[Spice-devel] SSL connection problem
Jodi Curtis
jodi.curtis at gmail.com
Wed Nov 21 11:42:46 PST 2012
Hi
I am still having problems connecting via SSL, even after resolving the
apparmor.d problem with reading the key directory contents.
I am not sure what is causing the error; any help would be appreciated.
I can connect after commenting out the secure channel request
There are no port restrictions or firewall, and I have tried connecting on
both the secure and the unsecure ports.
(I think the secure port is passed, so the unsecure port is used for the
initial connection; it isn't a passed-argument issue.)
I have tried passing the CA file via the appropriate argument from
remote-viewer.
Package and OS
------------------------------
Ubuntu 12.10
qemu-kvm-spice:
Installed: 1.2.0-2012.09-0ubuntu1
Candidate: 1.2.0-2012.09-0ubuntu1
Version table:
*** 1.2.0-2012.09-0ubuntu1 0
500 http://gb.archive.ubuntu.com/ubuntu/ quantal/universe amd64
Packages
100 /var/lib/dpkg/status
/etc/hostname
squealer
/etc/hosts
127.0.0.1 localhost squealer squealer.maiakaat.co.uk maiakaat.co.uk
www.maiakaat.co.uk
192.168.2.140 localhost squealer squealer.maiakaat.co.uk maiakaat.co.uk
www.maiakaat.co.uk
# Adds jodic to the root and kvm groups. Membership of the root group gives
# access to every path whose group is root, which is far broader than VM
# management needs; kvm alone is the narrower grant.
sudo usermod -a -G root,kvm jodic
# Opens the QEMU state directory to group write and world read/execute. The
# QEMU command line logged later in this message places the VM monitor socket
# (VM11.monitor) under this directory, so revert this once debugging is done.
chmod 775 /var/lib/libvirt/qemu
#temporary change
#libvirt directory permissions are drwxr-xr-x
# Create the directory that will hold the SPICE TLS material. mkdir is run
# without -m, so the directories get the default (umask-derived) mode.
sudo mkdir /var/lib/libvirt/pki
sudo mkdir /var/lib/libvirt/pki/libvirt-spice
# Edit the libvirt QEMU driver configuration.
sudo nano /etc/libvirt/qemu.conf
# The next two lines are presumably the settings entered in qemu.conf (they are
# not shell commands): enable SPICE TLS and point it at the directory above.
# The files created and chown'ed later in this message are ca-cert.pem,
# server-cert.pem and server-key.pem.
spice_tls = 1
spice_tls_x509_cert_dir = "/var/lib/libvirt/pki/libvirt-spice"
# Build a private CA and a server certificate inside the SPICE certificate
# directory.
cd /var/lib/libvirt/pki/libvirt-spice
# CA private key, passphrase-protected (-des3). NOTE(review): 1024-bit RSA is
# below current minimum recommendations; 2048 bits or more is the usual floor.
# The CA key is also left in the directory the server reads its certificates
# from; it is only needed for signing and is better kept elsewhere.
sudo openssl genrsa -des3 -out ca-key.pem 1024
# Self-signed CA certificate, valid 750 days, subject CN "Self Signed".
sudo openssl req -new -x509 -days 750 -key ca-key.pem -out ca-cert.pem
-utf8 -subj "/CN=Self Signed"
# Server private key, generated without a passphrase (no -des3), again 1024-bit.
sudo openssl genrsa -out server-key.pem 1024
# Signing request for the server. The subject is the short host name
# "squealer"; a client that checks the host name against the certificate
# subject will presumably need to connect using exactly this name (not the IP
# address or the FQDN) or be told the expected subject explicitly.
sudo openssl req -new -key server-key.pem -out server-key.csr -utf8 -subj
"/CN=squealer"
# Sign the request with the CA. NOTE(review): as written, "req" has no leading
# dash; the x509 option is -req. Probably a transcription slip in the mail;
# confirm that server-cert.pem was actually produced and is signed by
# ca-cert.pem (openssl verify -CAfile ca-cert.pem server-cert.pem).
sudo openssl x509 req -days 750 -in server-key.csr -CA ca-cert.pem -CAkey
ca-key.pem -set_serial 01 -out server-cert.pem
# Rewrite the server key without a passphrase and swap the file names. Because
# server-key.pem was generated without -des3 above, it never had a passphrase:
# both server-key.pem.secure and the final server-key.pem hold the same
# unencrypted private key, so two copies of it remain in this directory.
sudo openssl rsa -in server-key.pem -out server-key.pem.insecure
sudo mv server-key.pem server-key.pem.secure
sudo mv server-key.pem.insecure server-key.pem
# Hand the certificate directory and the three files the server reads to the
# libvirt-qemu user (presumably the account QEMU runs as on this host).
# ca-key.pem and server-key.pem.secure are not chown'ed and stay as created.
sudo chown libvirt-qemu /var/lib/libvirt/pki
sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice
sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-key.pem
sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
sudo chown libvirt-qemu /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
#temporary change
# Mode 775 is applied to directories and files alike. For server-key.pem this
# makes the private key readable (and marked executable) for every local user.
# Once the connection problem is solved, tighten this: owner-only read on the
# key, no execute bit on any of the .pem files, no world access to the
# directory.
sudo chmod 775 /var/lib/libvirt/pki
sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice
sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/server-key.pem
sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/server-cert.pem
sudo chmod 775 /var/lib/libvirt/pki/libvirt-spice/ca-cert.pem
# Forcibly stop VM11 (no clean guest shutdown) and remove its persistent
# definition; it is defined again from an XML file later in this message.
sudo virsh destroy VM11
sudo virsh undefine VM11
# Reboot the host so that the edited qemu.conf is picked up.
sudo shutdown -r now
#don't know how to restart service for re-read of qemu.conf in Ubuntu
# NOTE(review): restarting the libvirt daemon (on Ubuntu of this vintage
# presumably "sudo service libvirt-bin restart") should make it re-read
# qemu.conf without a host reboot; confirm.
#Ubuntu offering 28 updates - none related to virtualization at all
sudo apt-get update
sudo apt-get upgrade
Edit apparmor.d/libvirt-qemu and add the key directory after the
/etc/pki/libvirt-vnc** r, line, in the identical format used within the
apparmor.d config file, along with any ISO directories needed.
