[Spice-devel] TLS + Letsencrypt doesn't work on Windows

Uri Lublin uril at redhat.com
Sun Dec 20 16:12:10 UTC 2020


On 12/15/20 1:45 PM, Armin Ranjbar wrote:
> Dear Everyone,
> 
> As always, let me thank you first for the effort you put in Spice.
> 
> I have a strange case here: libvirt is configured with Let's Encrypt 
> certificates and remote-viewer works happily on Linux, but it doesn't seem 
> to be able to get the local issuer certificate on Windows.

Hi,

Can you please provide
1. qemu-kvm command line -spice option?
2. remote-viewer command line (for both Windows and Linux)?
3. Does the Linux remote-viewer run on the same
    machine as libvirt/qemu-kvm or does it run on a
    different machine?
4. Did you copy the CA certificate onto the Windows machine?
    (Just verifying, I see the name is correctly ca-cert.pem)

Uri.


> Same error even when I try to give the address of the CA file via 
> --spice-ca-file; attaching logs with spice-debug here:
> 
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.293: 
> ../src/spice-session.c:292 Supported channels: main, display, inputs, 
> cursor, playback, record, usbredir
> (remote-viewer.exe:3584): Spice-DEBUG: 15:13:17.293: 
> ../src/usb-device-manager.c:259:spice_usb_device_manager_init: UsbDk 
> driver is not installed
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.293: 
> ../src/usb-device-manager.c:485 auto-connect filter set to 
> 0x03,-1,-1,-1,0|-1,-1,-1,-1,1
> 
> (remote-viewer.exe:3584): GSpice-CRITICAL **: 15:13:17.293: 
> _usbdk_hider_update: assertion 'priv->usbdk_api != NULL' failed
> 
> (remote-viewer.exe:3584): GSpice-WARNING **: 15:13:17.962: password may 
> be visible in process listings
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965: 
> ../src/spice-session.c:1814 no migration in progress
> Spice-INFO: 15:13:17.965: 
> ../src/channel-main.c:337:spice_main_set_property: 
> SpiceMainChannel::color-depth has been deprecated. Property is ignored
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965: 
> ../src/spice-channel.c:141 main-1:0: spice_channel_constructed
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965: 
> ../src/spice-session.c:2309 main-1:0: new main channel, switching
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680: 
> ../src/spice-channel.c:2707 main-1:0: Open coroutine starting 
> 000000000462E480
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680: 
> ../src/spice-channel.c:2544 main-1:0: Started background coroutine 
> 000000000462E338
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680: 
> ../src/spice-session.c:2231 Missing port value, not attempting 
> unencrypted connection.
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680: 
> ../src/spice-channel.c:2570 main-1:0: trying with TLS port
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694: 
> ../src/spice-session.c:2244 main-1:0: Using TLS, port 5901
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694: 
> ../src/spice-session.c:2177 open host DOMAIN_REPLACED:5901
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694: 
> ../src/spice-session.c:2099 main-1:0: connecting 00000000071DFDD0...
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.757: 
> ../src/spice-session.c:2083 main-1:0: connect ready
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.757: 
> ../src/spice-channel.c:2466 main-1:0: Load CA, file: C:\ca-cert.pem, 
> data: 0000000000000000
> 
> (remote-viewer.exe:3584): Spice-WARNING **: 15:13:18.819: 
> ../subprojects/spice-common/common/ssl_verify.c:444:openssl_verify: 
> Error in certificate chain verification: unable to get issuer 
> certificate (num=2:depth1:/C=US/O=Let's Encrypt/CN=R3)
> 
> (remote-viewer.exe:3584): GSpice-WARNING **: 15:13:18.819: main-1:0: 
> SSL_connect: error:00000001:lib(0):func(0):reason(1)
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: 
> ../src/spice-channel.c:2680 main-1:0: Coroutine exit main-1:0
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: 
> ../src/spice-channel.c:2871 main-1:0: reset
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: 
> ../src/channel-main.c:1567 agent connected: no
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: 
> ../src/spice-channel.c:2819 main-1:0: channel reset
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: 
> ../src/spice-channel.c:2425 main-1:0: Delayed unref channel 000000000462E480
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: 
> ../src/spice-session.c:2006 session: disconnecting 0
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: 
> ../src/spice-session.c:2349 main-1:0: the session lost the main channel
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835: 
> ../src/spice-channel.c:2888 main-1:0: channel disconnect 0
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835: 
> ../src/spice-channel.c:159 main-1:0: spice_channel_dispose 000000000462E480
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835: 
> ../src/spice-channel.c:2888 main-1:0: channel disconnect 12
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.756: 
> ../src/spice-session.c:2006 session: disconnecting 1151
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.757: 
> ../src/spice-session.c:288 New session (compiled from package spice-gtk 
> 0.37)
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.758: 
> ../src/spice-session.c:292 Supported channels: main, display, inputs, 
> cursor, playback, record, usbredir
> (remote-viewer.exe:3584): Spice-DEBUG: 15:13:19.759: 
> ../src/usb-device-manager.c:259:spice_usb_device_manager_init: UsbDk 
> driver is not installed
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.760: 
> ../src/usb-device-manager.c:485 auto-connect filter set to 
> 0x03,-1,-1,-1,0|-1,-1,-1,-1,1
> 
> 
> 
> Also the output when giving --spice-ca-file. One thing I found strange 
> is the fact that Load CA file shows zeroes as data, even when the provided 
> file doesn't exist:
> 
> (remote-viewer.exe:3584): GSpice-WARNING **: 15:13:17.962: password may 
> be visible in process listings
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965: 
> ../src/spice-session.c:1814 no migration in progress
> Spice-INFO: 15:13:17.965: 
> ../src/channel-main.c:337:spice_main_set_property: 
> SpiceMainChannel::color-depth has been deprecated. Property is ignored
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965: 
> ../src/spice-channel.c:141 main-1:0: spice_channel_constructed
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965: 
> ../src/spice-session.c:2309 main-1:0: new main channel, switching
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680: 
> ../src/spice-channel.c:2707 main-1:0: Open coroutine starting 
> 000000000462E480
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680: 
> ../src/spice-channel.c:2544 main-1:0: Started background coroutine 
> 000000000462E338
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680: 
> ../src/spice-session.c:2231 Missing port value, not attempting 
> unencrypted connection.
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680: 
> ../src/spice-channel.c:2570 main-1:0: trying with TLS port
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694: 
> ../src/spice-session.c:2244 main-1:0: Using TLS, port 5901
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694: 
> ../src/spice-session.c:2177 open host vdi.pishro.computer:5901
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694: 
> ../src/spice-session.c:2099 main-1:0: connecting 00000000071DFDD0...
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.757: 
> ../src/spice-session.c:2083 main-1:0: connect ready
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.757: 
> ../src/spice-channel.c:2466 main-1:0: Load CA, file: C:\ca-cert.pem, 
> data: 0000000000000000
> 
> (remote-viewer.exe:3584): Spice-WARNING **: 15:13:18.819: 
> ../subprojects/spice-common/common/ssl_verify.c:444:openssl_verify: 
> Error in certificate chain verification: unable to get issuer 
> certificate (num=2:depth1:/C=US/O=Let's Encrypt/CN=R3)
> 
> (remote-viewer.exe:3584): GSpice-WARNING **: 15:13:18.819: main-1:0: 
> SSL_connect: error:00000001:lib(0):func(0):reason(1)
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: 
> ../src/spice-channel.c:2680 main-1:0: Coroutine exit main-1:0
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: 
> ../src/spice-channel.c:2871 main-1:0: reset
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: 
> ../src/channel-main.c:1567 agent connected: no
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: 
> ../src/spice-channel.c:2819 main-1:0: channel reset
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: 
> ../src/spice-channel.c:2425 main-1:0: Delayed unref channel 000000000462E480
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: 
> ../src/spice-session.c:2006 session: disconnecting 0
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: 
> ../src/spice-session.c:2349 main-1:0: the session lost the main channel
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835: 
> ../src/spice-channel.c:2888 main-1:0: channel disconnect 0
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835: 
> ../src/spice-channel.c:159 main-1:0: spice_channel_dispose 000000000462E480
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835: 
> ../src/spice-channel.c:2888 main-1:0: channel disconnect 12
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.756: 
> ../src/spice-session.c:2006 session: disconnecting 1151
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.757: 
> ../src/spice-session.c:288 New session (compiled from package spice-gtk 
> 0.37)
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.758: 
> ../src/spice-session.c:292 Supported channels: main, display, inputs, 
> cursor, playback, record, usbredir
> (remote-viewer.exe:3584): Spice-DEBUG: 15:13:19.759: 
> ../src/usb-device-manager.c:259:spice_usb_device_manager_init: UsbDk 
> driver is not installed
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.760: 
> ../src/usb-device-manager.c:485 auto-connect filter set to 
> 0x03,-1,-1,-1,0|-1,-1,-1,-1,1
> 
> ---
> Armin ranjbar
> 
> 
> 
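
A triage helper for the log quoted in this message, added here as an example (not from the original post and not spice-gtk code): it rejoins the mail-wrapped records and extracts the CA file the client was given and the OpenSSL chain-verification failure. The function names are hypothetical, the error table is a subset of OpenSSL's X509_V_ERR values, and reading `data:` as a pointer to in-memory CA bytes is an assumption.

```python
import re

# Records copied from the log quoted above, still ">"-quoted and mail-wrapped.
SAMPLE = r"""
> (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.757:
> ../src/spice-channel.c:2466 main-1:0: Load CA, file: C:\ca-cert.pem,
> data: 0000000000000000
>
> (remote-viewer.exe:3584): Spice-WARNING **: 15:13:18.819:
> ../subprojects/spice-common/common/ssl_verify.c:444:openssl_verify:
> Error in certificate chain verification: unable to get issuer
> certificate (num=2:depth1:/C=US/O=Let's Encrypt/CN=R3)
"""
# OpenSSL X509_V_ERR_* values that commonly point at trust-store problems.
X509_V_ERR = {2: "UNABLE_TO_GET_ISSUER_CERT", 10: "CERT_HAS_EXPIRED",
              18: "DEPTH_ZERO_SELF_SIGNED_CERT", 19: "SELF_SIGNED_CERT_IN_CHAIN",
              20: "UNABLE_TO_GET_ISSUER_CERT_LOCALLY", 21: "UNABLE_TO_VERIFY_LEAF_SIGNATURE"}
RECORD_START = re.compile(r"^(\([^)]*:\d+\): |Spice-[A-Z]+: )")
CA_RE = re.compile(r"Load CA, file: (?P<file>.*?), data: (?P<ptr>\(nil\)|(?:0x)?[0-9A-Fa-f]+)")
VERIFY_RE = re.compile(r"Error in certificate chain verification: (?P<msg>.+?) "
                       r"\(num=(?P<num>\d+):depth(?P<depth>\d+):(?P<subject>.+)\)$")

def unwrap(text):
    """Strip '>' quoting and rejoin records that the mail client wrapped."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)          # a new log record begins here
        else:
            records[-1] += " " + line     # continuation of the previous record
    return records

def triage(text):
    """Return the CA inputs the client logged and every chain-verification failure."""
    out = {"ca_file": None, "inline_ca": None, "failures": []}
    for rec in unwrap(text):
        if m := CA_RE.search(rec):
            out["ca_file"] = m["file"]
            # Assumption: "data:" is a %p pointer to in-memory CA bytes, not file contents.
            out["inline_ca"] = m["ptr"] != "(nil)" and int(m["ptr"], 16) != 0
        if m := VERIFY_RE.search(rec):
            num = int(m["num"])
            out["failures"].append({"code": X509_V_ERR.get(num, f"unknown({num})"),
                                    "depth": int(m["depth"]), "issuer_missing_for":
                                    m["subject"] if num in (2, 20) else None})
    return out
```

For the records above, `triage(SAMPLE)` reports `UNABLE_TO_GET_ISSUER_CERT` at depth 1 for the R3 certificate, meaning OpenSSL did not find the certificate that issued R3 among the trusted certificates it had loaded.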


