[Spice-devel] TLS + Letsencrypt doesn't work on Windows

Armin Ranjbar zoup at zoup.org
Tue Dec 15 11:45:36 UTC 2020


Dear Everyone,

As always, let me thank you first for the effort you put in Spice.

I have a strange case here, libvirt is configured with letsencrypt
certificates, remote-viewer works happily on Linux, but it doesn't seem to
be able to get local issuer certificate on windows.
same error even when I try to give the address of CA file via
--spice-ca-file, attaching logs with spice-debug here:

(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.293:
../src/spice-session.c:292 Supported channels: main, display, inputs,
cursor, playback, record, usbredir
(remote-viewer.exe:3584): Spice-DEBUG: 15:13:17.293:
../src/usb-device-manager.c:259:spice_usb_device_manager_init: UsbDk driver
is not installed
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.293:
../src/usb-device-manager.c:485 auto-connect filter set to
0x03,-1,-1,-1,0|-1,-1,-1,-1,1

(remote-viewer.exe:3584): GSpice-CRITICAL **: 15:13:17.293:
_usbdk_hider_update: assertion 'priv->usbdk_api != NULL' failed

(remote-viewer.exe:3584): GSpice-WARNING **: 15:13:17.962: password may be
visible in process listings
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965:
../src/spice-session.c:1814 no migration in progress
Spice-INFO: 15:13:17.965:
../src/channel-main.c:337:spice_main_set_property:
SpiceMainChannel::color-depth has been deprecated. Property is ignored
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965:
../src/spice-channel.c:141 main-1:0: spice_channel_constructed
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965:
../src/spice-session.c:2309 main-1:0: new main channel, switching
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680:
../src/spice-channel.c:2707 main-1:0: Open coroutine starting
000000000462E480
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680:
../src/spice-channel.c:2544 main-1:0: Started background coroutine
000000000462E338
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680:
../src/spice-session.c:2231 Missing port value, not attempting unencrypted
connection.
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680:
../src/spice-channel.c:2570 main-1:0: trying with TLS port
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694:
../src/spice-session.c:2244 main-1:0: Using TLS, port 5901
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694:
../src/spice-session.c:2177 open host DOMAIN_REPLACED:5901
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694:
../src/spice-session.c:2099 main-1:0: connecting 00000000071DFDD0...
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.757:
../src/spice-session.c:2083 main-1:0: connect ready
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.757:
../src/spice-channel.c:2466 main-1:0: Load CA, file: C:\ca-cert.pem, data:
0000000000000000

(remote-viewer.exe:3584): Spice-WARNING **: 15:13:18.819:
../subprojects/spice-common/common/ssl_verify.c:444:openssl_verify: Error
in certificate chain verification: unable to get issuer certificate
(num=2:depth1:/C=US/O=Let's Encrypt/CN=R3)

(remote-viewer.exe:3584): GSpice-WARNING **: 15:13:18.819: main-1:0:
SSL_connect: error:00000001:lib(0):func(0):reason(1)
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:
../src/spice-channel.c:2680 main-1:0: Coroutine exit main-1:0
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:
../src/spice-channel.c:2871 main-1:0: reset
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:
../src/channel-main.c:1567 agent connected: no
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:
../src/spice-channel.c:2819 main-1:0: channel reset
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:
../src/spice-channel.c:2425 main-1:0: Delayed unref channel 000000000462E480
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:
../src/spice-session.c:2006 session: disconnecting 0
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:
../src/spice-session.c:2349 main-1:0: the session lost the main channel
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835:
../src/spice-channel.c:2888 main-1:0: channel disconnect 0
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835:
../src/spice-channel.c:159 main-1:0: spice_channel_dispose 000000000462E480
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835:
../src/spice-channel.c:2888 main-1:0: channel disconnect 12
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.756:
../src/spice-session.c:2006 session: disconnecting 1151
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.757:
../src/spice-session.c:288 New session (compiled from package spice-gtk
0.37)
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.758:
../src/spice-session.c:292 Supported channels: main, display, inputs,
cursor, playback, record, usbredir
(remote-viewer.exe:3584): Spice-DEBUG: 15:13:19.759:
../src/usb-device-manager.c:259:spice_usb_device_manager_init: UsbDk driver
is not installed
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.760:
../src/usb-device-manager.c:485 auto-connect filter set to
0x03,-1,-1,-1,0|-1,-1,-1,-1,1



also output when giving the --spica-ca-file, one thing i found strange is
the fact that Load CA file, shows zeroes as data, even when provided file
doesn't exist :