# Re-create the VM11 definition from the stored domain XML and boot it, so the
# guest starts with the new SPICE TLS settings.
sudo virsh define /var/lib/libvirt/local/xml/default-revision7.xml
#defined VM11
sudo virsh start VM11
#started VM11 23:14 ish UK time
#spice configuration
<!-- SPICE display for the guest. autoport="yes" leaves port selection to
     libvirt; the QEMU command line logged later in this message shows
     port=5908 and tls-port=5918. -->
<graphics type="spice" autoport="yes" keymap="en-gb">
<!-- Only the main channel is required to use TLS. NOTE(review): the repeated
     log warning "spice channels 1 should be encrypted" is consistent with a
     client opening this channel on the plaintext port instead of the TLS port
     (channel type 1 is presumably main; confirm against the SPICE protocol
     headers). -->
<channel name="main" mode="secure" />
<!-- Every other channel is explicitly plaintext. In SPICE the inputs channel
     carries keyboard and mouse events and the display channel the screen
     contents, so anyone on the network path can observe them. Switching
     these to mode="secure" once TLS works removes that exposure. -->
<channel name="record" mode="insecure" />
<channel name="display" mode="insecure" />
<channel name="inputs" mode="insecure" />
<channel name="cursor" mode="insecure" />
<channel name="playback" mode="insecure" />
<channel name="usbredir" mode="insecure" />
<image compression="auto_glz"/>
<streaming mode="filter"/>
<!-- Clipboard sharing between client and guest is enabled. -->
<clipboard copypaste="yes"/>
<mouse mode="client"/>
<!-- enable connection from remote terminal -->
<!-- 0.0.0.0 listens on every interface of the host. The logged QEMU command
     line also carries disable-ticketing, i.e. no SPICE password is required,
     so any machine that can reach the ports can open the guest console.
     Binding to a specific address or setting a password (the passwd
     attribute on graphics) narrows this. -->
<listen type="address" address="0.0.0.0" />
<!-- NOTE(review): whether libvirt honours this element is not visible here;
     the logged command line does show disable-ticketing. -->
<disable-ticketing />
</graphics>
On attempts to connect via virsh I am given this warning:
"spice channels 1 should be encrypted". I'm guessing this is an
authentication issue with my attempts to connect?
sudo /var/log/libvirt/qemu/qemu.conf
((null):2230): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted
2012-11-13 07:28:43.081+0000: starting up
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin
QEMU_AUDIO_DRV=spice /usr/bin/kvm -name VM11 -S -M pc-1.2 -cpu
Opteron_G3,+ibs,+osvw,+3dnowprefetch,+cr8legacy,+extapic,+cmp_legacy,+3dnow,+3dnowext,+pdpe1gb,+fxsr_opt,+mmxext,+ht,+vme
-enable-kvm -m 2048 -smp 1,sockets=1,cores=1,threads=1 -uuid
a5fa6af1-89e6-ff32-7d47-5fd28ab47a05 -no-user-config -nodefaults -chardev
socket,id=charmonitor,path=/var/lib/libvirt/qemu/VM11.monitor,server,nowait
-mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime
-no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive
file=/var/lib/libvirt/local/fixed-pool0/buildsvr-disk0,if=none,id=drive-virtio-disk0,format=raw,cache=writeback
-device
virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=3
-drive
file=/var/lib/libvirt/local/dynamic-pool0/buildsvr-disk1,if=none,id=drive-virtio-disk1,format=raw,cache=writethrough
-device
virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk1,id=virtio-disk1,bootindex=4
-drive if=none,id=drive-ide0-0-0,readonly=on,format=raw -device
ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive
file=/var/lib/libvirt/local/fixed-pool0/buildsvr-media,if=none,id=drive-ide0-0-1,readonly=on,format=raw
-device
ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1
-netdev tap,fd=21,id=hostnet0,vhost=on,vhostfd=22 -device
virtio-net-pci,netdev=hostnet0,id=net0,mac=00:16:3e:1a:b3:4c,bus=pci.0,addr=0x3
-chardev pty,id=charserial0 -device
isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0
-spice
port=5908,tls-port=5918,addr=0.0.0.0,agent-mouse=on,disable-ticketing,x509-dir=/var/lib/libvirt/pki/libvirt-spice,tls-channel=main,plaintext-channel=display,plaintext-channel=inputs,plaintext-channel=cursor,plaintext-channel=playback,plaintext-channel=record,plaintext-channel=usbredir,image-compression=auto_glz,streaming-video=filter
-k en-gb -vga qxl -global qxl-vga.vram_size=33554432 -device
virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
char device redirected to /dev/pts/1
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted
((null):1838): Spice-Warning **: reds.c:2812:reds_handle_read_link_done:
spice channels 1 should be encrypted