[Spice-devel] [virt-tools-list] Where to put certificates for remote-viewer on windows [SOLVED, PARTIALLY]

Fernando Lozano fernando at lozano.eti.br
Mon Aug 26 12:49:56 PDT 2013


Hi there,

I partially solved my question. Describing it here so others can find on 
the mailing list archives.

That is, I solved only for remote-viewer on Windows. virt-viewer and 
virsh still cannot connect using TLS.


> I downloaded the latest virt-viewer installer for windows from 
> fedorahosted.org (0.5.7) and wish to use spice+tls to access VM 
> consoles from a Fedora machine.  I know my certificates are properly 
> configured on the server side because I can connect from another 
> Fedora machine using both remote-viewer and virsh.
>
> But on Windows it won't work. Virt-viewer was installed on the default 
> location, so I guessed I had to put cacert.pem on:
>
> "C:\Program Files (x86)\VirtViewer\etc\pki\CA"
>
> and the client certificates on:
>
> "C:\Program Files (x86)\VirtViewer\etc\pki\libvirt"

Connections to libvirtd and to a spice server use different TLS setups. 
I was mistaken beliving it was ok on my Linux machines, the fact was 
they were connecting using TLS to libvirtd but then using an insecure 
spice connection to the guest consoles. The same setup solved both Linux 
and windows issues regarding spice, but those info is not easy to find.

The CA certificate configured on the kvm host (saved as 
"/etc/pki/CA/cacert.pem") has to be copied to 
$HOME/.spicec/spice_trusstore.pem. A symbolic link also works fine.

On Windows, you have to copy the CA cert "spice_trustore.pem" to 
"C:\Users\<YourUser>\.spicec". Note Windows Explorer will refuse to 
create a folder name starting with a dot, so you'll have to use the 
Windows Command Prompt.

Then you can use connection URLs like "spice://kvmhost?tls-port=5901" 
and be assured you'll use only TLS connections to the spice display 
(checked using netstat on both Linux server and Windows client).


> When I try to connect to the host using virsh.exe included on 
> viet-viewer install I get the error:
>
> virsh # connect qemu://kvmserv/system
> error: Failed to connect to the hypervisor
> error: Cannot read CA certificate 
> '/usr/i686-w64-mingw32/sys-root/mingw/etc/pki/
> CA/cacert.pem': No such file or directory
>
> virsh # connect qemu+tls://kvmserv/system
> error: Failed to connect to the hypervisor
> error: Cannot read CA certificate 
> '/usr/i686-w64-mingw32/sys-root/mingw/etc/pki/
> CA/cacert.pem': No such file or directory

I still can't find where to put certificates for virsh on Windows to 
work. :-( I tried creating a ".pki\libvirt" folder on the "home" dir 
("c:\users\<my user name>") as a $HOME/.pki/libvirt works for linux 
clients. This worked for ".spicec" and remote-viewer for windows, but 
not for virsh and virt-viewer for Windows. I still get the same error 
from virsh for Windows. If I had strace for Windows!


PS: virt-viewer on WIndows complained about a missing DDL. I got one from:

http://qemu.weilnetz.de/w32/dll/libssp-0.dll

And thus virt-viewer stopped complaining. But it can't connect to 
libvirtd on the host yet. I assume by the same reason virsh can't: they 
cannot find the certificates. But virt-viewer only tells "unable to 
connect to libvirtd with URI..."


[]s, Fernando Lozano



More information about the Spice-devel mailing list