<div dir="ltr">Hi Uri,<div><br></div><div>Thanks for the reply!</div><div>No, remote-viewer is not running on the same server (in neither the Windows nor the Linux tests).</div><div><br></div><div>I haven't tried spice-host-subject, but will certainly give it a try. The question is: since what I'm seeking to do is create a general package (one that is usable across multiple installations with different certs and domains), is it really necessary to have ca-cert or host-subject available on Windows? I assume it should be possible to get them from the running OS itself...</div><div><br></div><div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">---<br>Armin ranjbar<br><div><br></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Dec 22, 2020 at 3:54 AM Uri Lublin &lt;<a href="mailto:uril@redhat.com">uril@redhat.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 12/20/20 5:37 PM, Armin Ranjbar wrote:<br>
> Hi, With pleasure!<br>
> <br>
> Qemu command line:<br>
> /usr/bin/qemu-system-x86_64 -name <br>
> guest=test1-DOMAIN_XLMEP2ZCTPH2NRMV,debug-threads=on -S -object <br>
> secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-1-test1-pishro.compute/master-key.aes <br>
> -machine pc-i440fx-4.2,accel=kvm,usb=off,vmport=off,dump-guest-core=off <br>
> -cpu <br>
> SandyBridge-IBRS,vme=on,vmx=on,pcid=on,hypervisor=on,arat=on,tsc-adjust=on,umip=on,md-clear=on,stibp=on,arch-capabilities=on,ssbd=on,xsaveopt=on,pdpe1gb=on,ibpb=on,amd-stibp=on,amd-ssbd=on,skip-l1dfl-vmentry=on,pschange-mc-no=on,hv-time,hv-relaxed,hv-vapic,hv-spinlocks=0x1000,hv-vpindex,hv-runtime,hv-synic,hv-stimer,hv-stimer-direct,hv-reset,hv-vendor-id=DaaS,hv-crash <br>
> -m 3248 -overcommit mem-lock=off -smp 2,sockets=1,cores=2,threads=1 <br>
> -uuid 3c01cc16-3a72-11eb-ae67-c3a189c89e46 -no-user-config -nodefaults <br>
> -chardev socket,id=charmonitor,fd=31,server,nowait -mon <br>
> chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew <br>
> -global kvm-pit.lost_tick_policy=delay -no-hpet -no-shutdown -global <br>
> PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot strict=on <br>
> -device pci-bridge,chassis_nr=1,id=pci.1,bus=pci.0,addr=0x3 -device <br>
> qemu-xhci,p2=15,p3=15,id=usb,bus=pci.0,addr=0x5 -device <br>
> ahci,id=sata0,bus=pci.0,addr=0x8 -device <br>
> virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x6 -object <br>
> secret,id=libvirt-2-storage-secret0,data=yLtgtQTQJM5xCBZ2TPh1JkrbTTqXkoBo4JEqBOKQBF0=,keyid=masterKey0,iv=H9oULsQg3K4UnoPu65gA/A==,format=base64 <br>
> -blockdev <br>
> {"driver":"rbd","pool":"base_disks","image":"test1-DOMAIN_XLMEP2ZCTPH2NRMV","server":[{"host":"192.168.0.126","port":"3300"}],"user":"admin","auth-client-required":["cephx","none"],"key-secret":"libvirt-2-storage-secret0","node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"} <br>
> -blockdev <br>
> {"node-name":"libvirt-2-format","read-only":false,"driver":"raw","file":"libvirt-2-storage"} <br>
> -device <br>
> ide-hd,bus=sata0.0,drive=libvirt-2-format,id=sata0-0-0,bootindex=1 <br>
> -blockdev <br>
> {"driver":"file","filename":"/var/lib/libvirt/images/windows.iso","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"} <br>
> -blockdev <br>
> {"node-name":"libvirt-1-format","read-only":true,"driver":"raw","file":"libvirt-1-storage"} <br>
> -device <br>
> ide-cd,bus=sata0.1,share-rw=on,drive=libvirt-1-format,id=sata0-0-1,bootindex=2 <br>
> -netdev tap,fd=33,id=hostnet0 -device <br>
> e1000,netdev=hostnet0,id=net0,mac=4a:df:1f:e9:c8:1e,bus=pci.1,addr=0x3 <br>
> -chardev pty,id=charserial0 -device <br>
> isa-serial,chardev=charserial0,id=serial0 -chardev <br>
> spicevmc,id=charchannel0,name=vdagent -device <br>
> virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 <br>
> -chardev socket,id=charchannel1,fd=34,server,nowait -device <br>
> virtserialport,bus=virtio-serial0.0,nr=2,chardev=charchannel1,id=channel1,name=org.qemu.guest_agent.0 <br>
> -chardev spiceport,id=charchannel2,name=org.spice-space.webdav.0 -device <br>
> virtserialport,bus=virtio-serial0.0,nr=3,chardev=charchannel2,id=channel2,name=org.spice-space.webdav.0 <br>
> -device usb-tablet,id=input0,bus=usb.0,port=1 -spice <br>
> port=5900,tls-port=5901,addr=0.0.0.0,agent-mouse=on,x509-dir=/etc/pki/libvirt-spice,image-compression=auto_lz,jpeg-wan-compression=auto,zlib-glz-wan-compression=auto,playback-compression=on,streaming-video=filter,seamless-migration=on <br>
> -device <br>
> qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,vram64_size_mb=0,vgamem_mb=16,max_outputs=1,bus=pci.0,addr=0x2 <br>
> -device ich9-intel-hda,id=sound0,bus=pci.0,addr=0x4 -device <br>
> hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device <br>
> i6300esb,id=watchdog0,bus=pci.0,addr=0x9 -watchdog-action reset -chardev <br>
> spicevmc,id=charredir0,name=usbredir -device <br>
> usb-redir,chardev=charredir0,id=redir0,bus=usb.0,port=2 -chardev <br>
> spicevmc,id=charredir1,name=usbredir -device <br>
> usb-redir,chardev=charredir1,id=redir1,bus=usb.0,port=3 -chardev <br>
> spicevmc,id=charredir2,name=usbredir -device <br>
> usb-redir,chardev=charredir2,id=redir2,bus=usb.0,port=4 -chardev <br>
> spicevmc,id=charredir3,name=usbredir -device <br>
> usb-redir,chardev=charredir3,id=redir3,bus=usb.0,port=5 -device <br>
> virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x10 -sandbox <br>
> on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny <br>
> -msg timestamp=on<br>
> <br>
> <br>
> remote-viewer on linux:<br>
> remote-viewer spice+tls://DOMAIN:5901 (works)<br>
<br>
Does remote-viewer run on the same machine as qemu-kvm ?<br>
<br>
Many times I also provide<br>
   --spice-host-subject=$HOST_CERT_SUBJECT<br>
<br>
HOST_CERT_SUBJECT=$(openssl x509 -noout -text -in \<br>
  $path_to_server-cert.pem | grep 'Subject:')<br>
  # and remove spaces<br>
<br>
> remote-viewer --spice-ca-file=$path_to_ca-cert.crt <br>
> spice+tls://DOMAIN:5901 (works)<br>
> <br>
> remote-viewer on Windows:<br>
> remote-viewer spice+tls://DOMAIN:5901 (doesn't work)<br>
> remote-viewer --spice-ca-file=$path_to_ca-cert.crt <br>
> spice+tls://DOMAIN:5901 (doesn't work)<br>
<br>
Does it help if you provide it a --spice-host-subject ?<br>
<br>
I'll try to give it a try soon.<br>
<br>
Uri.<br>
<br>
> <br>
> debug output of both provided in the first email, also tried building <br>
> remote-viewer and spice-client libraries from MASTER for windows.<br>
> <br>
> Thank you for the help!<br>
> ---<br>
> Armin ranjbar<br>
> <br>
> <br>
> <br>
> On Sun, Dec 20, 2020 at 6:50 PM Uri Lublin &lt;<a href="mailto:uril@redhat.com" target="_blank">uril@redhat.com</a>&gt; wrote:<br>
> <br>
>     On 12/15/20 1:45 PM, Armin Ranjbar wrote:<br>
>      > Dear Everyone,<br>
>      ><br>
>      > As always, let me thank you first for the effort you put in Spice.<br>
>      ><br>
>      > I have a strange case here, libvirt is configured with letsencrypt<br>
>      > certificates, remote-viewer works happily on Linux, but it<br>
>     doesn't seem<br>
>      > to be able to get local issuer certificate on windows.<br>
>      > same error even when I try to give the address of CA file via<br>
>      > --spice-ca-file, attaching logs with spice-debug here:<br>
> <br>
>     Hi,<br>
> <br>
>     Can you please provide<br>
>     1. qemu-kvm commandline -spice option<br>
>     2. remote-viewer commandline (for both windows and linux)?<br>
>     3. Does the Linux remote-viewer run on the same<br>
>          machine as libvirt/qemu-kvm or does it run on a<br>
>          different machine?<br>
>     4. Did you copy the CA-certificate onto the windows machine ?<br>
>          (Just verifying, I see the name is correctly ca-cert.pem)<br>
> <br>
>     Uri.<br>
> <br>
>      ><br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.293:<br>
>      > ../src/spice-session.c:292 Supported channels: main, display,<br>
>     inputs,<br>
>      > cursor, playback, record, usbredir<br>
>      > (remote-viewer.exe:3584): Spice-DEBUG: 15:13:17.293:<br>
>      > ../src/usb-device-manager.c:259:spice_usb_device_manager_init: UsbDk<br>
>      > driver is not installed<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.293:<br>
>      > ../src/usb-device-manager.c:485 auto-connect filter set to<br>
>      > 0x03,-1,-1,-1,0|-1,-1,-1,-1,1<br>
>      ><br>
>      > (remote-viewer.exe:3584): GSpice-CRITICAL **: 15:13:17.293:<br>
>      > _usbdk_hider_update: assertion 'priv->usbdk_api != NULL' failed<br>
>      ><br>
>      > (remote-viewer.exe:3584): GSpice-WARNING **: 15:13:17.962:<br>
>     password may<br>
>      > be visible in process listings<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965:<br>
>      > ../src/spice-session.c:1814 no migration in progress<br>
>      > Spice-INFO: 15:13:17.965:<br>
>      > ../src/channel-main.c:337:spice_main_set_property:<br>
>      > SpiceMainChannel::color-depth has been deprecated. Property is<br>
>     ignored<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965:<br>
>      > ../src/spice-channel.c:141 main-1:0: spice_channel_constructed<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965:<br>
>      > ../src/spice-session.c:2309 main-1:0: new main channel, switching<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680:<br>
>      > ../src/spice-channel.c:2707 main-1:0: Open coroutine starting<br>
>      > 000000000462E480<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680:<br>
>      > ../src/spice-channel.c:2544 main-1:0: Started background coroutine<br>
>      > 000000000462E338<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680:<br>
>      > ../src/spice-session.c:2231 Missing port value, not attempting<br>
>      > unencrypted connection.<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680:<br>
>      > ../src/spice-channel.c:2570 main-1:0: trying with TLS port<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694:<br>
>      > ../src/spice-session.c:2244 main-1:0: Using TLS, port 5901<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694:<br>
>      > ../src/spice-session.c:2177 open host DOMAIN_REPLACED:5901<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694:<br>
>      > ../src/spice-session.c:2099 main-1:0: connecting 00000000071DFDD0...<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.757:<br>
>      > ../src/spice-session.c:2083 main-1:0: connect ready<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.757:<br>
>      > ../src/spice-channel.c:2466 main-1:0: Load CA, file: C:\ca-cert.pem,<br>
>      > data: 0000000000000000<br>
>      ><br>
>      > (remote-viewer.exe:3584): Spice-WARNING **: 15:13:18.819:<br>
>      > ../subprojects/spice-common/common/ssl_verify.c:444:openssl_verify:<br>
>      > Error in certificate chain verification: unable to get issuer<br>
>      > certificate (num=2:depth1:/C=US/O=Let's Encrypt/CN=R3)<br>
>      ><br>
>      > (remote-viewer.exe:3584): GSpice-WARNING **: 15:13:18.819: main-1:0:<br>
>      > SSL_connect: error:00000001:lib(0):func(0):reason(1)<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:<br>
>      > ../src/spice-channel.c:2680 main-1:0: Coroutine exit main-1:0<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:<br>
>      > ../src/spice-channel.c:2871 main-1:0: reset<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:<br>
>      > ../src/channel-main.c:1567 agent connected: no<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:<br>
>      > ../src/spice-channel.c:2819 main-1:0: channel reset<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:<br>
>      > ../src/spice-channel.c:2425 main-1:0: Delayed unref channel<br>
>     000000000462E480<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:<br>
>      > ../src/spice-session.c:2006 session: disconnecting 0<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:<br>
>      > ../src/spice-session.c:2349 main-1:0: the session lost the main<br>
>     channel<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835:<br>
>      > ../src/spice-channel.c:2888 main-1:0: channel disconnect 0<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835:<br>
>      > ../src/spice-channel.c:159 main-1:0: spice_channel_dispose<br>
>     000000000462E480<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835:<br>
>      > ../src/spice-channel.c:2888 main-1:0: channel disconnect 12<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.756:<br>
>      > ../src/spice-session.c:2006 session: disconnecting 1151<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.757:<br>
>      > ../src/spice-session.c:288 New session (compiled from package<br>
>     spice-gtk<br>
>      > 0.37)<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.758:<br>
>      > ../src/spice-session.c:292 Supported channels: main, display,<br>
>     inputs,<br>
>      > cursor, playback, record, usbredir<br>
>      > (remote-viewer.exe:3584): Spice-DEBUG: 15:13:19.759:<br>
>      > ../src/usb-device-manager.c:259:spice_usb_device_manager_init: UsbDk<br>
>      > driver is not installed<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.760:<br>
>      > ../src/usb-device-manager.c:485 auto-connect filter set to<br>
>      > 0x03,-1,-1,-1,0|-1,-1,-1,-1,1<br>
>      ><br>
>      ><br>
>      ><br>
>      > also output when giving the --spice-ca-file, one thing I found<br>
>     strange<br>
>      > is the fact that Load CA file, shows zeroes as data, even when<br>
>     provided<br>
>      > file doesn't exist :<br>
>      ><br>
>      > (remote-viewer.exe:3584): GSpice-WARNING **: 15:13:17.962:<br>
>     password may<br>
>      > be visible in process listings<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965:<br>
>      > ../src/spice-session.c:1814 no migration in progress<br>
>      > Spice-INFO: 15:13:17.965:<br>
>      > ../src/channel-main.c:337:spice_main_set_property:<br>
>      > SpiceMainChannel::color-depth has been deprecated. Property is<br>
>     ignored<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965:<br>
>      > ../src/spice-channel.c:141 main-1:0: spice_channel_constructed<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:17.965:<br>
>      > ../src/spice-session.c:2309 main-1:0: new main channel, switching<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680:<br>
>      > ../src/spice-channel.c:2707 main-1:0: Open coroutine starting<br>
>      > 000000000462E480<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680:<br>
>      > ../src/spice-channel.c:2544 main-1:0: Started background coroutine<br>
>      > 000000000462E338<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680:<br>
>      > ../src/spice-session.c:2231 Missing port value, not attempting<br>
>      > unencrypted connection.<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.680:<br>
>      > ../src/spice-channel.c:2570 main-1:0: trying with TLS port<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694:<br>
>      > ../src/spice-session.c:2244 main-1:0: Using TLS, port 5901<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694:<br>
>      > ../src/spice-session.c:2177 open host vdi.pishro.computer:5901<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.694:<br>
>      > ../src/spice-session.c:2099 main-1:0: connecting 00000000071DFDD0...<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.757:<br>
>      > ../src/spice-session.c:2083 main-1:0: connect ready<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.757:<br>
>      > ../src/spice-channel.c:2466 main-1:0: Load CA, file: C:\ca-cert.pem,<br>
>      > data: 0000000000000000<br>
>      ><br>
>      > (remote-viewer.exe:3584): Spice-WARNING **: 15:13:18.819:<br>
>      > ../subprojects/spice-common/common/ssl_verify.c:444:openssl_verify:<br>
>      > Error in certificate chain verification: unable to get issuer<br>
>      > certificate (num=2:depth1:/C=US/O=Let's Encrypt/CN=R3)<br>
>      ><br>
>      > (remote-viewer.exe:3584): GSpice-WARNING **: 15:13:18.819: main-1:0:<br>
>      > SSL_connect: error:00000001:lib(0):func(0):reason(1)<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:<br>
>      > ../src/spice-channel.c:2680 main-1:0: Coroutine exit main-1:0<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:<br>
>      > ../src/spice-channel.c:2871 main-1:0: reset<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:<br>
>      > ../src/channel-main.c:1567 agent connected: no<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:<br>
>      > ../src/spice-channel.c:2819 main-1:0: channel reset<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:<br>
>      > ../src/spice-channel.c:2425 main-1:0: Delayed unref channel<br>
>     000000000462E480<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:<br>
>      > ../src/spice-session.c:2006 session: disconnecting 0<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.819:<br>
>      > ../src/spice-session.c:2349 main-1:0: the session lost the main<br>
>     channel<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835:<br>
>      > ../src/spice-channel.c:2888 main-1:0: channel disconnect 0<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835:<br>
>      > ../src/spice-channel.c:159 main-1:0: spice_channel_dispose<br>
>     000000000462E480<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:18.835:<br>
>      > ../src/spice-channel.c:2888 main-1:0: channel disconnect 12<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.756:<br>
>      > ../src/spice-session.c:2006 session: disconnecting 1151<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.757:<br>
>      > ../src/spice-session.c:288 New session (compiled from package<br>
>     spice-gtk<br>
>      > 0.37)<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.758:<br>
>      > ../src/spice-session.c:292 Supported channels: main, display,<br>
>     inputs,<br>
>      > cursor, playback, record, usbredir<br>
>      > (remote-viewer.exe:3584): Spice-DEBUG: 15:13:19.759:<br>
>      > ../src/usb-device-manager.c:259:spice_usb_device_manager_init: UsbDk<br>
>      > driver is not installed<br>
>      > (remote-viewer.exe:3584): GSpice-DEBUG: 15:13:19.760:<br>
>      > ../src/usb-device-manager.c:485 auto-connect filter set to<br>
>      > 0x03,-1,-1,-1,0|-1,-1,-1,-1,1<br>
>      ><br>
> <br>
<br>
</blockquote></div>
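<div>Added example, not part of the original thread: the OpenSSL error in the quoted log (error 2, "unable to get issuer certificate" at depth 1) is the result OpenSSL gives when the CA file holds an intermediate certificate but not the root that issued it. The script below builds a constructed root, intermediate and server certificate (all names and subjects are made up), compares the verdict for an incomplete and a complete CA bundle, and prints a comma-separated subject string of the kind passed to --spice-host-subject, using <code>-nameopt sep_comma_plus</code> as a substitute for the grep in the reply.</div>

```shell
#!/bin/sh
# Added example. All subjects, host names and files are constructed.

make_chain() {   # $1 = work dir; builds root -> intermediate -> server
    d=$1
    cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF
    # Self-signed root (stands in for the public root CA).
    openssl req -x509 -config "$d/ext.cnf" -extensions ca -newkey rsa:2048 \
        -nodes -days 2 -subj "/O=ExampleOrg/CN=Example Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Intermediate signed by the root (stands in for "R3" in the log).
    openssl req -new -config "$d/ext.cnf" -newkey rsa:2048 -nodes \
        -subj "/O=ExampleOrg/CN=Example R3" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ext.cnf" -extensions ca \
        -out "$d/int.pem" 2>/dev/null
    # Server certificate signed by the intermediate.
    openssl req -new -config "$d/ext.cnf" -newkey rsa:2048 -nodes \
        -subj "/O=ExampleOrg/CN=vdi.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -extfile "$d/ext.cnf" -extensions leaf \
        -out "$d/server.pem" 2>/dev/null
}

chain_verdict() {   # $1 = CA bundle, $2 = certificate; prints OK or the error
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case $out in
        *": OK") echo "OK" ;;
        *) printf '%s\n' "$out" | grep '^error [0-9]' | head -n 1 ;;
    esac
}

host_subject() {    # $1 = server certificate; prints e.g. O=...,CN=...
    # sep_comma_plus keeps certificate order and puts no spaces around "," or "="
    openssl x509 -noout -subject -nameopt sep_comma_plus -in "$1" |
        sed 's/^subject= *//'
}

work=$(mktemp -d)
make_chain "$work"
cat "$work/int.pem" "$work/root.pem" > "$work/full.pem"
echo "CA file = intermediate only: $(chain_verdict "$work/int.pem" "$work/server.pem")"
echo "CA file = intermediate+root: $(chain_verdict "$work/full.pem" "$work/server.pem")"
echo "host subject:                $(host_subject "$work/server.pem")"
rm -rf "$work"
```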