[Spice-devel] virt viewer from windows to spice server with tls and certificate file problems (what uri?)
David Jaša
djasa at redhat.com
Tue Nov 13 08:58:38 PST 2012
I think it is something different but I can't say it for sure unless I
see the exact message...
Jodi Curtis wrote on Tue, 13 Nov 2012 at 16:26 +0000:
> My latest issue is the error spice warning spice channels 1 should be
> encrypted, I'm guessing this is an authentication issue with my
> attempts to connect?
>
> On Tue, Nov 13, 2012 at 7:37 AM, Jodi Curtis <jodi.curtis at gmail.com>
> wrote:
> The VM seems to start without complaints after adding the key
> directory after /etc/pki/libvirt-vnc** r, in an identical
> format within the apparmor.d config file
Ubuntu docs should probably be updated about the need to copy certs/keys to
the default directory OR the need to update the AppArmor configuration if a
custom directory is used.
David
>
> I haven't really slept much so I will check login after
> sleeping
>
>
> On Mon, Nov 12, 2012 at 11:33 PM, Jodi Curtis
> <jodi.curtis at gmail.com> wrote:
> Hi
>
>
> Copy of attempt so far, hopefully this will be useful
> to have online, I will carry on tomorrow!
>
>
> /etc/hostname
>
>
> squealer
>
>
> /etc/hosts
>
>
> 127.0.0.1 localhost squealer squealer.maiakaat.co.uk
> maiakaat.co.uk www.maiakaat.co.uk
> 192.168.2.140 localhost squealer
> squealer.maiakaat.co.uk maiakaat.co.uk
> www.maiakaat.co.uk
>
>
> cat /etc/passwd
>
>
> root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
> bin:x:2:2:bin:/bin:/bin/sh
> sys:x:3:3:sys:/dev:/bin/sh
> sync:x:4:65534:sync:/bin:/bin/sync
> games:x:5:60:games:/usr/games:/bin/sh
> man:x:6:12:man:/var/cache/man:/bin/sh
> lp:x:7:7:lp:/var/spool/lpd:/bin/sh
> mail:x:8:8:mail:/var/mail:/bin/sh
> news:x:9:9:news:/var/spool/news:/bin/sh
> uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
> proxy:x:13:13:proxy:/bin:/bin/sh
> www-data:x:33:33:www-data:/var/www:/bin/sh
> backup:x:34:34:backup:/var/backups:/bin/sh
> list:x:38:38:Mailing List Manager:/var/list:/bin/sh
> irc:x:39:39:ircd:/var/run/ircd:/bin/sh
> gnats:x:41:41:Gnats Bug-Reporting System
> (admin):/var/lib/gnats:/bin/sh
> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
> libuuid:x:100:101::/var/lib/libuuid:/bin/sh
> syslog:x:101:103::/home/syslog:/bin/false
> messagebus:x:102:105::/var/run/dbus:/bin/false
> whoopsie:x:103:107::/nonexistent:/bin/false
> landscape:x:104:110::/var/lib/landscape:/bin/false
> sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
> libvirt-qemu:x:106:106:Libvirt
> Qemu,,,:/var/lib/libvirt:/bin/false
> libvirt-dnsmasq:x:107:112:Libvirt
> Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
> jodic:x:1000:1000:jodic,,,:/home/jodic:/bin/bash
>
>
> cd /var/lib/libvirt
> sudo ls -l
>
>
> drwx--x--x 2 root root 4096 Oct 6 01:58 boot
> drwxr-xr-x 2 root root 4096 Oct 30 21:06
> dnsmasq
> drwxr-xr-x 2 libvirt-qemu root 4096 Oct 31 06:11
> drivers
> drwx--x--x 2 root root 4096 Oct 6 01:58
> images
> drwxr-xr-x 5 libvirt-qemu root 4096 Nov 1 12:56 local
> drwxr-xr-x 2 root root 4096 Nov 12 18:03
> network
> drwxr-x--- 5 libvirt-qemu kvm 4096 Nov 12 18:11 qemu
> drwx------ 2 root root 4096 Oct 6 01:58
> sanlock
> drwxr-xr-x 5 libvirt-qemu root 4096 Oct 31 06:22
> shared
>
>
> #drivers to be forwarded as filesystem element with
> Windows drivers
> #local contains volume pools(2) for VM volumes, and
> all xml files used to create VM's volumes and pools.
>
>
> sudo usermod -a -G root,kvm jodic
>
>
> chmod 775 /var/lib/libvirt/qemu
> #temporary change
>
>
> #libvirt directory permissions are drwxr-xr-x
>
>
> sudo mkdir /var/lib/libvirt/pki
> sudo mkdir /var/lib/libvirt/pki/libvirt-spice
>
>
> sudo nano /etc/libvirt/qemu.conf
>
>
> spice_tls = 1
> spice_tls_x509_cert_dir = "/var/lib/libvirt/pki/libvirt-spice"
>
>
> cd /var/lib/libvirt/pki/libvirt-spice
>
>
> sudo openssl genrsa -des3 -out ca-key.pem 1024
> sudo openssl req -new -x509 -days 750 -key ca-key.pem -out ca-cert.pem -utf8 -subj "/CN=Self Signed"
> sudo openssl genrsa -out server-key.pem 1024
> sudo openssl req -new -key server-key.pem -out server-key.csr -utf8 -subj "/CN=squealer"
> sudo openssl x509 -req -days 750 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
> sudo openssl rsa -in server-key.pem -out server-key.pem.insecure
> sudo mv server-key.pem server-key.pem.secure
> sudo mv server-key.pem.insecure server-key.pem
>
>
> sudo chown libvirt-qemu /var/lib/libvirt/pki
> sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice
> sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-key.pem
> sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
> sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
>
>
> #temporary change
> sudo chmod 775 /var/lib/libvirt/pki
> sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice
> sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/server-key.pem
> sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
> sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
>
>
> sudo virsh destroy VM11
> sudo virsh undefine VM11
>
>
> sudo shutdown -r now
> #don't know how to restart service for re-read of
> qemu.conf in Ubuntu
>
>
> #Ubuntu offering 28 updates - none related to
> virtualization at all
>
>
> sudo apt-get update
> sudo apt-get upgrade
>
>
> sudo virsh define /var/lib/libvirt/local/xml/default-revision7.xml
>
>
> #defined VM11
>
>
> sudo virsh start VM11
>
>
> #started VM11 23:14 ish UK time
>
>
> sudo /var/log/libvirt/qemu/qemu.conf
>
>
> 2012-11-12 23:13:44.233+0000: starting up
> LC_ALL=C
> PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2 -cpu Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,+cmp_legacy,+3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme -enable-kvm -m 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid 35a6984d-0b77-da48-770e-a8fb0c7c284d -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3 -drive file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4 -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1 -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -spice port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/var/lib/libvirt/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter -k en-gb -vga qxl -global 
qxl-vga.vram_size=33554432 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
> char device redirected to /dev/pts/2
> ((null):8891): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
> ((null):8891): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file
> ((null):8891): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
>
>
> sudo virsh destroy VM11
>
>
> #destroyed
>
>
> $ sudo /usr/bin/kvm-spice -monitor stdio -spice tls-port=5800,x509-dir=/etc/pki/libvirt-spice,disable-ticketing
>
>
>
>
> #output
>
>
> QEMU 0.12.0 monitor - type 'help' for more information
> (qemu)
>
>
> "If you see the same error again, there is something wrong with
> certificates themselves. If not, verify that they are accessible to the
> qemu process - note that it may run under different user than root and
> in addition, it may be confined by SELinux or AppArmor. I can't speak
> for AppArmor but for SELinux, you may need to restore context of the
> files (and directories) to make them accessible for qemu."
>
>
> I'll begin looking at the permissions and security tomorrow, although
> it's stretching my knowledge of Linux here, I guess the only way to
> learn is to do though.
>
>
> I will likely set up my vm's without security for now
> (they are local only) to have something I can dev on
> etc
> These are nfs (if the passthrough bug in ubuntu
> kvm-spice doesn't affect the passthrough of a logical
> volume to the guest, repos (source code), build and
> dev desktop
>
>
> Thanks again for all the help
>
>
> On Mon, Nov 12, 2012 at 10:40 PM, Jodi Curtis
> <jodi.curtis at gmail.com> wrote:
> Hi I'm going through the process now logging
> everything I am doing.
>
>
> The VM does start BTW, the problem is that it cannot open the secure
> channel from remote-viewer attempts to connect, with qemu giving those
> errors in VM11.log. I will post my new attempt here anyway in a little
> while, with a success or failure, I've had some minor issues with the
> pki directory, hence removing and trying again with fully checked
> permissions.
>
> Thanks for the help.
>
>
> On Mon, Nov 12, 2012 at 10:12 PM, David Jaša
> <djasa at redhat.com> wrote:
> Jodi Curtis wrote on Mon, 12 Nov 2012 at 19:47 +0000:
> > hi
> >
> >
> > sorry I should explain that I used
> squealer as the server name which
> > matches the hostname, this is
> aliased to various ip's and domain
> names
> > in hosts, the usual method, I'll
> check the local ip is listed in there
> > though,I could try the local ip used
> to connect .
> >
>
>
> Well, all of these are side problems as long as your VMs refuse to
> start... Anyway, given that spice knows how to override the CN check
> since its very beginnings (using --spice-host-subject option), this is
> no big deal, it's just more convenient if you don't have to.
>
> >
> > yes the keys were created in the
> correct directory
>
>
> and you already stated that.
>
> The error message is pretty clear though: there is either something
> wrong with certificates themselves or qemu can not access them. If you
> can see details of all of them using CLI tools, then the certificates
> should be ok. You could verify that ultimately by trying to run
> minimalistic qemu manually:
>
> $ sudo /usr/bin/kvm -monitor stdio -spice tls-port=5800,x509-dir=/etc/pki/libvirt-spice,disable-ticketing
>
> you should see just a message like this:
> QEMU 0.12.1 monitor - type 'help' for more information
> (qemu)
>
> If you see the same error again, there is something wrong with
> certificates themselves. If not, verify that they are accessible to the
> qemu process - note that it may run under different user than root and
> in addition, it may be confined by SELinux or AppArmor. I can't speak
> for AppArmor but for SELinux, you may need to restore context of the
> files (and directories) to make them accessible for qemu.
>
> David
>
> >
> > On Mon, Nov 12, 2012 at 7:42 PM,
> David Jaša <djasa at redhat.com> wrote:
> > Jodi Curtis wrote on Mon, 12 Nov 2012 at 18:53 +0000:
> > > Hi
> > >
> > >
> > > Package and OS
> > >
> ------------------------------
> > > Ubuntu 12.10
> > >
> > > qemu-kvm-spice:
> > > Installed:
> 1.2.0-2012.09-0ubuntu1
> > > Candidate:
> 1.2.0-2012.09-0ubuntu1
> > > Version table:
> > > ***
> 1.2.0-2012.09-0ubuntu1 0
> > > 500
> http://gb.archive.ubuntu.com/ubuntu/
> > quantal/universe
> > > amd64 Packages
> > >
> 100 /var/lib/dpkg/status
> > >
> > >
> > > Key Creation
> > >
> > > -------------------------
> > >
> > >
> > > openssl genrsa -des3 -out ca-key.pem 1024
> > > openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -utf8 -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
> > > openssl genrsa -out server-key.pem 1024
> > > openssl req -new -key server-key.pem -out server-key.csr -utf8 -subj "/C=IL/L=Raanana/O=Red Hat/CN=my server"
> >
> >
> > (side note here: you can omit C, L and O fields are redundant for uses
> > outside of controlled environments but CN field should contain hostname
> > or IP address of your server so that you don't need to override the host
> > subject)
> >
> > > openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
> > > openssl rsa -in server-key.pem -out server-key.pem.insecure
> > > mv server-key.pem server-key.pem.secure
> > > mv server-key.pem.insecure server-key.pem
> > >
> >
> >
> > here,
> >
> > >
> > > qemu.conf
> > >
> > > --------------
> > >
> > >
> > > qemu.conf configuration
> was attempted as default, and
> > specified using
> > > an uncommented path
> "/etc/pki/libvirt-spice"
> > >
> >
> >
> > here,
> >
> > >
> > > spice_tls = 1
> > >
> > > # default it to keep them
> in /etc/pki/libvirt-spice. This
> > directory
> > >
> > > # must contain
> > >
> > > ...
> > >
> > > #spice_tls_x509_cert_dir =
> "/etc/pki/libvirt-spice" (using
> > the default
> > > path)
> > >
> > > spice_tls_x509_cert_dir =
> >
> "/etc/pki/libvirt-spice" (specifiying
> the
> > > path directly)
> > >
> >
> >
> > and here are the key points. Did you copy the {ca,server}-{key,cert}.pem
> > files to /etc/pki/libvirt-spice?
> >
> > David
> >
> > >
> > > Permissions
> > >
> > > -------------
> > >
> > > Permissions were tested
> set as default (assumed root or my
> > account)
> > > and
> > >
> > > sudo chown
> libvirt-qemu /etc/pki/libvirt-spice/
> > >
> > > sudo chown
> libvirt-qemu /etc/pki/libvirt-spice/<filenames of
> > files>
> > >
> > >
> > >
> > > Error Reported
> > > -------------------------
> > >
> > >
> > > sudo
> nano /var/log/libvirt/qemu/VM11.log
> > >
> > >
> > > qemu: terminating on
> signal 15 from pid 1417
> > > 2012-11-12 18:11:24.586
> +0000: shutting down
> > > 2012-11-12 18:11:29.698
> +0000: starting up
> > > LC_ALL=C
> > >
> >
> PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin
> > >
> QEMU_AUDIO_DRV=spice /usr/bin/kvm
> -name VM11 -S -M pc-1.2
> > -cpu
> > > Opteron_G3,+ibs,+osvw,
> +3dnowprefetch,+cr8legacy,+extapic,
> > +cmp_legacy,
> > > +3dnow,+3dnowext,+pdpe1gb,
> +fxsr_opt,+mmxext,+ht,+vme
> > -enable-kvm -m
> > > 2048 -smp
> 1,sockets=1,cores=1,threads=1 -uuid
> > >
> 35a6984d-0b77-da48-770e-a8fb0c7c284d
> -no-user-config
> > -nodefaults
> > > -chardev
> > >
> >
> socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3 -drive file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4 -drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1 -netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -spice port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/etc/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter -k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
> > > char device redirected
> to /dev/pts/1
> > > ((null):1916): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from /etc/pki/libvirt-spice/server-cert.pem
> > > ((null):1916): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file
> > > ((null):1916): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file /etc/pki/libvirt-spice/ca-cert.pem
> > >
> > >
> > >
> > >
> > > Certificates
> > > --------------------
> > > I was able to open and
> read the files using the various
> > commands
> > > similar to sudo openssl
> x509 -noout -text -in ca-cert.pem
> > >
> > >
> > > I did wonder if it is
> rejecting the CA as some security
> > feature, I
> > > hope this is of use.
> > > I chose libvirt-qemu, as
> this is the account closed to the
> > Red
> > > Hat/Fedora account name
> used "qemu"
> > >
> > >
> > >
> > >
> > > Creation
> > > ---------------
> > >
> > >
> > > creation was via an XML
> definition followed by calling virsh
> > define
> > > <path>, virsh start VM11
> > >
> > >
> > > I have tried to keep most
> files inside the libvirt tree to
> > try to
> > > avoid permission errors,
> the configuration has two volume
> > pools,
> > > specified
> inside /var/lib/libvirt/local/<pool-name> (which
> > are mounted
> > > to other drives, and
> operate without problem)
> > >
> > >
> > > The volumes used are vmdk
> volumes (for performance reasons)
> > one inside
> > > each pool, for fixed
> allocation and sparse type
> allocation),
> > not that
> > > this matters but it gives
> you an idea of what the setup is
> > like.
> > >
> > >
> > >
> > >
> > >
> > >
> > > Location content
> > >
> > >
> > >
> > >
> > >
> jodic at squealer:/etc/pki/libvirt-spice$
> dir
> > > ca-cert.pem
> server-cert.pem server-key.pem
> > > ca-key.pem
> server-key.csr server-key.pem.secure
> > >
> > >
> > > I could try using a
> location without the qemu tree to try
> to
> > rule out
> > > some permission problems.
> I'll go through it again in a
> > little bit
> > >
> > >
> > >
> > >
> > >
> > >
> > > On Mon, Nov 12, 2012 at
> 6:11 PM, David Jaša
> > <djasa at redhat.com> wrote:
> > > Before reporting a bug, could we rule out misconfiguration
> > > possibility entirely?
> > >
> > > 1) do you use libvirt?
> > > 2) if so, do you use system session or per-user session?
> > > 3) could you look at qemu command line? If you use libvirt,
> > >    you'll find it in /var/log/libvirt/qemu/VM_NAME.log
> > > 4) at the libvirt command file, is there
> > >    '... -spice ...,x509-(dir|ca...|server),... ' entry?
> > > 5) if the x509 directive is x509-dir, does "qemu-kvm -spice
> > >    tls-port=12345,x509-dir=DIR,disable-ticketing" command throw
> > >    the same error? (the same goes for per-file x509 options)
> > > 6) if it is indeed a problem, is it permission issue or are
> > >    the files empty or are they invalid?
> > >
> > > (...)
> > >
> > > David
> > >
> > >
> > > Jodi Curtis wrote on Mon, 12 Nov 2012 at 17:55 +0000:
> > > > Hi
> > > >
> > > >
> > > > I've used the
> directory correctly on qemu.conf,
> > I've seen
> > > these
> > > > problems
> relating to Red Hat/oVirt, where it
> > wasn't set
> > > despite being
> > > > set in
> qemu.conf, so I will probably file a
> bug
> > report with
> > > Ubuntu on
> > > > this one.
> > > >
> > > >
> > > > The red-hat
> solution isn't valid for Ubuntu.
> > > >
> > > >
> > > > Thanks
> > > >
> > > > On Mon, Nov 12,
> 2012 at 5:49 PM, David Jaša
> > > <djasa at redhat.com>
> wrote:
> > > > Jodi Curtis wrote on Mon, 12 Nov 2012 at 17:31 +0000:
> > > > > Hi
> > > > >
> > > > >
> > > > >
> Thanks, I found the method in the end,
> > my current
> > > problem is
> > > > related
> > > > > to a
> problem with Ubuntu/SSL/Spice, so
> > not really
> > > your
> > > >
> software, I
> > > > > have
> asked for help from a Linux admin,
> > but its
> > > detailed
> > > > below
> for the
> > > > >
> record, I've gone through the key
> making
> > proces
> > > twice, and
> > > >
> rebooted,
> > > > >
> obviously paths have been checked and
> > qemu.conf
> > > has been set
> > > > as
> > > > >
> required
> > > > >
> > > > >
> > > > >
> > > > > ((null):2176): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from server-cert.pem
> > > > > ((null):2176): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file
> > > > > ((null):2176): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file
> > > >
> > > >
> > > > Assuming that your cert/key files are correct and in place,
> > > > this looks like incorrect x509-dir option of qemu cli or
> > > > spice_tls_x509_cert_dir directive of /etc/libvirt/qemu.conf
> > > > pointing to a wrong directory. Just a configuration issue.
> > > >
> > > > David
> > > >
> > > > >
> > > > >
> > > > > There
> is very little obvious on the
> > internet, so
> > > am trying
> > > > to
> identify
> > > > > if its
> a common SSL or config problem,
> > or if I
> > > should file a
> > > > bug
> > > > > report
> with Ubuntu kvm-spice
> > > > >
> > > > >
> > > > > Jodi
> > > > >
> > > > >
> > > > > On
> Mon, Nov 12, 2012 at 12:12 PM, David
> > Jaša
> > > >
> <djasa at redhat.com> wrote:
> > > > >
> Hi Jodi,
> > > > >
> > > > >
> You can find full tls-enabled
> > > remote-viewer
> > > >
> invocation in this
> > > > >
> oVirt
> > > > >
> wiki page:
> > > > >
> > > >
> > >
> >
> http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal
> > > > >
> > > > >
> David
> > > > >
> > > > >
> > > > >
> Jodi Curtis wrote on Sun, 11 Nov 2012 at 23:28 +0000:
> > > > >
> > Hi
> > > > >
> >
> > > > >
> >
> > > > >
> > I'm having trouble connecting
> > to a spice
> > > server
> > > > with tls
> > > > >
> enabled
> > > > >
> > through virt-viewer on
> > windows, I have
> > > tls
> > > >
> configured and a
> > > > >
> > ca-cert.pem file, but I don't
> > know where
> > > to put
> > > > it, or
> what
> > > > >
> to use
> > > > >
> >
> > > > >
> >
> > > > >
> > I have tried various
> > combinations of
> > > > >
> spice://192.168.2.140:590x
> > > > >
> >
> > > > >
> >
> > > > >
> > I have tried adding +ssh or
> > +tls, I have
> > > tried
> > > > adding
> the
> > > > >
> ca-cert.pem
> > > > >
> > file to the location used by
> > the spicec
> > > page that
> > > > covers
> how
> > > > >
> to set up
> > > > >
> > tls, and I have tried adding
> > my username
> > > before
> > > > the IP.
> > > > >
> >
> > > > >
> > I have tried connecting to
> > both ports.
> > > > >
> >
> > > > >
> >
> > > > >
> > Any help on what it should be,
> > or if
> > > there is an
> > > >
> alternative
> > > > >
> to
> > > > >
> > virt-viewer on windows that I
> > need to
> > > use for the
> > > > secure
> > > > >
> connection.
> > > > >
> >
> > > > >
> >
> > > > >
> > Thanks
> > > > >
> > > > >
> >
> > >
> _______________________________________________
> > > > >
> > Spice-devel mailing list
> > > > >
> >
> >
> Spice-devel at lists.freedesktop.org
> > > > >
> >
> > > >
> > >
> >
> http://lists.freedesktop.org/mailman/listinfo/spice-devel
> > > > >
> > > > >
> --
> > > > >
> > > > >
> David Jaša, RHCE
> > > > >
> > > > >
> SPICE QE based in Brno
> > > > >
> GPG Key: 22C33E24
> > > > >
> Fingerprint: 513A 060B D1B4 2A72
> > 7F0D 0278
> > > B125 CD00
> > > > 22C3
> 3E24
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> >
> _______________________________________________
> > > > >
> Spice-devel mailing list
> > > > >
> Spice-devel at lists.freedesktop.org
> > > > >
> > >
> >
> http://lists.freedesktop.org/mailman/listinfo/spice-devel
> > > >
> > > > --
> > > >
> > > > David
> Jaša, RHCE
> > > >
> > > > SPICE QE
> based in Brno
> > > > GPG Key:
> 22C33E24
> > > >
> Fingerprint: 513A 060B D1B4 2A72 7F0D
> 0278
> > B125 CD00
> > > 22C3 3E24
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > > --
> > >
> > > David Jaša, RHCE
> > >
> > > SPICE QE based in
> Brno
> > > GPG Key:
> 22C33E24
> > > Fingerprint: 513A
> 060B D1B4 2A72 7F0D 0278 B125 CD00
> > 22C3 3E24
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> _______________________________________________
> > > Spice-devel mailing list
> > >
> Spice-devel at lists.freedesktop.org
> > >
> http://lists.freedesktop.org/mailman/listinfo/spice-devel
> >
> > --
> >
> > David Jaša, RHCE
> >
> > SPICE QE based in Brno
> > GPG Key: 22C33E24
> > Fingerprint: 513A 060B D1B4
> 2A72 7F0D 0278 B125 CD00 22C3 3E24
> >
> >
> >
> >
> >
> >
> >
> _______________________________________________
> > Spice-devel mailing list
> > Spice-devel at lists.freedesktop.org
> >
> http://lists.freedesktop.org/mailman/listinfo/spice-devel
>
> --
>
> David Jaša, RHCE
>
> SPICE QE based in Brno
> GPG Key: 22C33E24
> Fingerprint: 513A 060B D1B4 2A72 7F0D
> 0278 B125 CD00 22C3 3E24
>
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/spice-devel
--
David Jaša, RHCE
SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
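
The checks discussed in this thread (certificate files present and not empty, accessible to the account qemu runs as, covered by the AppArmor configuration) can be scripted. The following is an added example, not code from the thread or from SPICE/libvirt; the function names, the `FINDING:` output format and the optional AppArmor file argument are assumptions, and the access test looks at mode bits only.

```shell
#!/bin/sh
# Added example: audit a SPICE x509-dir for the failure causes raised in this thread.
# Usage (as root): audit_spice_x509 DIR QEMU_USER [APPARMOR_FILE]

# has_access PATH UID "GIDS" r|x
# Decides from owner/group/other mode bits whether UID gets that access.
# ACLs and SELinux/AppArmor confinement are not modelled here.
has_access() (
    set -f
    [ "$2" = 0 ] && exit 0                        # root bypasses mode bits
    info=$(ls -ldn "$1") || exit 1
    set -- "$2" "$3" "$4" $info                   # $4=mode string, $6=owner uid, $7=gid
    case $3 in r) col=2 ;; *) col=4 ;; esac       # column of the owner's r or x bit
    if [ "$6" = "$1" ]; then :
    elif echo " $2 " | grep -q " $7 "; then col=$((col + 3))
    else col=$((col + 6)); fi
    case $(echo "$4" | cut -c"$col") in -|S|T) exit 1 ;; esac
    exit 0
)

audit_spice_x509() (
    dir=$1 user=$2 profile=${3:-} rc=0
    finding() { echo "FINDING: $*"; rc=1; }

    # Accept a user name (libvirt-qemu on the Ubuntu host above) or a numeric uid.
    case $user in
        *[!0-9]*) uid=$(id -u "$user" 2>/dev/null) || { echo "FINDING: unknown user $user"; exit 1; } ;;
        *) uid=$user ;;
    esac
    gids=$(id -G "$user" 2>/dev/null) || gids=

    has_access "$dir" "$uid" "$gids" x || finding "$dir is not searchable by uid $uid"
    for f in ca-cert.pem server-cert.pem server-key.pem; do
        p=$dir/$f
        if [ ! -s "$p" ]; then finding "$f is missing or empty"; continue; fi
        has_access "$p" "$uid" "$gids" r || finding "$f is not readable by uid $uid"
    done

    key=$dir/server-key.pem
    if [ -s "$key" ]; then
        # A mode such as the thread's temporary 775 exposes the private key to every local user.
        other=$(ls -ldn "$key" | cut -c8-10)
        if [ "$other" != "---" ]; then
            finding "server-key.pem is accessible to all local users (other bits: $other)"
        fi
        # The thread stores the server key without a passphrase; flag one that still has it.
        if grep -q ENCRYPTED "$key" 2>/dev/null; then
            finding "server-key.pem is passphrase-protected"
        fi
    fi

    # AppArmor: look for an uncommented rule that names DIR in the given file.
    # This is a text match only; a broader glob rule would not be recognised.
    if [ -n "$profile" ] && ! grep -v '^[[:space:]]*#' "$profile" 2>/dev/null | grep -qF -e "$dir"; then
        finding "no AppArmor rule mentions $dir in $profile"
    fi

    # Validity: the server certificate must chain to the CA file in the same directory.
    if command -v openssl >/dev/null 2>&1 && [ -s "$dir/ca-cert.pem" ] && [ -s "$dir/server-cert.pem" ]; then
        openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" >/dev/null 2>&1 </dev/null \
            || finding "server-cert.pem does not verify against ca-cert.pem"
    fi
    exit "$rc"
)

# Run only when called with arguments, so the file can also be sourced.
if [ "$#" -ge 2 ]; then audit_spice_x509 "$@"; fi
```

Run it as root so the key file can be read, for example `audit_spice_x509 /var/lib/libvirt/pki/libvirt-spice libvirt-qemu`, passing as third argument the AppArmor file that holds the `/etc/pki/libvirt-vnc` rule.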