt/pki/libvirt-spice"
>
> cd /var/lib/libvirt/pki/libvirt-spice
>
> sudo openssl genrsa -des3 -out ca-key.pem 1024
> sudo openssl req -new -x509 -days 750 -key ca-key.pem -out ca-cert.pem
> -utf8 -subj "/CN=Self Signed"
> sudo openssl genrsa -out server-key.pem 1024
> sudo openssl req -new -key server-key.pem -out server-key.csr -utf8 -subj
> "/CN=squealer"
> sudo openssl x509 -req -days 750 -in server-key.csr -CA ca-cert.pem -CAkey
> ca-key.pem -set_serial 01 -out server-cert.pem
> sudo openssl rsa -in server-key.pem -out server-key.pem.insecure
> sudo mv server-key.pem server-key.pem.secure
> sudo mv server-key.pem.insecure server-key.pem
>
> sudo chown libvirt-qemu /var/lib/libvirt/pki
> sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice
> sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-key.pem
> sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
> sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
>
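> #temporary change - 775 is wider than qemu needs (server-key.pem in
> #particular should end up readable only by libvirt-qemu); tighten once TLS works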
> sudo chmod 775 /var/lib/libvirt/pki
> sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice
> sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/server-key.pem
> sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
> sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
>
> sudo virsh destroy VM11
> sudo virsh undefine VM11
>
> sudo shutdown -r now
> #don't know how to restart service for re-read of qemu.conf in Ubuntu
>
> #Ubuntu offering 28 updates - none related to virtualization at all
>
> sudo apt-get update
> sudo apt-get upgrade
>
> sudo virsh define /var/lib/libvirt/local/xml/default-revision7.xml
>
> #defined VM11
>
> sudo virsh start VM11
>
> #started VM11 23:14 ish UK time
>
> sudo /var/log/libvirt/qemu/qemu.conf
>
> 2012-11-12 23:13:44.233+0000: starting up
> LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin
> QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2 -cpu
> Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,+cmp_legacy,+3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme
> -enable-kvm -m 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid
> 35a6984d-0b77-da48-770e-a8fb0c7c284d -no-user-config -nodefaults -chardev
> socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait
> -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime
> -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive
> file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback
> -device
> virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3
> -drive
> file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough
> -device
> virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4
> -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device
> ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive
> file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw
> -device
> ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1
> -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device
> virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3
> -chardev pty,id=charserial0 -device
> isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0
> -spice
> port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/var/lib/libvirt/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter
> -k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device
> virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
> char device redirected to /dev/pts/2
> ((null):8891): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load
> certificates from /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
> ((null):8891): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use
> private key file
> ((null):8891): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use
> CA file /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
>
> sudo virsh destroy VM11
>
> #destroyed
>
> $ sudo /usr/bin/kvm-spice -monitor stdio -spice
> tls-port=5800,x509-dir=/etc/pki/libvirt-spice,disable-ticketing
>
>
> #output
>
> QEMU 0.12.0 monitor - type 'help' for more information
> (qemu)
>
> "If you see the same error again, there is something wrong with
> certificates themselves. If not, verify that they are accessible to the
> qemu process - note that it may run under different user than root and
> in addition, it may be confined by SELinux or AppArmor. I can't speak
> for AppArmor but for SELinux, you may need to restore context of the
> files (and directories) to make them accessible for qemu."
>
> I'll begin looking at the permissions and security tomorrow, although it's
> stretching my
> knowledge of Linux here, I guess the only way to learn is to do though.
>
> I will likely set up my vm's without security for now (they are local
> only) to have something I can dev on etc
> These are nfs (if the passthrough bug in ubuntu kvm-spice doesn't affect
> the passthrough of a logical volume to the guest), repos (source code),
> build and dev desktop
>
> Thanks again for all the help
>
>
> On Mon, Nov 12, 2012 at 10:40 PM, Jodi Curtis <jodi.curtis at gmail.com>wrote:
>
>> Hi I'm going through the process now logging everything I am doing.
>>
>> The VM does start BTW, the problem is that it cannot open the secure
>> channel from remote-viewer attempts to connect, with qemu giving those
>> errors in VM11.log. I will post my new attempt here anyway in a little
>> while, with a success or failure, I've had some minor issues with the pki
>> directory, hence removing it and trying again with fully checked
>> permissions.
>>
>> Thanks for the help.
>>
>>
>> On Mon, Nov 12, 2012 at 10:12 PM, David Jaša <djasa at redhat.com> wrote:
>>
>>> Jodi Curtis píše v Po 12. 11. 2012 v 19:47 +0000:
>>> > hi
>>> >
>>> >
>>> > sorry I should explain that I used squealer as the server name which
>>> > matches the hostname, this is aliased to various ip's and domain names
>>> > in hosts, the usual method, I'll check the local ip is listed in there
>>> > though,I could try the local ip used to connect .
>>> >
>>>
>>> Well, all of these are side problems as long as your VMs refuse to
>>> start... Anyway, given that spice knows how to override the CN check
>>> since its very beginnings (using --spice-host-subject option), this is
>>> no big deal, it's just more convenient if you don't have to.
>>>
>>> >
>>> > yes the keys were created in the correct directory
>>>
>>> and you already stated that.
>>>
>>> The error message is pretty clear though: there is either something
>>> wrong with certificates themselves or qemu can not access them. If you
>>> can see details of all of them using CLI tools, then the certificates
>>> should be ok. You could verify that ultimately by trying to run
>>> minimalistic qemu manually:
>>>
>>> $ sudo /usr/bin/kvm -monitor stdio -spice
>>> tls-port=5800,x509-dir=/etc/pki/libvirt-spice,disable-ticketing
>>>
>>> you should see just a message like this:
>>> QEMU 0.12.1 monitor - type 'help' for more information
>>> (qemu)
>>>
>>> If you see the same error again, there is something wrong with
>>> certificates themselves. If not, verify that they are accessible to the
>>> qemu process - note that it may run under different user than root and
>>> in addition, it may be confined by SELinux or AppArmor. I can't speak
>>> for AppArmor but for SELinux, you may need to restore context of the
>>> files (and directories) to make them accessible for qemu.
>>>
>>> David
>>>
>>> >
>>> > On Mon, Nov 12, 2012 at 7:42 PM, David Jaša <djasa at redhat.com> wrote:
>>> > Jodi Curtis píše v Po 12. 11. 2012 v 18:53 +0000:
>>> > > Hi
>>> > >
>>> > >
>>> > > Package and OS
>>> > > ------------------------------
>>> > > Ubuntu 12.10
>>> > >
>>> > > qemu-kvm-spice:
>>> > > Installed: 1.2.0-2012.09-0ubuntu1
>>> > > Candidate: 1.2.0-2012.09-0ubuntu1
>>> > > Version table:
>>> > > *** 1.2.0-2012.09-0ubuntu1 0
>>> > > 500 http://gb.archive.ubuntu.com/ubuntu/
>>> > quantal/universe
>>> > > amd64 Packages
>>> > > 100 /var/lib/dpkg/status
>>> > >
>>> > >
>>> > > Key Creation
>>> > >
>>> > > -------------------------
>>> > >
>>> > >
>>> > > openssl genrsa -des3 -out ca-key.pem 1024
>>> > > openssl req -new -x509 -days 1095 -key ca-key.pem -out
>>> > ca-cert.pem
>>> > > -utf8 -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
>>> > > openssl genrsa -out server-key.pem 1024
>>> > > openssl req -new -key server-key.pem -out server-key.csr
>>> > -utf8 -subj
>>> > > "/C=IL/L=Raanana/O=Red Hat/CN=my server"
>>> >
>>> >
>>> > (side note here: you can omit the C, L and O fields - they are
>>> > redundant for uses outside of controlled environments - but the
>>> > CN field should contain the hostname or IP address of your server
>>> > so that you don't need to override the host subject)
>>> >
>>> > > openssl x509 -req -days 1095 -in server-key.csr -CA
>>> > ca-cert.pem -CAkey
>>> > > ca-key.pem -set_serial 01 -out server-cert.pem
>>> > > openssl rsa -in server-key.pem -out server-key.pem.insecure
>>> > > mv server-key.pem server-key.pem.secure
>>> > > mv server-key.pem.insecure server-key.pem
>>> > >
>>> >
>>> >
>>> > here,
>>> >
>>> > >
>>> > > qemu.conf
>>> > >
>>> > > --------------
>>> > >
>>> > >
>>> > > qemu.conf configuration was attempted as default, and
>>> > specified using
>>> > > an uncommented path "/etc/pki/libvirt-spice"
>>> > >
>>> >
>>> >
>>> > here,
>>> >
>>> > >
>>> > > spice_tls = 1
>>> > >
>>> > > # default it to keep them in /etc/pki/libvirt-spice. This
>>> > directory
>>> > >
>>> > > # must contain
>>> > >
>>> > > ...
>>> > >
>>> > > #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" (using
>>> > the default
>>> > > path)
>>> > >
>>> > > spice_tls_x509_cert_dir =
>>> > "/etc/pki/libvirt-spice" (specifying the
>>> > > path directly)
>>> > >
>>> >
>>> >
>>> > and here are the key points. Did you copy the
>>> > {ca,server}-{key,cert}.pem
>>> > files to /etc/pki/libvirt-spice?
>>> >
>>> > David
>>> >
>>> > >
>>> > > Permissions
>>> > >
>>> > > -------------
>>> > >
>>> > > Permissions were tested set as default (assumed root or my
>>> > account)
>>> > > and
>>> > >
>>> > > sudo chown libvirt-qemu /etc/pki/libvirt-spice/
>>> > >
>>> > > sudo chown libvirt-qemu /etc/pki/libvirt-spice/<filenames of
>>> > files>
>>> > >
>>> > >
>>> > >
>>> > > Error Reported
>>> > > -------------------------
>>> > >
>>> > >
>>> > > sudo nano /var/log/libvirt/qemu/VM11.log
>>> > >
>>> > >
>>> > > qemu: terminating on signal 15 from pid 1417
>>> > > 2012-11-12 18:11:24.586+0000: shutting down
>>> > > 2012-11-12 18:11:29.698+0000: starting up
>>> > > LC_ALL=C
>>> > >
>>> >
>>> PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin
>>> > > QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2
>>> > -cpu
>>> > > Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,
>>> > +cmp_legacy,
>>> > > +3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme
>>> > -enable-kvm -m
>>> > > 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid
>>> > > 35a6984d-0b77-da48-770e-a8fb0c7c284d -no-user-config
>>> > -nodefaults
>>> > > -chardev
>>> > >
>>> >
>>> socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait
>>> -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime
>>> -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive
>>> file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback
>>> -device
>>> virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3
>>> -drive
>>> file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough
>>> -device
>>> virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4
>>> -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device
>>> ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive
>>> file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw
>>> -device
>>> ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1
>>> -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device
>>> virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3
>>> -chardev pty,id=charserial0 -device
>>> isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0
>>> -spice
>>> port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/etc/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter
>>> -k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device
>>> virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
>>> > > char device redirected to /dev/pts/1
>>> > > ((null):1916): Spice-Warning **: reds.c:3307:reds_init_ssl:
>>> > Could not
>>> > > load certificates
>>> > from /etc/pki/libvirt-spice/server-cert.pem
>>> > > ((null):1916): Spice-Warning **: reds.c:3317:reds_init_ssl:
>>> > Could not
>>> > > use private key file
>>> > > ((null):1916): Spice-Warning **: reds.c:3325:reds_init_ssl:
>>> > Could not
>>> > > use CA file /etc/pki/libvirt-spice/ca-cert.pem
>>> > >
>>> > >
>>> > >
>>> > >
>>> > > Certificates
>>> > > --------------------
>>> > > I was able to open and read the files using the various
>>> > commands
>>> > > similar to sudo openssl x509 -noout -text -in ca-cert.pem
>>> > >
>>> > >
>>> > > I did wonder if it is rejecting the CA as some security
>>> > feature, I
>>> > > hope this is of use.
>>> > > I chose libvirt-qemu, as this is the account closest to the
>>> > Red
>>> > > Hat/Fedora account name used "qemu"
>>> > >
>>> > >
>>> > >
>>> > >
>>> > > Creation
>>> > > ---------------
>>> > >
>>> > >
>>> > > creation was via an XML definition followed by calling virsh
>>> > define
>>> > > <path>, virsh start VM11
>>> > >
>>> > >
>>> > > I have tried to keep most files inside the libvirt tree to
>>> > try to
>>> > > avoid permission errors, the configuration has two volume
>>> > pools,
>>> > > specified inside /var/lib/libvirt/local/<pool-name> (which
>>> > are mounted
>>> > > to other drives, and operate without problem)
>>> > >
>>> > >
>>> > > The volumes used are vmdk volumes (for performance reasons)
>>> > one inside
>>> > > each pool, for fixed allocation and sparse type allocation),
>>> > not that
>>> > > this matters but it gives you an idea of what the setup is
>>> > like.
>>> > >
>>> > >
>>> > >
>>> > >
>>> > >
>>> > >
>>> > > Location content
>>> > >
>>> > >
>>> > >
>>> > >
>>> > > jodic at squealer:/etc/pki/libvirt-spice$ dir
>>> > > ca-cert.pem server-cert.pem server-key.pem
>>> > > ca-key.pem server-key.csr server-key.pem.secure
>>> > >
>>> > >
>>> > > I could try using a location without the qemu tree to try to
>>> > rule out
>>> > > some permission problems. I'll go through it again in a
>>> > little bit
>>> > >
>>> > >
>>> > >
>>> > >
>>> > >
>>> > >
>>> > > On Mon, Nov 12, 2012 at 6:11 PM, David Jaša
>>> > <djasa at redhat.com> wrote:
>>> > > Before reporting a bug, could we rule out
>>> > misconfiguration
>>> > > possiblity
>>> > > entirely?
>>> > >
>>> > > 1) do you use libvirt?
>>> > > 2) if so, do you use system session or per-user
>>> > session?
>>> > > 3) could you look at qemu command line? If you use
>>> > libvirt,
>>> > > you'll find it in /var/log/libvirt/qemu/VM_NAME.log
>>> > > 4) at the libvirt command file, is there '...
>>> > > -spice ...,x509-(dir|ca...|server),... ' entry?
>>> > > 5) if the x509 directive is x509-dir, does "qemu-kvm
>>> > -spice
>>> > > tls-port=12345,x509-dir=DIR,disable-ticketing"
>>> > command throw
>>> > > the same error?
>>> > > (the same goes for per-file x509 options)
>>> > > 6) if it is indeed a problem, is it permission issue
>>> > or are
>>> > > the files empty or are they invalid?
>>> > >
>>> > > (...)
>>> > >
>>> > > David
>>> > >
>>> > >
>>> > > Jodi Curtis píše v Po 12. 11. 2012 v 17:55 +0000:
>>> > > > Hi
>>> > > >
>>> > > >
>>> > > > I've used the directory correctly on qemu.conf,
>>> > I've seen
>>> > > these
>>> > > > problems relating to Red Hat/oVirt, where it
>>> > wasn't set
>>> > > despite being
>>> > > > set in qemu.conf, so I will probably file a bug
>>> > report with
>>> > > Ubuntu on
>>> > > > this one.
>>> > > >
>>> > > >
>>> > > > The red-hat solution isn't valid for Ubuntu.
>>> > > >
>>> > > >
>>> > > > Thanks
>>> > > >
>>> > > > On Mon, Nov 12, 2012 at 5:49 PM, David Jaša
>>> > > <djasa at redhat.com> wrote:
>>> > > > Jodi Curtis píše v Po 12. 11. 2012 v 17:31
>>> > +0000:
>>> > > > > Hi
>>> > > > >
>>> > > > >
>>> > > > > Thanks, I found the method in the end,
>>> > my current
>>> > > problem is
>>> > > > related
>>> > > > > to a problem with Ubuntu/SSL/Spice, so
>>> > not really
>>> > > your
>>> > > > software, I
>>> > > > > have asked for help from a Linux admin,
>>> > but its
>>> > > detailed
>>> > > > below for the
>>> > > > > record, I've gone through the key making
>>> > > > > process
>>> > > twice, and
>>> > > > rebooted,
>>> > > > > obviously paths have been checked and
>>> > qemu.conf
>>> > > has been set
>>> > > > as
>>> > > > > required
>>> > > > >
>>> > > > >
>>> > > > > ((null):2176): Spice-Warning **:
>>> > > reds.c:3307:reds_init_ssl:
>>> > > > Could not
>>> > > > > load certificates from server-cert.pem
>>> > > > > ((null):2176): Spice-Warning **:
>>> > > reds.c:3317:reds_init_ssl:
>>> > > > Could not
>>> > > > > use private key file
>>> > > > > ((null):2176): Spice-Warning **:
>>> > > reds.c:3325:reds_init_ssl:
>>> > > > Could not
>>> > > > > use CA file
>>> > > >
>>> > > >
>>> > > > Assuming that your cert/key files are
>>> > correct and in
>>> > > place,
>>> > > > this looks
>>> > > > like incorrect x509-dir option of qemu cli
>>> > or
>>> > > > spice_tls_x509_cert_dir
>>> > > > directive of /etc/libvirt/qemu.conf
>>> > pointing to a
>>> > > wrong
>>> > > > directory. Just
>>> > > > a configuration issue.
>>> > > >
>>> > > > David
>>> > > >
>>> > > > >
>>> > > > >
>>> > > > > There is very little obvious on the
>>> > internet, so
>>> > > am trying
>>> > > > to identify
>>> > > > > if its a common SSL or config problem,
>>> > or if I
>>> > > should file a
>>> > > > bug
>>> > > > > report with Ubuntu kvm-spice
>>> > > > >
>>> > > > >
>>> > > > > Jodi
>>> > > > >
>>> > > > >
>>> > > > > On Mon, Nov 12, 2012 at 12:12 PM, David
>>> > Jaša
>>> > > > <djasa at redhat.com> wrote:
>>> > > > > Hi Jodi,
>>> > > > >
>>> > > > > You can find full tls-enabled
>>> > > remote-viewer
>>> > > > invocation in this
>>> > > > > oVirt
>>> > > > > wiki page:
>>> > > > >
>>> > > >
>>> > >
>>> >
>>> http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal
>>> > > > >
>>> > > > > David
>>> > > > >
>>> > > > >
>>> > > > > Jodi Curtis píše v Ne 11. 11.
>>> > 2012 v 23:28
>>> > > +0000:
>>> > > > > > Hi
>>> > > > > >
>>> > > > > >
>>> > > > > > I'm having trouble connecting
>>> > to a spice
>>> > > server
>>> > > > with tls
>>> > > > > enabled
>>> > > > > > through virt-viewer on
>>> > windows, I have
>>> > > tls
>>> > > > configured and a
>>> > > > > > ca-cert.pem file, but I don't
>>> > know where
>>> > > to put
>>> > > > it, or what
>>> > > > > to use
>>> > > > > >
>>> > > > > >
>>> > > > > > I have tried various
>>> > combinations of
>>> > > > > spice://192.168.2.140:590x
>>> > > > > >
>>> > > > > >
>>> > > > > > I have tried adding +ssh or
>>> > +tls, I have
>>> > > tried
>>> > > > adding the
>>> > > > > ca-cert.pem
>>> > > > > > file to the location used by
>>> > the spicec
>>> > > page that
>>> > > > covers how
>>> > > > > to set up
>>> > > > > > tls, and I have tried adding
>>> > my username
>>> > > before
>>> > > > the IP.
>>> > > > > >
>>> > > > > > I have tried connecting to
>>> > both ports.
>>> > > > > >
>>> > > > > >
>>> > > > > > Any help on what it should be,
>>> > or if
>>> > > there is an
>>> > > > alternative
>>> > > > > to
>>> > > > > > virt-viewer on windows that I
>>> > need to
>>> > > use for the
>>> > > > secure
>>> > > > > connection.
>>> > > > > >
>>> > > > > >
>>> > > > > > Thanks
>>> > > > >
>>> > > > > >
>>> > > _______________________________________________
>>> > > > > > Spice-devel mailing list
>>> > > > > >
>>> > Spice-devel at lists.freedesktop.org
>>> > > > > >
>>> > > >
>>> > >
>>> > http://lists.freedesktop.org/mailman/listinfo/spice-devel
>>> > > > >
>>> > > > > --
>>> > > > >
>>> > > > > David Jaša, RHCE
>>> > > > >
>>> > > > > SPICE QE based in Brno
>>> > > > > GPG Key: 22C33E24
>>> > > > > Fingerprint: 513A 060B D1B4 2A72
>>> > 7F0D 0278
>>> > > B125 CD00
>>> > > > 22C3 3E24
>>> > > > >
>>> > > > >
>>> > > > >
>>> > > > >
>>> > > > >
>>> > > > >
>>> > _______________________________________________
>>> > > > > Spice-devel mailing list
>>> > > > > Spice-devel at lists.freedesktop.org
>>> > > > >
>>> > >
>>> > http://lists.freedesktop.org/mailman/listinfo/spice-devel
>>> > > >
>>> > > > --
>>> > > >
>>> > > > David Jaša, RHCE
>>> > > >
>>> > > > SPICE QE based in Brno
>>> > > > GPG Key: 22C33E24
>>> > > > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278
>>> > B125 CD00
>>> > > 22C3 3E24
>>> > > >
>>> > > >
>>> > > >
>>> > > >
>>> > > >
>>> > > >
>>> > >
>>> > > --
>>> > >
>>> > > David Jaša, RHCE
>>> > >
>>> > > SPICE QE based in Brno
>>> > > GPG Key: 22C33E24
>>> > > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00
>>> > 22C3 3E24
>>> > >
>>> > >
>>> > >
>>> > >
>>> > >
>>> > >
>>> > > _______________________________________________
>>> > > Spice-devel mailing list
>>> > > Spice-devel at lists.freedesktop.org
>>> > > http://lists.freedesktop.org/mailman/listinfo/spice-devel
>>> >
>>> > --
>>> >
>>> > David Jaša, RHCE
>>> >
>>> > SPICE QE based in Brno
>>> > GPG Key: 22C33E24
>>> > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > _______________________________________________
>>> > Spice-devel mailing list
>>> > Spice-devel at lists.freedesktop.org
>>> > http://lists.freedesktop.org/mailman/listinfo/spice-devel
>>>
>>> --
>>>
>>> David Jaša, RHCE
>>>
>>> SPICE QE based in Brno
>>> GPG Key: 22C33E24
>>> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>>>
>>>
>>>
>>>
>>
>