[Spice-devel] virt viewer from windows to spice server with tls and certificate file problems (what uri?)
Jodi Curtis
jodi.curtis at gmail.com
Tue Nov 13 08:26:58 PST 2012
My latest issue is the error spice warning spice channels 1 should be
encrypted, I'm guessing this is an authentication issue with my attempts to
connect?
On Tue, Nov 13, 2012 at 7:37 AM, Jodi Curtis <jodi.curtis at gmail.com> wrote:
> The VM seems to start without complaints after adding the key directory
> after /etc/pki/libvirt-vnc** r, in an identical format within the
> apparmor.d config file
>
> I haven't really slept much so I will check login after sleeping
>
>
> On Mon, Nov 12, 2012 at 11:33 PM, Jodi Curtis <jodi.curtis at gmail.com> wrote:
>
>> Hi
>>
>> Copy of attempt so far, hopefully this will be useful to have online, I
>> will carry on tomorrow!
>>
>> /etc/hostname
>>
>> squealer
>>
>> /etc/hosts
>>
>> 127.0.0.1 localhost squealer squealer.maiakaat.co.uk maiakaat.co.uk www.maiakaat.co.uk
>> 192.168.2.140 localhost squealer squealer.maiakaat.co.uk maiakaat.co.uk www.maiakaat.co.uk
>>
>> cat /etc/passwd
>>
>> root:x:0:0:root:/root:/bin/bash
>> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
>> bin:x:2:2:bin:/bin:/bin/sh
>> sys:x:3:3:sys:/dev:/bin/sh
>> sync:x:4:65534:sync:/bin:/bin/sync
>> games:x:5:60:games:/usr/games:/bin/sh
>> man:x:6:12:man:/var/cache/man:/bin/sh
>> lp:x:7:7:lp:/var/spool/lpd:/bin/sh
>> mail:x:8:8:mail:/var/mail:/bin/sh
>> news:x:9:9:news:/var/spool/news:/bin/sh
>> uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
>> proxy:x:13:13:proxy:/bin:/bin/sh
>> www-data:x:33:33:www-data:/var/www:/bin/sh
>> backup:x:34:34:backup:/var/backups:/bin/sh
>> list:x:38:38:Mailing List Manager:/var/list:/bin/sh
>> irc:x:39:39:ircd:/var/run/ircd:/bin/sh
>> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
>> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>> libuuid:x:100:101::/var/lib/libuuid:/bin/sh
>> syslog:x:101:103::/home/syslog:/bin/false
>> messagebus:x:102:105::/var/run/dbus:/bin/false
>> whoopsie:x:103:107::/nonexistent:/bin/false
>> landscape:x:104:110::/var/lib/landscape:/bin/false
>> sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
>> libvirt-qemu:x:106:106:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
>> libvirt-dnsmasq:x:107:112:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
>> jodic:x:1000:1000:jodic,,,:/home/jodic:/bin/bash
>>
>> cd /var/lib/libvirt
>> sudo ls -l
>>
>> drwx--x--x 2 root root 4096 Oct 6 01:58 boot
>> drwxr-xr-x 2 root root 4096 Oct 30 21:06 dnsmasq
>> drwxr-xr-x 2 libvirt-qemu root 4096 Oct 31 06:11 drivers
>> drwx--x--x 2 root root 4096 Oct 6 01:58 images
>> drwxr-xr-x 5 libvirt-qemu root 4096 Nov 1 12:56 local
>> drwxr-xr-x 2 root root 4096 Nov 12 18:03 network
>> drwxr-x--- 5 libvirt-qemu kvm 4096 Nov 12 18:11 qemu
>> drwx------ 2 root root 4096 Oct 6 01:58 sanlock
>> drwxr-xr-x 5 libvirt-qemu root 4096 Oct 31 06:22 shared
>>
>> #drivers to be forwarded as filesystem element with Windows drivers
>> #local contains volume pools(2) for VM volumes, and all xml files used to create VM's volumes and pools.
>>
>> sudo usermod -a -G root,kvm jodic
>>
>> chmod 775 /var/lib/libvirt/qemu
>> #temporary change
>>
>> #libvirt directory permissions are drwxr-xr-x
>>
>> sudo mkdir /var/lib/libvirt/pki
>> sudo mkdir /var/lib/libvirt/pki/libvirt-spice
>>
>> sudo nano /etc/libvirt/qemu.conf
>>
>> spice_tls = 1
>> spice_tls_x509_cert_dir = "/var/lib/libvirt/pki/libvirt-spice"
>>
>> cd /var/lib/libvirt/pki/libvirt-spice
>>
>> sudo openssl genrsa -des3 -out ca-key.pem 1024
>> sudo openssl req -new -x509 -days 750 -key ca-key.pem -out ca-cert.pem -utf8 -subj "/CN=Self Signed"
>> sudo openssl genrsa -out server-key.pem 1024
>> sudo openssl req -new -key server-key.pem -out server-key.csr -utf8 -subj "/CN=squealer"
>> sudo openssl x509 -req -days 750 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
>> sudo openssl rsa -in server-key.pem -out server-key.pem.insecure
>> sudo mv server-key.pem server-key.pem.secure
>> sudo mv server-key.pem.insecure server-key.pem
>>
>> sudo chown libvirt-qemu /var/lib/libvirt/pki
>> sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice
>> sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-key.pem
>> sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
>> sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
>>
>> #temporary change
>> sudo chmod 775 /var/lib/libvirt/pki
>> sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice
>> sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/server-key.pem
>> sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
>> sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
>>
>> sudo virsh destroy VM11
>> sudo virsh undefine VM11
>>
>> sudo shutdown -r now
>> #don't know how to restart service for re-read of qemu.conf in Ubuntu
>>
>> #Ubuntu offering 28 updates - none related to virtualization at all
>>
>> sudo apt-get update
>> sudo apt-get upgrade
>>
>> sudo virsh define /var/lib/libvirt/local/xml/default-revision7.xml
>>
>> #defined VM11
>>
>> sudo virsh start VM11
>>
>> #started VM11 23:14 ish UK time
>>
>> sudo /var/log/libvirt/qemu/qemu.conf
>>
>> 2012-11-12 23:13:44.233+0000: starting up
>> LC_ALL=C
>> PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin
>> QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2 -cpu
>> Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,+cmp_legacy,+3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme
>> -enable-kvm -m 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid
>> 35a6984d-0b77-da48-770e-a8fb0c7c284d -no-user-config -nodefaults -chardev
>> socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait
>> -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime
>> -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive
>> file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback
>> -device
>> virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3
>> -drive
>> file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough
>> -device
>> virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4
>> -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device
>> ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive
>> file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw
>> -device
>> ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1
>> -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device
>> virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3
>> -chardev pty,id=charserial0 -device
>> isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0
>> -spice
>> port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/var/lib/libvirt/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter
>> -k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device
>> virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
>> char device redirected to /dev/pts/2
>> ((null):8891): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
>> ((null):8891): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file
>> ((null):8891): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
>>
>> sudo virsh destroy VM11
>>
>> #destroyed
>>
>> $ sudo /usr/bin/kvm-spice -monitor stdio -spice tls-port=5800,x509-dir=/etc/pki/libvirt-spice,disable-ticketing
>>
>>
>> #output
>>
>> QEMU 0.12.0 monitor - type 'help' for more information
>> (qemu)
>>
>> "If you see the same error again, there is something wrong with
>> certificates themselves. If not, verify that they are accessible to the
>> qemu process - note that it may run under different user than root and
>> in addition, it may be confined by SELinux or AppArmor. I can't speak
>> for AppArmor but for SELinux, you may need to restore context of the
>> files (and directories) to make them accessible for qemu."
>>
>> I'll begin looking at the permissions and security tomorrow, although it's
>> stretching my knowledge of Linux here, I guess the only way to learn is to
>> do though.
>>
>> I will likely set up my VMs without security for now (they are local
>> only) to have something I can dev on etc.
>> These are nfs (if the passthrough bug in ubuntu kvm-spice doesn't affect
>> the passthrough of a logical volume to the guest, repos (source code),
>> build and dev desktop
>>
>> Thanks again for all the help
>>
>>
>> On Mon, Nov 12, 2012 at 10:40 PM, Jodi Curtis <jodi.curtis at gmail.com> wrote:
>>
>>> Hi I'm going through the process now logging everything I am doing.
>>>
>>> The VM does start BTW, the problem is that it cannot open the secure
>>> channel from remote-viewer attempts to connect, with qemu giving those
>>> errors in VM11.log. I will post my new attempt here anyway in a little
>>> while, with a success or failure, I've had some minor issues with the pki
>>> directory, hence removing and trying again with fully checked
>>> permissions.
>>>
>>> Thanks for the help.
>>>
>>>
>>> On Mon, Nov 12, 2012 at 10:12 PM, David Jaša <djasa at redhat.com> wrote:
>>>
>>>> Jodi Curtis wrote on Mon 12. 11. 2012 at 19:47 +0000:
>>>> > hi
>>>> >
>>>> >
>>>> > sorry I should explain that I used squealer as the server name which
>>>> > matches the hostname, this is aliased to various ip's and domain names
>>>> > in hosts, the usual method, I'll check the local ip is listed in there
>>>> > though, I could try the local ip used to connect.
>>>> >
>>>>
>>>> Well, all of these are side problems as long as your VMs refuse to
>>>> start... Anyway, given that spice knows how to override the CN check
>>>> since its very beginnings (using --spice-host-subject option), this is
>>>> no big deal, it's just more convenient if you don't have to.
>>>>
>>>> >
>>>> > yes the keys were created in the correct directory
>>>>
>>>> and you already stated that.
>>>>
>>>> The error message is pretty clear though: there is either something
>>>> wrong with certificates themselves or qemu can not access them. If you
>>>> can see details of all of them using CLI tools, then the certificates
>>>> should be ok. You could verify that ultimately by trying to run
>>>> minimalistic qemu manually:
>>>>
>>>> $ sudo /usr/bin/kvm -monitor stdio -spice tls-port=5800,x509-dir=/etc/pki/libvirt-spice,disable-ticketing
>>>>
>>>> you should see just a message like this:
>>>> QEMU 0.12.1 monitor - type 'help' for more information
>>>> (qemu)
>>>>
>>>> If you see the same error again, there is something wrong with
>>>> certificates themselves. If not, verify that they are accessible to the
>>>> qemu process - note that it may run under different user than root and
>>>> in addition, it may be confined by SELinux or AppArmor. I can't speak
>>>> for AppArmor but for SELinux, you may need to restore context of the
>>>> files (and directories) to make them accessible for qemu.
>>>>
>>>> David
>>>>
>>>> >
>>>> > On Mon, Nov 12, 2012 at 7:42 PM, David Jaša <djasa at redhat.com> wrote:
>>>> > Jodi Curtis wrote on Mon 12. 11. 2012 at 18:53 +0000:
>>>> > > Hi
>>>> > >
>>>> > >
>>>> > > Package and OS
>>>> > > ------------------------------
>>>> > > Ubuntu 12.10
>>>> > >
>>>> > > qemu-kvm-spice:
>>>> > > Installed: 1.2.0-2012.09-0ubuntu1
>>>> > > Candidate: 1.2.0-2012.09-0ubuntu1
>>>> > > Version table:
>>>> > > *** 1.2.0-2012.09-0ubuntu1 0
>>>> > > 500 http://gb.archive.ubuntu.com/ubuntu/ quantal/universe amd64 Packages
>>>> > > 100 /var/lib/dpkg/status
>>>> > >
>>>> > >
>>>> > > Key Creation
>>>> > >
>>>> > > -------------------------
>>>> > >
>>>> > >
>>>> > > openssl genrsa -des3 -out ca-key.pem 1024
>>>> > > openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -utf8 -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
>>>> > > openssl genrsa -out server-key.pem 1024
>>>> > > openssl req -new -key server-key.pem -out server-key.csr -utf8 -subj "/C=IL/L=Raanana/O=Red Hat/CN=my server"
>>>> >
>>>> >
>>>> > (side note here: you can omit C, L and O fields, they are redundant
>>>> > for uses outside of controlled environments, but CN field should contain
>>>> > hostname or IP address of your server so that you don't need to
>>>> > override the host subject)
>>>> >
>>>> > > openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
>>>> > > openssl rsa -in server-key.pem -out server-key.pem.insecure
>>>> > > mv server-key.pem server-key.pem.secure
>>>> > > mv server-key.pem.insecure server-key.pem
>>>> > >
>>>> >
>>>> >
>>>> > here,
>>>> >
>>>> > >
>>>> > > qemu.conf
>>>> > >
>>>> > > --------------
>>>> > >
>>>> > >
>>>> > > qemu.conf configuration was attempted as default, and specified using
>>>> > > an uncommented path "/etc/pki/libvirt-spice"
>>>> > >
>>>> >
>>>> >
>>>> > here,
>>>> >
>>>> > >
>>>> > > spice_tls = 1
>>>> > >
>>>> > > # default it to keep them in /etc/pki/libvirt-spice. This directory
>>>> > >
>>>> > > # must contain
>>>> > >
>>>> > > ...
>>>> > >
>>>> > > #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" (using the default
>>>> > > path)
>>>> > >
>>>> > > spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" (specifying the
>>>> > > path directly)
>>>> > >
>>>> >
>>>> >
>>>> > and here are the key points. Did you copy the {ca,server}-{key,cert}.pem
>>>> > files to /etc/pki/libvirt-spice?
>>>> >
>>>> > David
>>>> >
>>>> > >
>>>> > > Permissions
>>>> > >
>>>> > > -------------
>>>> > >
>>>> > > Permissions were tested set as default (assumed root or my account)
>>>> > > and
>>>> > >
>>>> > > sudo chown libvirt-qemu /etc/pki/libvirt-spice/
>>>> > >
>>>> > > sudo chown libvirt-qemu /etc/pki/libvirt-spice/<filenames of files>
>>>> > >
>>>> > >
>>>> > >
>>>> > > Error Reported
>>>> > > -------------------------
>>>> > >
>>>> > >
>>>> > > sudo nano /var/log/libvirt/qemu/VM11.log
>>>> > >
>>>> > >
>>>> > > qemu: terminating on signal 15 from pid 1417
>>>> > > 2012-11-12 18:11:24.586+0000: shutting down
>>>> > > 2012-11-12 18:11:29.698+0000: starting up
>>>> > > LC_ALL=C
>>>> > >
>>>> >
>>>> PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin
>>>> > > QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2
>>>> > -cpu
>>>> > > Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,
>>>> > +cmp_legacy,
>>>> > > +3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme
>>>> > -enable-kvm -m
>>>> > > 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid
>>>> > > 35a6984d-0b77-da48-770e-a8fb0c7c284d -no-user-config
>>>> > -nodefaults
>>>> > > -chardev
>>>> > >
>>>> >
>>>> socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait
>>>> -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime
>>>> -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive
>>>> file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback
>>>> -device
>>>> virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3
>>>> -drive
>>>> file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough
>>>> -device
>>>> virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4
>>>> -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device
>>>> ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive
>>>> file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw
>>>> -device
>>>> ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1
>>>> -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device
>>>> virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3
>>>> -chardev pty,id=charserial0 -device
>>>> isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0
>>>> -spice
>>>> port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/etc/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter
>>>> -k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device
>>>> virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
>>>> > > char device redirected to /dev/pts/1
>>>> > > ((null):1916): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from /etc/pki/libvirt-spice/server-cert.pem
>>>> > > ((null):1916): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file
>>>> > > ((null):1916): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file /etc/pki/libvirt-spice/ca-cert.pem
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > > Certificates
>>>> > > --------------------
>>>> > > I was able to open and read the files using the various commands
>>>> > > similar to sudo openssl x509 -noout -text -in ca-cert.pem
>>>> > >
>>>> > >
>>>> > > I did wonder if it is rejecting the CA as some security feature, I
>>>> > > hope this is of use.
>>>> > > I chose libvirt-qemu, as this is the account closest to the Red
>>>> > > Hat/Fedora account name used "qemu"
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > > Creation
>>>> > > ---------------
>>>> > >
>>>> > >
>>>> > > creation was via an XML definition followed by calling virsh define
>>>> > > <path>, virsh start VM11
>>>> > >
>>>> > >
>>>> > > I have tried to keep most files inside the libvirt tree to try to
>>>> > > avoid permission errors, the configuration has two volume pools,
>>>> > > specified inside /var/lib/libvirt/local/<pool-name> (which are mounted
>>>> > > to other drives, and operate without problem)
>>>> > >
>>>> > >
>>>> > > The volumes used are vmdk volumes (for performance reasons) one inside
>>>> > > each pool, for fixed allocation and sparse type allocation), not that
>>>> > > this matters but it gives you an idea of what the setup is like.
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > > Location content
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > > jodic at squealer:/etc/pki/libvirt-spice$ dir
>>>> > > ca-cert.pem server-cert.pem server-key.pem
>>>> > > ca-key.pem server-key.csr server-key.pem.secure
>>>> > >
>>>> > >
>>>> > > I could try using a location without the qemu tree to try to rule out
>>>> > > some permission problems. I'll go through it again in a little bit
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > >
>>>> > > On Mon, Nov 12, 2012 at 6:11 PM, David Jaša <djasa at redhat.com> wrote:
>>>> > > Before reporting a bug, could we rule out misconfiguration possibility
>>>> > > entirely?
>>>> > >
>>>> > > 1) do you use libvirt?
>>>> > > 2) if so, do you use system session or per-user session?
>>>> > > 3) could you look at qemu command line? If you use libvirt,
>>>> > > you'll find it in /var/log/libvirt/qemu/VM_NAME.log
>>>> > > 4) at the libvirt command file, is there '...
>>>> > > -spice ...,x509-(dir|ca...|server),... ' entry?
>>>> > > 5) if the x509 directive is x509-dir, does "qemu-kvm -spice
>>>> > > tls-port=12345,x509-dir=DIR,disable-ticketing" command throw
>>>> > > the same error?
>>>> > > (the same goes for per-file x509 options)
>>>> > > 6) if it is indeed a problem, is it permission issue or are
>>>> > > the files empty or are they invalid?
>>>> > >
>>>> > > (...)
>>>> > >
>>>> > > David
>>>> > >
>>>> > >
>>>> > > Jodi Curtis wrote on Mon 12. 11. 2012 at 17:55 +0000:
>>>> > > > Hi
>>>> > > >
>>>> > > >
>>>> > > > I've used the directory correctly on qemu.conf, I've seen these
>>>> > > > problems relating to Red Hat/oVirt, where it wasn't set despite being
>>>> > > > set in qemu.conf, so I will probably file a bug report with Ubuntu on
>>>> > > > this one.
>>>> > > >
>>>> > > >
>>>> > > > The red-hat solution isn't valid for Ubuntu.
>>>> > > >
>>>> > > >
>>>> > > > Thanks
>>>> > > >
>>>> > > > On Mon, Nov 12, 2012 at 5:49 PM, David Jaša <djasa at redhat.com> wrote:
>>>> > > > Jodi Curtis wrote on Mon 12. 11. 2012 at 17:31 +0000:
>>>> > > > > Hi
>>>> > > > >
>>>> > > > >
>>>> > > > > Thanks, I found the method in the end, my current problem is related
>>>> > > > > to a problem with Ubuntu/SSL/Spice, so not really your software, I
>>>> > > > > have asked for help from a Linux admin, but it's detailed below for the
>>>> > > > > record, I've gone through the key making process twice, and rebooted,
>>>> > > > > obviously paths have been checked and qemu.conf has been set as
>>>> > > > > required
>>>> > > > >
>>>> > > > >
>>>> > > > > ((null):2176): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from server-cert.pem
>>>> > > > > ((null):2176): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file
>>>> > > > > ((null):2176): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file
>>>> > > >
>>>> > > >
>>>> > > > Assuming that your cert/key files are correct and in place, this looks
>>>> > > > like incorrect x509-dir option of qemu cli or spice_tls_x509_cert_dir
>>>> > > > directive of /etc/libvirt/qemu.conf pointing to a wrong directory. Just
>>>> > > > a configuration issue.
>>>> > > >
>>>> > > > David
>>>> > > >
>>>> > > > >
>>>> > > > >
>>>> > > > > There is very little obvious on the internet, so am trying to identify
>>>> > > > > if it's a common SSL or config problem, or if I should file a bug
>>>> > > > > report with Ubuntu kvm-spice
>>>> > > > >
>>>> > > > >
>>>> > > > > Jodi
>>>> > > > >
>>>> > > > >
>>>> > > > > On Mon, Nov 12, 2012 at 12:12 PM, David Jaša <djasa at redhat.com> wrote:
>>>> > > > > Hi Jodi,
>>>> > > > >
>>>> > > > > You can find full tls-enabled remote-viewer invocation in this oVirt
>>>> > > > > wiki page:
>>>> > > > > http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal
>>>> > > > >
>>>> > > > > David
>>>> > > > >
>>>> > > > >
>>>> > > > > Jodi Curtis wrote on Sun 11. 11. 2012 at 23:28 +0000:
>>>> > > > > > Hi
>>>> > > > > >
>>>> > > > > >
>>>> > > > > > I'm having trouble connecting to a spice server with tls enabled
>>>> > > > > > through virt-viewer on windows, I have tls configured and a
>>>> > > > > > ca-cert.pem file, but I don't know where to put it, or what to use
>>>> > > > > >
>>>> > > > > >
>>>> > > > > > I have tried various combinations of spice://192.168.2.140:590x
>>>> > > > > >
>>>> > > > > >
>>>> > > > > > I have tried adding +ssh or +tls, I have tried adding the ca-cert.pem
>>>> > > > > > file to the location used by the spicec page that covers how to set up
>>>> > > > > > tls, and I have tried adding my username before the IP.
>>>> > > > > >
>>>> > > > > > I have tried connecting to both ports.
>>>> > > > > >
>>>> > > > > >
>>>> > > > > > Any help on what it should be, or if there is an alternative to
>>>> > > > > > virt-viewer on windows that I need to use for the secure connection.
>>>> > > > > >
>>>> > > > > >
>>>> > > > > > Thanks
>>>> > > > > >
>>>> > > > > > _______________________________________________
>>>> > > > > > Spice-devel mailing list
>>>> > > > > > Spice-devel at lists.freedesktop.org
>>>> > > > > > http://lists.freedesktop.org/mailman/listinfo/spice-devel
>>>> > > > >
>>>> > > > > --
>>>> > > > >
>>>> > > > > David Jaša, RHCE
>>>> > > > >
>>>> > > > > SPICE QE based in Brno
>>>> > > > > GPG Key: 22C33E24
>>>> > > > > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>>>> > > > >
>>>> > > > >
>>>> > > > >
>>>> > > > >
>>>> > > > >
>>>> > > >
>>>> > > >
>>>> > > >
>>>> > > >
>>>> > > >
>>>> > > >
>>>> > >
>>>> >
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
>
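
The question raised in the thread (are the x509-dir files missing, empty, invalid, or unreadable by the account qemu runs as?) can be checked mechanically; the following is an added example, not part of the original thread and not code from libvirt or SPICE. It evaluates classic owner/group/other mode bits only, so an AppArmor or SELinux denial will not show up here, and it does not validate the certificates beyond a PEM header check. The function names, the uid 64055 and the placeholder PEM bodies are constructed for the demonstration.

```python
import os
import stat
import tempfile

REQUIRED = ("ca-cert.pem", "server-cert.pem", "server-key.pem")


def _allowed(st, uid, gids, want):
    """Owner/group/other evaluation for 'r' or 'x'. ACLs and MAC policy
    (AppArmor, SELinux) are not modelled and can still deny access."""
    if uid == 0:  # root bypasses mode bits for read and directory search
        return True
    usr, grp, oth = {"r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
                     "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)}[want]
    if st.st_uid == uid:
        return bool(st.st_mode & usr)
    if st.st_gid in gids:
        return bool(st.st_mode & grp)
    return bool(st.st_mode & oth)


def check_x509_dir(x509_dir, uid, gids):
    """List problems that would stop uid/gids from using an x509-dir."""
    findings = []
    chain = [os.path.abspath(x509_dir)]
    while os.path.dirname(chain[-1]) != chain[-1]:
        chain.append(os.path.dirname(chain[-1]))
    for ancestor in reversed(chain):  # search bit is needed on every level
        if not _allowed(os.stat(ancestor), uid, gids, "x"):
            findings.append(f"no-search:{ancestor}")
    for name in REQUIRED:
        path = os.path.join(chain[0], name)
        if not os.path.isfile(path):
            findings.append(f"missing:{name}")
            continue
        st = os.stat(path)
        if st.st_size == 0:
            findings.append(f"empty:{name}")
        else:
            with open(path, "rb") as fh:
                if not fh.read(64).lstrip().startswith(b"-----BEGIN "):
                    findings.append(f"not-pem:{name}")
        if not _allowed(st, uid, gids, "r"):
            findings.append(f"unreadable:{name}")
        if name == "server-key.pem" and st.st_mode & 0o077:
            findings.append(f"key-too-open:{name}")  # group/other bits set on the key
    return findings


def demo():
    """Constructed layout; the current user stands in for the qemu account."""
    me = os.getuid()
    groups = set(os.getgroups()) | {os.getgid()}
    other_uid = 64055  # constructed uid that owns nothing in this layout
    pem = "-----BEGIN PLACEHOLDER-----\nconstructed\n-----END PLACEHOLDER-----\n"
    out = {}
    with tempfile.TemporaryDirectory() as d:
        for name in REQUIRED:
            with open(os.path.join(d, name), "w") as fh:
                fh.write(pem)
            os.chmod(os.path.join(d, name), 0o775)  # as in the thread's chmod 775
        os.chmod(d, 0o775)
        out["chmod_775"] = check_x509_dir(d, me, groups)
        os.chmod(d, 0o750)
        os.chmod(os.path.join(d, "server-key.pem"), 0o600)
        out["tightened"] = check_x509_dir(d, me, groups)
        out["other_user"] = check_x509_dir(d, other_uid, set())
        open(os.path.join(d, "server-cert.pem"), "w").close()  # truncate to 0 bytes
        out["empty_cert"] = check_x509_dir(d, me, groups)
    return out


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings)
```

On a real host, pass the uid and group ids of the account the qemu process runs as (libvirt-qemu in this thread) and the directory named by spice_tls_x509_cert_dir.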