[Spice-devel] [virt-tools-list] Where to put certificates for remote-viewer on windows [SOLVED, PARTIALLY]
Fernando Lozano
fernando at lozano.eti.br
Mon Aug 26 12:49:56 PDT 2013
Hi there,

I partially solved my question. Describing it here so others can find it in
the mailing list archives.

That is, I solved it only for remote-viewer on Windows. virt-viewer and
virsh still cannot connect using TLS.
> I downloaded the latest virt-viewer installer for windows from
> fedorahosted.org (0.5.7) and wish to use spice+tls to access VM
> consoles from a Fedora machine. I know my certificates are properly
> configured on the server side because I can connect from another
> Fedora machine using both remote-viewer and virsh.
>
> But on Windows it won't work. Virt-viewer was installed on the default
> location, so I guessed I had to put cacert.pem on:
>
> "C:\Program Files (x86)\VirtViewer\etc\pki\CA"
>
> and the client certificates on:
>
> "C:\Program Files (x86)\VirtViewer\etc\pki\libvirt"
Connections to libvirtd and to a spice server use different TLS setups.
I was mistaken in believing it was OK on my Linux machines; the fact was
they were connecting using TLS to libvirtd but then using an insecure
spice connection to the guest consoles. The same setup solved both Linux
and Windows issues regarding spice, but that info is not easy to find.

The CA certificate configured on the kvm host (saved as
"/etc/pki/CA/cacert.pem") has to be copied to
$HOME/.spicec/spice_truststore.pem. A symbolic link also works fine.

On Windows, you have to copy the CA cert "spice_truststore.pem" to
"C:\Users\<YourUser>\.spicec". Note that Windows Explorer will refuse to
create a folder name starting with a dot, so you'll have to use the
Windows Command Prompt.

Then you can use connection URLs like "spice://kvmhost?tls-port=5901"
and be assured you'll use only TLS connections to the spice display
(checked using netstat on both Linux server and Windows client).
> When I try to connect to the host using virsh.exe included on
> virt-viewer install I get the error:
>
> virsh # connect qemu://kvmserv/system
> error: Failed to connect to the hypervisor
> error: Cannot read CA certificate
> '/usr/i686-w64-mingw32/sys-root/mingw/etc/pki/
> CA/cacert.pem': No such file or directory
>
> virsh # connect qemu+tls://kvmserv/system
> error: Failed to connect to the hypervisor
> error: Cannot read CA certificate
> '/usr/i686-w64-mingw32/sys-root/mingw/etc/pki/
> CA/cacert.pem': No such file or directory
I still can't find where to put certificates for virsh on Windows to
work. :-( I tried creating a ".pki\libvirt" folder in the "home" dir
("c:\users\<my user name>") as $HOME/.pki/libvirt works for Linux
clients. This worked for ".spicec" and remote-viewer for Windows, but
not for virsh and virt-viewer for Windows. I still get the same error
from virsh for Windows. If I had strace for Windows!

PS: virt-viewer on Windows complained about a missing DLL. I got one from:
http://qemu.weilnetz.de/w32/dll/libssp-0.dll

And thus virt-viewer stopped complaining. But it can't connect to
libvirtd on the host yet. I assume for the same reason virsh can't: they
cannot find the certificates. But virt-viewer only tells "unable to
connect to libvirtd with URI..."
[]s, Fernando Lozano
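
The trust store setup described in this message, as an added example that is not part of the original post: a Python helper that copies the CA certificate to `.spicec/spice_truststore.pem` under the user's home directory (the same relative path on Linux and Windows), refuses a file that carries private key material, and checks that a connection URI names only a TLS port. The function names and the constructed inputs used to exercise them are assumptions of this example; the PEM check is structural only and does not parse X.509.

```python
import re
import shutil
from pathlib import Path
from urllib.parse import urlsplit, parse_qs

# Matches PEM armor headers such as "-----BEGIN CERTIFICATE-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def check_ca_pem(text):
    """Return the number of CERTIFICATE blocks; reject files holding keys."""
    labels = PEM_BLOCK.findall(text)
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("file contains a private key; copy only the CA cert")
    count = labels.count("CERTIFICATE")
    if count == 0:
        raise ValueError("no PEM certificate block found")
    return count


def install_truststore(ca_path, home=None):
    """Copy the CA certificate to <home>/.spicec/spice_truststore.pem."""
    ca_path = Path(ca_path)
    check_ca_pem(ca_path.read_text(encoding="ascii", errors="replace"))
    base = Path(home) if home else Path.home()
    target_dir = base / ".spicec"
    # mkdir creates the dot-folder that Windows Explorer refuses to create.
    target_dir.mkdir(parents=True, exist_ok=True)
    target = target_dir / "spice_truststore.pem"
    shutil.copyfile(ca_path, target)
    return target


def uri_is_tls_only(uri):
    """True when a spice:// URI names a tls-port and no plaintext port."""
    parts = urlsplit(uri)
    query = parse_qs(parts.query)
    if parts.scheme != "spice" or "tls-port" not in query:
        return False
    # Assumption of this example: any plaintext port in the URI, either as
    # host:port or as a port= parameter, counts as a non-TLS-only setup.
    return parts.port is None and "port" not in query
```

Confirming the result with netstat on both ends, as the message does, remains the check that the display channel really runs over the TLS port.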