<div dir="ltr">Hi Uri,<div> </div><div>Thanks for the reply!</div><div>No, remote-viewer is not running on the same server (neither windows nor Linux tests),</div><div> </div><div>haven't tried spice-host-subject, but will certainly give it a try, but question is, as what I'm seeking to do is to create a general package (that is usable across multiple installations with different certs, domains), is it really necessary to have ca-cert or host-subject available on windows? I assume it should be possible to get them from the running OS itself...</div><div> </div><div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">--- Armin ranjbar <div> </div></div></div></div> </div></div> <div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Dec 22, 2020 at 3:54 AM Uri Lublin <<a href="mailto:uril@redhat.com">uril@redhat.com</a>> wrote: </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 12/20/20 5:37 PM, Armin Ranjbar wrote: > Hi, With pleasure! > > Qemu command line: > /usr/bin/qemu-system-x86_64 -name > guest=test1-DOMAIN_XLMEP2ZCTPH2NRMV,debug-threads=on -S -object > secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-1-test1-pishro.compute/master-key.aes > -machine pc-i440fx-4.2,accel=kvm,usb=off,vmport=off,dump-guest-core=off > -cpu > SandyBridge-IBRS,vme=on,vmx=on,pcid=on,hypervisor=on,arat=on,tsc-adjust=on,umip=on,md-clear=on,stibp=on,arch-capabilities=on,ssbd=on,xsaveopt=on,pdpe1gb=on,ibpb=on,amd-stibp=on,amd-ssbd=on,skip-l1dfl-vmentry=on,pschange-mc-no=on,hv-time,hv-relaxed,hv-vapic,hv-spinlocks=0x1000,hv-vpindex,hv-runtime,hv-synic,hv-stimer,hv-stimer-direct,hv-reset,hv-vendor-id=DaaS,hv-crash > -m 3248 -overcommit mem-lock=off -smp 2,sockets=1,cores=2,threads=1 > -uuid 3c01cc16-3a72-11eb-ae67-c3a189c89e46 -no-user-config -nodefaults > -chardev socket,id=charmonitor,fd=31,server,nowait -mon > chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew > -global kvm-pit.lost_tick_policy=delay -no-hpet -no-shutdown -global > PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot strict=on > -device pci-bridge,chassis_nr=1,id=pci.1,bus=pci.0,addr=0x3 -device > qemu-xhci,p2=15,p3=15,id=usb,bus=pci.0,addr=0x5 -device > ahci,id=sata0,bus=pci.0,addr=0x8 -device > virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x6 -object > secret,id=libvirt-2-storage-secret0,data=yLtgtQTQJM5xCBZ2TPh1JkrbTTqXkoBo4JEqBOKQBF0=,keyid=masterKey0,iv=H9oULsQg3K4UnoPu65gA/A==,format=base64 > -blockdev > {"driver":"rbd","pool":"base_disks","image":"test1-DOMAIN_XLMEP2ZCTPH2NRMV","server":[{"host":"192.168.0.126","port":"3300"}],"user":"admin","auth-client-required":["cephx","none"],"key-secret":"libvirt-2-storage-secret0","node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"} > -blockdev > {"node-name":"libvirt-2-format","read-only":false,"driver":"raw","file":"libvirt-2-storage"} > -device > ide-hd,bus=sata0.0,drive=libvirt-2-format,id=sata0-0-0,bootindex=1 > -blockdev > {"driver":"file","filename":"/var/lib/libvirt/images/windows.iso","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"} > -blockdev > {"node-name":"libvirt-1-format","read-only":true,"driver":"raw","file":"libvirt-1-storage"} > -device > ide-cd,bus=sata0.1,share-rw=on,drive=libvirt-1-format,id=sata0-0-1,bootindex=2 > -netdev tap,fd=33,id=hostnet0 -device > e1000,netdev=hostnet0,id=net0,mac=4a:df:1f:e9:c8:1e,bus=pci.1,addr=0x3 > -chardev pty,id=charserial0 -device > isa-serial,chardev=charserial0,id=serial0 -chardev > spicevmc,id=charchannel0,name=vdagent -device > virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 > -chardev socket,id=charchannel1,fd=34,server,nowait -device > virtserialport,bus=virtio-serial0.0,nr=2,chardev=charchannel1,id=channel1,name=org.qemu.guest_agent.0 > -chardev spiceport,id=charchannel2,name=org.spice-space.webdav.0 -device > virtserialport,bus=virtio-serial0.0,nr=3,chardev=charchannel2,id=channel2,name=org.spice-space.webdav.0 > -device usb-tablet,id=input0,bus=usb.0,port=1 -spice > port=5900,tls-port=5901,addr=0.0.0.0,agent-mouse=on,x509-dir=/etc/pki/libvirt-spice,image-compression=auto_lz,jpeg-wan-compression=auto,zlib-glz-wan-compression=auto,playback-compression=on,streaming-video=filter,seamless-migration=on > -device > qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,vram64_size_mb=0,vgamem_mb=16,max_outputs=1,bus=pci.0,addr=0x2 > -device ich9-intel-hda,id=sound0,bus=pci.0,addr=0x4 -device > hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device > i6300esb,id=watchdog0,bus=pci.0,addr=0x9 -watchdog-action reset -chardev > spicevmc,id=charredir0,name=usbredir -device > usb-redir,chardev=charredir0,id=redir0,bus=usb.0,port=2 -chardev > spicevmc,id=charredir1,name=usbredir -device > usb-redir,chardev=charredir1,id=redir1,bus=usb.0,port=3 -chardev > spicevmc,id=charredir2,name=usbredir -device > usb-redir,chardev=charredir2,id=redir2,bus=usb.0,port=4 -chardev > spicevmc,id=charredir3,name=usbredir -device > usb-redir,chardev=charredir3,id=redir3,bus=usb.0,port=5 -device > virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x10 -sandbox > on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny > -msg timestamp=on > > > remote-viewer on linux: > remote-viewer spice+tls://DOMAIN:5901 (works) Does remote-viewer run on the same machine as qemu-kvm ? Many times I also provide --spice-host-subject=$HOST_CERT_SUBJECT HOST_CERT_SUBJECT=openssl x509 -noout -text -in \ $path_to_server-cert.pem | grep 'Subject:' # and remove spaces > remote-viewer --spice-ca-file=$path_to_ca-cert.crt > spice+tls://DOMAIN:5901 (works > > remote-viewer on Windows: > remote-viewer spice+tls://DOMAIN:5901 (doesn't work) > remote-viewer --spice-ca-file=$path_to_ca-cert.crt > spice+tls://DOMAIN:5901 (doesn't work) Does it help if you provide it a --spice-host-subject ? I'll try to give it a try soon. Uri. > > debug output of both provided in the first email, also tried building > remote-viewer and spice-client libraries from MASTER for windows. > > Thank you for the help! > --- > Armin ranjbar > > > > On Sun, Dec 20, 2020 at 6:50 PM Uri Lublin <<a href="mailto:uril@redhat.com" target="_blank">uril@redhat.com</a> > <mailto:<a href="mailto:uril@redhat.com" target="_blank">uril@redhat.com</a>>> wrote: > > On 12/15/20 1:45 PM, Armin Ranjbar wrote: > > Dear Everyone, > > > > As always, let me thank you first for the effort you put in Spice. > > > > I have a strange case here, libvirt is configured with letsencrypt > > certificates, remote-viewer works happily on Linux, but it > doesn't seem > > to be able to get local issuer certificate on windows. > > same error even when I try to give the address of CA file via > > --spice-ca-file, attaching logs with spice-debug here: > > Hi, > > Can you please provide > 1. qemu-kvm commandline -spice option > 2. remote-viewer commandline (for both windows and linux)? > 3. Does the Linux remote-viewer run on the same > machine as libvirt/qemu-kvm or does it run on a > different machine? > 4. Did you copy the CA-certificate onto the windows machine ? > (Just verifying, I see the name is correctly ca-cert.pem) > > Uri. > > > > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.293: > > ../src/spice-session.c:292 Supported channels: main, display, > inputs, > > cursor, playback, record, usbredir > > (remote-viewer.exe:3584): Spice-DEBUG: 15:13:17.293: > > ../src/usb-device-manager.c:259:spice_usb_device_manager_init: UsbDk > > driver is not installed > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.293: > > ../src/usb-device-manager.c:485 auto-connect filter set to > > 0x03,-1,-1,-1,0|-1,-1,-1,-1,1 > > > > (remote-viewer.exe:3584): GSpice-CRITICAL **: 15:13:17.293: > > _usbdk_hider_update: assertion 'priv->usbdk_api != NULL' failed > > > > (remote-viewer.exe:3584): GSpice-WARNING **: 15:13:17.962: > password may > > be visible in process listings > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965: > > ../src/spice-session.c:1814 no migration in progress > > Spice-INFO: 15:13:17.965: > > ../src/channel-main.c:337:spice_main_set_property: > > SpiceMainChannel::color-depth has been deprecated. Property is > ignored > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965: > > ../src/spice-channel.c:141 main-1:0: spice_channel_constructed > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965: > > ../src/spice-session.c:2309 main-1:0: new main channel, switching > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680: > > ../src/spice-channel.c:2707 main-1:0: Open coroutine starting > > 000000000462E480 > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680: > > ../src/spice-channel.c:2544 main-1:0: Started background coroutine > > 000000000462E338 > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680: > > ../src/spice-session.c:2231 Missing port value, not attempting > > unencrypted connection. > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680: > > ../src/spice-channel.c:2570 main-1:0: trying with TLS port > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694: > > ../src/spice-session.c:2244 main-1:0: Using TLS, port 5901 > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694: > > ../src/spice-session.c:2177 open host DOMAIN_REPLACED:5901 > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694: > > ../src/spice-session.c:2099 main-1:0: connecting 00000000071DFDD0... > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.757: > > ../src/spice-session.c:2083 main-1:0: connect ready > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.757: > > ../src/spice-channel.c:2466 main-1:0: Load CA, file: C:\ca-cert.pem, > > data: 0000000000000000 > > > > (remote-viewer.exe:3584): Spice-WARNING **: 15:13:18.819: > > ../subprojects/spice-common/common/ssl_verify.c:444:openssl_verify: > > Error in certificate chain verification: unable to get issuer > > certificate (num=2:depth1:/C=US/O=Let's Encrypt/CN=R3) > > > > (remote-viewer.exe:3584): GSpice-WARNING **: 15:13:18.819: main-1:0: > > SSL_connect: error:00000001:lib(0):func(0):reason(1) > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: > > ../src/spice-channel.c:2680 main-1:0: Coroutine exit main-1:0 > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: > > ../src/spice-channel.c:2871 main-1:0: reset > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: > > ../src/channel-main.c:1567 agent connected: no > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: > > ../src/spice-channel.c:2819 main-1:0: channel reset > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: > > ../src/spice-channel.c:2425 main-1:0: Delayed unref channel > 000000000462E480 > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: > > ../src/spice-session.c:2006 session: disconnecting 0 > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: > > ../src/spice-session.c:2349 main-1:0: the session lost the main > channel > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835: > > ../src/spice-channel.c:2888 main-1:0: channel disconnect 0 > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835: > > ../src/spice-channel.c:159 main-1:0: spice_channel_dispose > 000000000462E480 > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835: > > ../src/spice-channel.c:2888 main-1:0: channel disconnect 12 > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.756: > > ../src/spice-session.c:2006 session: disconnecting 1151 > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.757: > > ../src/spice-session.c:288 New session (compiled from package > spice-gtk > > 0.37) > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.758: > > ../src/spice-session.c:292 Supported channels: main, display, > inputs, > > cursor, playback, record, usbredir > > (remote-viewer.exe:3584): Spice-DEBUG: 15:13:19.759: > > ../src/usb-device-manager.c:259:spice_usb_device_manager_init: UsbDk > > driver is not installed > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.760: > > ../src/usb-device-manager.c:485 auto-connect filter set to > > 0x03,-1,-1,-1,0|-1,-1,-1,-1,1 > > > > > > > > also output when giving the --spica-ca-file, one thing i found > strange > > is the fact that Load CA file, shows zeroes as data, even when > provided > > file doesn't exist : > > > > (remote-viewer.exe:3584): GSpice-WARNING **: 15:13:17.962: > password may > > be visible in process listings > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965: > > ../src/spice-session.c:1814 no migration in progress > > Spice-INFO: 15:13:17.965: > > ../src/channel-main.c:337:spice_main_set_property: > > SpiceMainChannel::color-depth has been deprecated. Property is > ignored > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965: > > ../src/spice-channel.c:141 main-1:0: spice_channel_constructed > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965: > > ../src/spice-session.c:2309 main-1:0: new main channel, switching > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680: > > ../src/spice-channel.c:2707 main-1:0: Open coroutine starting > > 000000000462E480 > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680: > > ../src/spice-channel.c:2544 main-1:0: Started background coroutine > > 000000000462E338 > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680: > > ../src/spice-session.c:2231 Missing port value, not attempting > > unencrypted connection. > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680: > > ../src/spice-channel.c:2570 main-1:0: trying with TLS port > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694: > > ../src/spice-session.c:2244 main-1:0: Using TLS, port 5901 > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694: > > ../src/spice-session.c:2177 open host vdi.pishro.computer:5901 > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694: > > ../src/spice-session.c:2099 main-1:0: connecting 00000000071DFDD0... > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.757: > > ../src/spice-session.c:2083 main-1:0: connect ready > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.757: > > ../src/spice-channel.c:2466 main-1:0: Load CA, file: C:\ca-cert.pem, > > data: 0000000000000000 > > > > (remote-viewer.exe:3584): Spice-WARNING **: 15:13:18.819: > > ../subprojects/spice-common/common/ssl_verify.c:444:openssl_verify: > > Error in certificate chain verification: unable to get issuer > > certificate (num=2:depth1:/C=US/O=Let's Encrypt/CN=R3) > > > > (remote-viewer.exe:3584): GSpice-WARNING **: 15:13:18.819: main-1:0: > > SSL_connect: error:00000001:lib(0):func(0):reason(1) > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: > > ../src/spice-channel.c:2680 main-1:0: Coroutine exit main-1:0 > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: > > ../src/spice-channel.c:2871 main-1:0: reset > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: > > ../src/channel-main.c:1567 agent connected: no > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: > > ../src/spice-channel.c:2819 main-1:0: channel reset > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: > > ../src/spice-channel.c:2425 main-1:0: Delayed unref channel > 000000000462E480 > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: > > ../src/spice-session.c:2006 session: disconnecting 0 > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819: > > ../src/spice-session.c:2349 main-1:0: the session lost the main > channel > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835: > > ../src/spice-channel.c:2888 main-1:0: channel disconnect 0 > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835: > > ../src/spice-channel.c:159 main-1:0: spice_channel_dispose > 000000000462E480 > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835: > > ../src/spice-channel.c:2888 main-1:0: channel disconnect 12 > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.756: > > ../src/spice-session.c:2006 session: disconnecting 1151 > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.757: > > ../src/spice-session.c:288 New session (compiled from package > spice-gtk > > 0.37) > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.758: > > ../src/spice-session.c:292 Supported channels: main, display, > inputs, > > cursor, playback, record, usbredir > > (remote-viewer.exe:3584): Spice-DEBUG: 15:13:19.759: > > ../src/usb-device-manager.c:259:spice_usb_device_manager_init: UsbDk > > driver is not installed > > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.760: > > ../src/usb-device-manager.c:485 auto-connect filter set to > > 0x03,-1,-1,-1,0|-1,-1,-1,-1,1 > > > </blockquote></div>