[Spice-devel] virt viewer from windows to spice server with tls and certificate file problems (what uri?)

David Jaša djasa at redhat.com
Tue Nov 13 08:58:38 PST 2012


I think it is something different but I can't say it for sure unless I
see the exact message...

Jodi Curtis wrote on Tue 13. 11. 2012 at 16:26 +0000:
> My latest issue is the error "spice warning spice channels 1 should be
> encrypted". I'm guessing this is an authentication issue with my
> attempts to connect?
> 
> On Tue, Nov 13, 2012 at 7:37 AM, Jodi Curtis <jodi.curtis at gmail.com>
> wrote:
>         The VM seems to start without complaints after adding the key
>         directory after /etc/pki/libvirt-vnc** r, in an identical
>         format within the apparmor.d config file

Ubuntu docs should probably be updated about the need to copy certs/keys to
the default directory OR the need to update the AppArmor configuration if a
custom directory is used.

David

>         
>         I haven't really slept much so I will check login after
>         sleeping 
>         
>         
>         On Mon, Nov 12, 2012 at 11:33 PM, Jodi Curtis
>         <jodi.curtis at gmail.com> wrote:
>                 Hi
>                 
>                 
>                 Copy of attempt so far, hopefully this will be useful
>                 to have online, I will carry on tomorrow!
>                 
>                 
>                 /etc/hostname 
>                 
>                 
>                 squealer
>                 
>                 
>                 /etc/hosts
>                 
>                 
>                 127.0.0.1 localhost squealer squealer.maiakaat.co.uk
>                 maiakaat.co.uk www.maiakaat.co.uk
>                 192.168.2.140 localhost squealer
>                 squealer.maiakaat.co.uk maiakaat.co.uk
>                 www.maiakaat.co.uk
>                 
>                 
>                 cat /etc/passwd
>                 
>                 
>                 root:x:0:0:root:/root:/bin/bash
>                 daemon:x:1:1:daemon:/usr/sbin:/bin/sh
>                 bin:x:2:2:bin:/bin:/bin/sh
>                 sys:x:3:3:sys:/dev:/bin/sh
>                 sync:x:4:65534:sync:/bin:/bin/sync
>                 games:x:5:60:games:/usr/games:/bin/sh
>                 man:x:6:12:man:/var/cache/man:/bin/sh
>                 lp:x:7:7:lp:/var/spool/lpd:/bin/sh
>                 mail:x:8:8:mail:/var/mail:/bin/sh
>                 news:x:9:9:news:/var/spool/news:/bin/sh
>                 uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
>                 proxy:x:13:13:proxy:/bin:/bin/sh
>                 www-data:x:33:33:www-data:/var/www:/bin/sh
>                 backup:x:34:34:backup:/var/backups:/bin/sh
>                 list:x:38:38:Mailing List Manager:/var/list:/bin/sh
>                 irc:x:39:39:ircd:/var/run/ircd:/bin/sh
>                 gnats:x:41:41:Gnats Bug-Reporting System
>                 (admin):/var/lib/gnats:/bin/sh
>                 nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>                 libuuid:x:100:101::/var/lib/libuuid:/bin/sh
>                 syslog:x:101:103::/home/syslog:/bin/false
>                 messagebus:x:102:105::/var/run/dbus:/bin/false
>                 whoopsie:x:103:107::/nonexistent:/bin/false
>                 landscape:x:104:110::/var/lib/landscape:/bin/false
>                 sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
>                 libvirt-qemu:x:106:106:Libvirt
>                 Qemu,,,:/var/lib/libvirt:/bin/false
>                 libvirt-dnsmasq:x:107:112:Libvirt
>                 Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
>                 jodic:x:1000:1000:jodic,,,:/home/jodic:/bin/bash
>                 
>                 
>                 cd /var/lib/libvirt
>                 sudo ls -l
>                 
>                 
>                 drwx--x--x 2 root         root 4096 Oct  6 01:58 boot
>                 drwxr-xr-x 2 root         root 4096 Oct 30 21:06
>                 dnsmasq
>                 drwxr-xr-x 2 libvirt-qemu root 4096 Oct 31 06:11
>                 drivers
>                 drwx--x--x 2 root         root 4096 Oct  6 01:58
>                 images
>                 drwxr-xr-x 5 libvirt-qemu root 4096 Nov  1 12:56 local
>                 drwxr-xr-x 2 root         root 4096 Nov 12 18:03
>                 network
>                 drwxr-x--- 5 libvirt-qemu kvm  4096 Nov 12 18:11 qemu
>                 drwx------ 2 root         root 4096 Oct  6 01:58
>                 sanlock
>                 drwxr-xr-x 5 libvirt-qemu root 4096 Oct 31 06:22
>                 shared
>                 
>                 
>                 #drivers to be forwarded as filesystem element with
>                 Windows drivers
>                 #local contains volume pools(2) for VM volumes, and
>                 all xml files used to create VM's volumes and pools.
>                 
>                 
>                 sudo usermod -a -G root,kvm jodic
>                 
>                 
>                 chmod 775 /var/lib/libvirt/qemu
>                 #temporary change
>                 
>                 
>                 #libvirt directory permissions are drwxr-xr-x
>                 
>                 
>                 sudo mkdir /var/lib/libvirt/pki
>                 sudo mkdir /var/lib/libvirt/pki/libvirt-spice
>                 
>                 
>                 sudo nano /etc/libvirt/qemu.conf
>                 
>                 
>                 spice_tls = 1
>                 spice_tls_x509_cert_dir =
>                 "/var/lib/libvirt/pki/libvirt-spice"
>                 
>                 
>                 cd /var/lib/libvirt/pki/libvirt-spice
>                 
>                 
>                 sudo openssl genrsa -des3 -out ca-key.pem 1024
>                 sudo openssl req -new -x509 -days 750 -key ca-key.pem
>                 -out ca-cert.pem -utf8 -subj "/CN=Self Signed"
>                 sudo openssl genrsa -out server-key.pem 1024
>                 sudo openssl req -new -key server-key.pem -out
>                 server-key.csr -utf8 -subj "/CN=squealer"
>                 sudo openssl x509 req -days 750 -in server-key.csr -CA
>                 ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out
>                 server-cert.pem
>                 sudo openssl rsa -in server-key.pem -out
>                 server-key.pem.insecure
>                 sudo mv server-key.pem server-key.pem.secure
>                 sudo mv server-key.pem.insecure server-key.pem
>                 
>                 
>                 sudo chown libvirt-qemu /var/lib/libvirt/pki
>                 sudo chown
>                 libvirt-qemu /var/lib/libvirt/pki/libvirt-spice
>                 sudo chown
>                 libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-key.pem
>                 sudo chown
>                 libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
>                 sudo chown
>                 libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
>                 
>                 
>                 #temporary change
>                 sudo chmod 775 /var/lib/libvirt/pki
>                 sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice
>                 sudo chmod
>                 775 /var/lib/libvirt/pki/libvirt-spice/server-key.pem
>                 sudo chmod
>                 775 /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
>                 sudo chmod
>                 775 /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
>                 
>                 
>                 sudo virsh destroy VM11
>                 sudo virsh undefine VM11
>                 
>                 
>                 sudo shutdown -r now
>                 #don't know how to restart service for re-read of
>                 qemu.conf in Ubuntu
>                 
>                 
>                 #Ubuntu offering 28 updates - none related to
>                 virtualization at all
>                 
>                 
>                 sudo apt-get update
>                 sudo apt-get upgrade
>                 
>                 
>                 sudo virsh
>                 define /var/lib/libvirt/local/xml/default-revision7.xml
>                 
>                 
>                 #defined VM11
>                 
>                 
>                 sudo virsh start VM11
>                 
>                 
>                 #started VM11    23:14 ish UK time
>                 
>                 
>                 sudo /var/log/libvirt/qemu/qemu.conf
>                 
>                 
>                 2012-11-12 23:13:44.233+0000: starting up
>                 LC_ALL=C
>                 PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2 -cpu Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,+cmp_legacy,+3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme -enable-kvm -m 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid 35a6984d-0b77-da48-770e-a8fb0c7c284d -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3 -drive file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4 -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1 -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -spice port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/var/lib/libvirt/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter -k en-gb -vga qxl 
>                 -global qxl-vga.vram_size=33554432 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
>                 char device redirected to /dev/pts/2
>                 ((null):8891): Spice-Warning **:
>                 reds.c:3307:reds_init_ssl: Could not load certificates
>                 from /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
>                 ((null):8891): Spice-Warning **:
>                 reds.c:3317:reds_init_ssl: Could not use private key
>                 file
>                 ((null):8891): Spice-Warning **:
>                 reds.c:3325:reds_init_ssl: Could not use CA
>                 file /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
>                 
>                 
>                 sudo virsh destroy VM11
>                 
>                 
>                 #destroyed
>                 
>                 
>                 $ sudo /usr/bin/kvm-spice -monitor stdio -spice
>                 tls-port=5800,x509-dir=/etc/pki/libvirt-spice,disable-ticketing
>                 
>                 
>                 
>                 
>                 #output
>                 
>                 
>                 QEMU 0.12.0 monitor - type 'help' for more information
>                 (qemu)
>                 
>                 
>                 "If you see the same error again, there is something
>                 wrong with
>                 certificates themselves. If not, verify that they are
>                 accessible to the
>                 qemu process - note that it may run under different
>                 user than root and
>                 in addition, it may be confined by SELinux or
>                 AppArmor. I can't speak
>                 for AppArmor but for SELinux, you may need to restore
>                 context of the
>                 files (and directories) to make them accessible for
>                 qemu."
>                 
>                 
>                 I'll begin looking at the permissions and security
>                 tomorrow, although it's stretching my knowledge of
>                 Linux here. I guess the only way to learn is to do,
>                 though.
>                 
>                 
>                 I will likely set up my VMs without security for now
>                 (they are local only) to have something I can dev on,
>                 etc. These are NFS (if the passthrough bug in Ubuntu
>                 kvm-spice doesn't affect the passthrough of a logical
>                 volume to the guest), repos (source code), build and
>                 dev desktop.
>                 
>                 
>                 Thanks again for all the help
>                 
>                 
>                 On Mon, Nov 12, 2012 at 10:40 PM, Jodi Curtis
>                 <jodi.curtis at gmail.com> wrote:
>                         Hi I'm going through the process now logging
>                         everything I am doing.
>                         
>                         
>                         The VM does start BTW; the problem is that it
>                         cannot open the secure channel when
>                         remote-viewer attempts to connect, with qemu
>                         giving those errors in VM11.log. I will post
>                         my new attempt here anyway in a little while,
>                         with a success or failure. I've had some minor
>                         issues with the pki directory, hence removing
>                         and trying again with fully checked
>                         permissions.
>                         
>                         Thanks for the help.
>                         
>                         
>                         On Mon, Nov 12, 2012 at 10:12 PM, David Jaša
>                         <djasa at redhat.com> wrote:
>                                 Jodi Curtis wrote on Mon 12. 11. 2012 at
>                                 19:47 +0000:
>                                 > hi
>                                 >
>                                 > sorry, I should explain that I used
>                                 > squealer as the server name, which
>                                 > matches the hostname; this is aliased
>                                 > to various IPs and domain names in
>                                 > hosts, the usual method. I'll check
>                                 > the local IP is listed in there
>                                 > though. I could try the local IP used
>                                 > to connect.
>                                 >
>                                 
>                                 
>                                 Well, all of these are side problems
>                                 as long as your VMs refuse to
>                                 start... Anyway, given that spice
>                                 knows how to override the CN check
>                                 since its very beginnings (using
>                                 --spice-host-subject option), this is
>                                 no big deal, it's just more convenient
>                                 if you don't have to.
>                                 
>                                 >
>                                 > yes the keys were created in the
>                                 correct directory
>                                 
>                                 
>                                 and you already stated that.
>                                 
>                                 The error message is pretty clear
>                                 though: there is either something
>                                 wrong with certificates themselves or
>                                 qemu can not access them. If you
>                                 can see details of all of them using
>                                 CLI tools, then the certificates
>                                 should be ok. You could verify that
>                                 ultimately by trying to run
>                                 minimalistic qemu manually:
>                                 
>                                 $ sudo /usr/bin/kvm -monitor stdio
>                                 -spice
>                                 tls-port=5800,x509-dir=/etc/pki/libvirt-spice,disable-ticketing
>                                 
>                                 you should see just a message like
>                                 this:
>                                 QEMU 0.12.1 monitor - type 'help' for
>                                 more information
>                                 (qemu)
>                                 
>                                 If you see the same error again, there
>                                 is something wrong with
>                                 certificates themselves. If not,
>                                 verify that they are accessible to the
>                                 qemu process - note that it may run
>                                 under different user than root and
>                                 in addition, it may be confined by
>                                 SELinux or AppArmor. I can't speak
>                                 for AppArmor but for SELinux, you may
>                                 need to restore context of the
>                                 files (and directories) to make them
>                                 accessible for qemu.
>                                 
>                                 David
>                                 
>                                 >
>                                 > On Mon, Nov 12, 2012 at 7:42 PM,
>                                 David Jaša <djasa at redhat.com> wrote:
>                                 >         Jodi Curtis wrote on Mon 12.
>                                 >         11. 2012 at 18:53 +0000:
>                                 >         > Hi
>                                 >         >
>                                 >         >
>                                 >         > Package and OS
>                                 >         >
>                                 ------------------------------
>                                 >         > Ubuntu 12.10
>                                 >         >
>                                 >         > qemu-kvm-spice:
>                                 >         >   Installed:
>                                 1.2.0-2012.09-0ubuntu1
>                                 >         >   Candidate:
>                                 1.2.0-2012.09-0ubuntu1
>                                 >         >   Version table:
>                                 >         >  ***
>                                 1.2.0-2012.09-0ubuntu1 0
>                                 >         >         500
>                                 http://gb.archive.ubuntu.com/ubuntu/
>                                 >         quantal/universe
>                                 >         > amd64 Packages
>                                 >         >
>                                 100 /var/lib/dpkg/status
>                                 >         >
>                                 >         >
>                                 >         > Key Creation
>                                 >         >
>                                 >         > -------------------------
>                                 >         >
>                                 >         >
>                                 >         > openssl genrsa -des3 -out
>                                 ca-key.pem 1024
>                                 >         > openssl req -new -x509
>                                 -days 1095 -key ca-key.pem -out
>                                 >         ca-cert.pem
>                                 >         > -utf8 -subj
>                                 "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
>                                 >         > openssl genrsa -out
>                                 server-key.pem 1024
>                                 >         > openssl req -new -key
>                                 server-key.pem -out server-key.csr
>                                 >         -utf8 -subj
>                                 >         > "/C=IL/L=Raanana/O=Red
>                                 Hat/CN=my server"
>                                 >
>                                 >
>                                 >         (side note here: you can
>                                 >         omit the C, L and O fields;
>                                 >         they are redundant for uses
>                                 >         outside of controlled
>                                 >         environments, but the CN
>                                 >         field should contain the
>                                 >         hostname or IP address of
>                                 >         your server so that you don't
>                                 >         need to override the host
>                                 >         subject)
>                                 >
>                                 >         > openssl x509 -req -days
>                                 1095 -in server-key.csr -CA
>                                 >         ca-cert.pem -CAkey
>                                 >         > ca-key.pem -set_serial 01
>                                 -out server-cert.pem
>                                 >         > openssl rsa -in
>                                 server-key.pem -out
>                                 server-key.pem.insecure
>                                 >         > mv server-key.pem
>                                 server-key.pem.secure
>                                 >         > mv server-key.pem.insecure
>                                 server-key.pem
>                                 >         >
>                                 >
>                                 >
>                                 >         here,
>                                 >
>                                 >         >
>                                 >         > qemu.conf
>                                 >         >
>                                 >         > --------------
>                                 >         >
>                                 >         >
>                                 >         > qemu.conf configuration
>                                 was attempted as default, and
>                                 >         specified using
>                                 >         > an uncommented path
>                                 "/etc/pki/libvirt-spice"
>                                 >         >
>                                 >
>                                 >
>                                 >         here,
>                                 >
>                                 >         >
>                                 >         > spice_tls = 1
>                                 >         >
>                                 >         > # default it to keep them
>                                 in /etc/pki/libvirt-spice. This
>                                 >         directory
>                                 >         >
>                                 >         > # must contain
>                                 >         >
>                                 >         > ...
>                                 >         >
>                                 >         > #spice_tls_x509_cert_dir =
>                                 "/etc/pki/libvirt-spice" (using
>                                 >         the default
>                                 >         > path)
>                                 >         >
>                                 >         > spice_tls_x509_cert_dir =
>                                 >         > "/etc/pki/libvirt-spice" (specifying
>                                 >         > the path directly)
>                                 >         >
>                                 >
>                                 >
>                                 >         and here are the key points.
>                                 Did you copy the
>                                 >         {ca,server}-{key,cert}.pem
>                                 >         files
>                                 to /etc/pki/libvirt-spice?
>                                 >
>                                 >         David
>                                 >
>                                 >         >
>                                 >         > Permissions
>                                 >         >
>                                 >         > -------------
>                                 >         >
>                                 >         > Permissions were tested
>                                 set as default (assumed root or my
>                                 >         account)
>                                 >         > and
>                                 >         >
>                                 >         > sudo chown
>                                 libvirt-qemu /etc/pki/libvirt-spice/
>                                 >         >
>                                 >         > sudo chown
>                                 libvirt-qemu /etc/pki/libvirt-spice/<filenames of
>                                 >         files>
>                                 >         >
>                                 >         >
>                                 >         >
>                                 >         > Error Reported
>                                 >         > -------------------------
>                                 >         >
>                                 >         >
>                                 >         > sudo
>                                 nano /var/log/libvirt/qemu/VM11.log
>                                 >         >
>                                 >         >
>                                 >         > qemu: terminating on
>                                 signal 15 from pid 1417
>                                 >         > 2012-11-12 18:11:24.586
>                                 +0000: shutting down
>                                 >         > 2012-11-12 18:11:29.698
>                                 +0000: starting up
>                                 >         > LC_ALL=C
>                                 >         >
>                                 >
>                                 PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin
>                                 >         >
>                                 QEMU_AUDIO_DRV=spice /usr/bin/kvm
>                                 -name VM11 -S -M pc-1.2
>                                 >         -cpu
>                                 >         > Opteron_G3,+ibs,+osvw,
>                                 +3dnowprefetch,+cr8legacy,+extapic,
>                                 >         +cmp_legacy,
>                                 >         > +3dnow,+3dnowext,+pdpe1gb,
>                                 +fxsr_opt,+mmxext,+ht,+vme
>                                 >         -enable-kvm -m
>                                 >         > 2048 -smp
>                                 1,sockets=1,cores=1,threads=1 -uuid
>                                 >         >
>                                 35a6984d-0b77-da48-770e-a8fb0c7c284d
>                                 -no-user-config
>                                 >         -nodefaults
>                                 >         > -chardev
>                                 >         >
>                                 >
>                                 socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3 -drive file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4 -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1 -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -spice port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/etc/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter -k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
>                                 >         > char device redirected to /dev/pts/1
>                                 >         > ((null):1916): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from /etc/pki/libvirt-spice/server-cert.pem
>                                 >         > ((null):1916): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file
>                                 >         > ((null):1916): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file /etc/pki/libvirt-spice/ca-cert.pem
>                                 >         >
>                                 >         > Certificates
>                                 >         > --------------------
>                                 >         > I was able to open and read the files using the various commands similar to sudo openssl x509 -noout -text -in ca-cert.pem
>                                 >         >
>                                 >         > I did wonder if it is rejecting the CA as some security feature, I hope this is of use.
>                                 >         > I chose libvirt-qemu, as this is the account closest to the Red Hat/Fedora account name used "qemu"
>                                 >         >
>                                 >         > Creation
>                                 >         > ---------------
>                                 >         > creation was via an XML definition followed by calling virsh define <path>, virsh start VM11
>                                 >         >
>                                 >         > I have tried to keep most files inside the libvirt tree to try to avoid permission errors, the configuration has two volume pools, specified inside /var/lib/libvirt/local/<pool-name> (which are mounted to other drives, and operate without problem)
>                                 >         >
>                                 >         > The volumes used are vmdk volumes (for performance reasons), one inside each pool, for fixed allocation and sparse type allocation, not that this matters but it gives you an idea of what the setup is like.
>                                 >         >
>                                 >         > Location content
>                                 >         >
>                                 >         > jodic at squealer:/etc/pki/libvirt-spice$ dir
>                                 >         > ca-cert.pem  server-cert.pem  server-key.pem
>                                 >         > ca-key.pem   server-key.csr   server-key.pem.secure
>                                 >         >
>                                 >         > I could try using a location without the qemu tree to try to rule out some permission problems. I'll go through it again in a little bit
>                                 >         >
>                                 >         > On Mon, Nov 12, 2012 at 6:11 PM, David Jaša <djasa at redhat.com> wrote:
>                                 >         >         Before reporting a bug, could we rule out misconfiguration possibility entirely?
>                                 >         >
>                                 >         >         1) do you use libvirt?
>                                 >         >         2) if so, do you use system session or per-user session?
>                                 >         >         3) could you look at qemu command line? If you use libvirt, you'll find it in /var/log/libvirt/qemu/VM_NAME.log
>                                 >         >         4) at the libvirt command file, is there '... -spice ...,x509-(dir|ca...|server),... ' entry?
>                                 >         >         5) if the x509 directive is x509-dir, does "qemu-kvm -spice tls-port=12345,x509-dir=DIR,disable-ticketing" command throw the same error?
>                                 >         >            (the same goes for per-file x509 options)
>                                 >         >         6) if it is indeed a problem, is it a permission issue or are the files empty or are they invalid?
>                                 >         >
>                                 >         >         (...)
>                                 >         >
>                                 >         >         David
>                                 >         >
>                                 >         >         Jodi Curtis wrote on Mon 12. 11. 2012 at 17:55 +0000:
>                                 >         >         > Hi
>                                 >         >         >
>                                 >         >         > I've used the directory correctly on qemu.conf, I've seen these problems relating to Red Hat/oVirt, where it wasn't set despite being set in qemu.conf, so I will probably file a bug report with Ubuntu on this one.
>                                 >         >         >
>                                 >         >         > The red-hat solution isn't valid for Ubuntu.
>                                 >         >         >
>                                 >         >         > Thanks
>                                 >         >         >
>                                 >         >         > On Mon, Nov 12, 2012 at 5:49 PM, David Jaša <djasa at redhat.com> wrote:
>                                 >         >         >         Jodi Curtis wrote on Mon 12. 11. 2012 at 17:31 +0000:
>                                 >         >         >         > Hi
>                                 >         >         >         >
>                                 >         >         >         > Thanks, I found the method in the end, my current problem is related to a problem with Ubuntu/SSL/Spice, so not really your software, I have asked for help from a Linux admin, but it's detailed below for the record, I've gone through the key making process twice, and rebooted, obviously paths have been checked and qemu.conf has been set as required
>                                 >         >         >         >
>                                 >         >         >         > ((null):2176): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from server-cert.pem
>                                 >         >         >         > ((null):2176): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file
>                                 >         >         >         > ((null):2176): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file
>                                 >         >         >
>                                 >         >         >         Assuming that your cert/key files are correct and in place, this looks like incorrect x509-dir option of qemu cli or spice_tls_x509_cert_dir directive of /etc/libvirt/qemu.conf pointing to a wrong directory. Just a configuration issue.
>                                 >         >         >
>                                 >         >         >         David
>                                 >         >         >
>                                 >         >         >         >
>                                 >         >         >         > There is very little obvious on the internet, so am trying to identify if it's a common SSL or config problem, or if I should file a bug report with Ubuntu kvm-spice
>                                 >         >         >         >
>                                 >         >         >         > Jodi
>                                 >         >         >         >
>                                 >         >         >         > On Mon, Nov 12, 2012 at 12:12 PM, David Jaša <djasa at redhat.com> wrote:
>                                 >         >         >         >         Hi Jodi,
>                                 >         >         >         >
>                                 >         >         >         >         You can find full tls-enabled remote-viewer invocation in this oVirt wiki page:
>                                 >         >         >         >         http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal
>                                 >         >         >         >
>                                 >         >         >         >         David
>                                 >         >         >         >
>                                 >         >         >         >         Jodi Curtis wrote on Sun 11. 11. 2012 at 23:28 +0000:
>                                 >         >         >         >         > Hi
>                                 >         >         >         >         >
>                                 >         >         >         >         > I'm having trouble connecting to a spice server with tls enabled through virt-viewer on windows, I have tls configured and a ca-cert.pem file, but I don't know where to put it, or what to use
>                                 >         >         >         >         >
>                                 >         >         >         >         > I have tried various combinations of spice://192.168.2.140:590x
>                                 >         >         >         >         >
>                                 >         >         >         >         > I have tried adding +ssh or +tls, I have tried adding the ca-cert.pem file to the location used by the spicec page that covers how to set up tls, and I have tried adding my username before the IP.
>                                 >         >         >         >         >
>                                 >         >         >         >         > I have tried connecting to both ports.
>                                 >         >         >         >         >
>                                 >         >         >         >         > Any help on what it should be, or if there is an alternative to virt-viewer on windows that I need to use for the secure connection.
>                                 >         >         >         >         >
>                                 >         >         >         >         > Thanks
>                                 >         >         >         >         >
> 
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/spice-devel

-- 

David Jaša, RHCE

SPICE QE based in Brno
GPG Key:     22C33E24 
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
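The triage David's quoted checklist asks for (is x509-dir pointing at the right place, are the files present, empty, unreadable or invalid) can be scripted. The following is an added example written for this page, not code from the thread, from SPICE or from libvirt. It assumes the three file names qemu looks for in an x509-dir are the ones in Jodi's listing (ca-cert.pem, server-cert.pem, server-key.pem); the PEM check is structural only (a base64 body that decodes to a DER SEQUENCE), so it catches empty, truncated or swapped files but does not replace `openssl x509 -noout -text -in FILE`. The `demo()` scenarios use a constructed DER stub, not real certificates.

```python
"""Triage an x509 directory for qemu's "-spice ...,x509-dir=DIR" option.
Added example, not code from the thread, SPICE or libvirt. PEM check is
structural; use openssl for full validation."""
import base64
import os
import re
import stat
import tempfile

# Expected files (names from the thread's listing) and the PEM label each must hold.
EXPECTED = {
    "ca-cert.pem": "CERTIFICATE",
    "server-cert.pem": "CERTIFICATE",
    "server-key.pem": "PRIVATE KEY",   # suffix also matches "RSA PRIVATE KEY" etc.
}

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, der) for each well-formed PEM block; drop blocks whose body
    is not base64 or whose DER lacks the SEQUENCE tag (0x30) every cert/key has."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:          # binascii.Error is a ValueError
            continue
        if der[:1] == b"\x30":
            blocks.append((label, der))
    return blocks


def check_x509_dir(path):
    """Return a list of problems (empty = passes): wrong directory, missing,
    empty, unreadable or invalid files, plus a world-readable private key."""
    if not os.path.isdir(path):
        return ["%s: not a directory" % path]
    problems = []
    for name, want in EXPECTED.items():
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            problems.append("%s: missing" % name)
            continue
        st = os.stat(full)
        if st.st_size == 0:
            problems.append("%s: empty file" % name)
            continue
        if not os.access(full, os.R_OK):   # run as the qemu account for a true answer
            problems.append("%s: not readable by this user" % name)
            continue
        with open(full, "r", errors="replace") as fh:
            labels = [label for label, _ in pem_blocks(fh.read())]
        if not any(label.endswith(want) for label in labels):
            problems.append("%s: no valid %s block (found: %s)"
                            % (name, want, ", ".join(labels) or "nothing parseable"))
        if want == "PRIVATE KEY" and st.st_mode & stat.S_IROTH:
            problems.append("%s: world-readable private key (mode %o)"
                            % (name, stat.S_IMODE(st.st_mode)))
    return problems


def _write(path, data, mode):
    with open(path, "w") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo():
    """Run the checks on constructed directories under a temp root. PEM bodies
    are a synthetic DER stub (SEQUENCE { INTEGER 1 }), not real certs or keys."""
    stub = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

    def pem(label):
        return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, stub, label)

    good = {"ca-cert.pem": pem("CERTIFICATE"),
            "server-cert.pem": pem("CERTIFICATE"),
            "server-key.pem": pem("RSA PRIVATE KEY")}
    cases = {
        "good": good,                                                     # key mode 0600
        "empty_key": dict(good, **{"server-key.pem": ""}),                # zero-byte key
        "missing_ca": {k: v for k, v in good.items() if k != "ca-cert.pem"},
        "swapped": dict(good, **{"server-key.pem": pem("CERTIFICATE")}),  # cert saved as key
        "loose_key": good,                                                # key left 0644
    }
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for case, files in cases.items():
            d = os.path.join(root, case)
            os.mkdir(d)
            key_mode = 0o644 if case == "loose_key" else 0o600
            for name, data in files.items():
                _write(os.path.join(d, name), data,
                       key_mode if name == "server-key.pem" else 0o644)
            results[case] = check_x509_dir(d)
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/pki/libvirt-spice"
    for line in check_x509_dir(target) or ["%s: no problems found" % target]:
        print(line)
```

Run it as the account qemu actually runs under (libvirt-qemu on the Ubuntu host in this thread) so the readability check reflects the real reader rather than root. File mode and ownership checks do not see mandatory access control: an AppArmor or SELinux policy can still deny the read even when every check here passes, which is why a directory that looks fine to this script can still produce the reds_init_ssl warnings quoted above.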





More information about the Spice-devel mailing list