(remote-viewer.exe:3584): GSpice-WARNING **: 15:13:17.962: password may be
visible in process listings
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965:
../src/spice-session.c:1814 no migration in progress
Spice-INFO: 15:13:17.965:
../src/channel-main.c:337:spice_main_set_property:
SpiceMainChannel::color-depth has been deprecated. Property is ignored
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965:
../src/spice-channel.c:141 main-1:0: spice_channel_constructed
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965:
../src/spice-session.c:2309 main-1:0: new main channel, switching
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680:
../src/spice-channel.c:2707 main-1:0: Open coroutine starting
000000000462E480
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680:
../src/spice-channel.c:2544 main-1:0: Started background coroutine
000000000462E338
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680:
../src/spice-session.c:2231 Missing port value, not attempting unencrypted
connection.
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680:
../src/spice-channel.c:2570 main-1:0: trying with TLS port
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694:
../src/spice-session.c:2244 main-1:0: Using TLS, port 5901
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694:
../src/spice-session.c:2177 open host vdi.pishro.computer:5901
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694:
../src/spice-session.c:2099 main-1:0: connecting 00000000071DFDD0...
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.757:
../src/spice-session.c:2083 main-1:0: connect ready
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.757:
../src/spice-channel.c:2466 main-1:0: Load CA, file: C:\ca-cert.pem, data:
0000000000000000

(remote-viewer.exe:3584): Spice-WARNING **: 15:13:18.819:
../subprojects/spice-common/common/ssl_verify.c:444:openssl_verify: Error
in certificate chain verification: unable to get issuer certificate
(num=2:depth1:/C=US/O=Let's Encrypt/CN=R3)

(remote-viewer.exe:3584): GSpice-WARNING **: 15:13:18.819: main-1:0:
SSL_connect: error:00000001:lib(0):func(0):reason(1)
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:
../src/spice-channel.c:2680 main-1:0: Coroutine exit main-1:0
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:
../src/spice-channel.c:2871 main-1:0: reset
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:
../src/channel-main.c:1567 agent connected: no
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:
../src/spice-channel.c:2819 main-1:0: channel reset
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:
../src/spice-channel.c:2425 main-1:0: Delayed unref channel 000000000462E480
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:
../src/spice-session.c:2006 session: disconnecting 0
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:
../src/spice-session.c:2349 main-1:0: the session lost the main channel
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835:
../src/spice-channel.c:2888 main-1:0: channel disconnect 0
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835:
../src/spice-channel.c:159 main-1:0: spice_channel_dispose 000000000462E480
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835:
../src/spice-channel.c:2888 main-1:0: channel disconnect 12
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.756:
../src/spice-session.c:2006 session: disconnecting 1151
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.757:
../src/spice-session.c:288 New session (compiled from package spice-gtk
0.37)
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.758:
../src/spice-session.c:292 Supported channels: main, display, inputs,
cursor, playback, record, usbredir
(remote-viewer.exe:3584): Spice-DEBUG: 15:13:19.759:
../src/usb-device-manager.c:259:spice_usb_device_manager_init: UsbDk driver
is not installed
(remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.760:
../src/usb-device-manager.c:485 auto-connect filter set to
0x03,-1,-1,-1,0|-1,-1,-1,-1,1

---
Armin ranjbar
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/spice-devel/attachments/20201215/b32fcbf6/attachment.htm>


More information about the Spice-devel mailing list