<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p style="margin-top:0;margin-bottom:0">Hello,</p>
<p style="margin-top:0;margin-bottom:0">I am having trouble connecting to my guest vm (Kali Linux) which is running spice. My engine is running version: <span class="gwt-InlineLabel GNEKTHVBIXB"></span><span class="gwt-InlineLabel">4.2.1.7-1.el7.centos</span>.</p>
<p style="margin-top:0;margin-bottom:0">I am using oVirt Node as my host running version:<span> 4.2.1.1.
<br>
</span></p>
<p style="margin-top:0;margin-bottom:0"><span><br>
</span></p>
<p style="margin-top:0;margin-bottom:0"><span>I have taken the following steps to try and get everything running properly.</span></p>
<ol style="margin-bottom: 0px; margin-top: 0px;">
<li><span>Download the root CA certificate <a href="https://ovirtengine.lan/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA" class="OWAAutoLink" id="LPlnk141717" previewremoved="true">https://ovirtengine.lan/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA</a></span></li><li><span>Edit the vm and define the graphical console entries. Video type is set to QXL, Graphics protocol is spice, USB support is enabled.</span></li><li><span>Install the guest agent in Debian per the instructions here - <a href="https://www.ovirt.org/documentation/how-to/guest-agent/install-the-guest-agent-in-debian/" class="OWAAutoLink" id="LPlnk263752" previewremoved="true">
https://www.ovirt.org/documentation/how-to/guest-agent/install-the-guest-agent-in-debian/</a> It is my understanding that installing the guest agent will also install the virt IO device drivers.<br>
</span></li><li><span>Install the spice-vdagent per the instructions here - <a href="https://www.ovirt.org/documentation/how-to/guest-agent/install-the-spice-guest-agent/" class="OWAAutoLink" id="LPlnk313725" previewremoved="true">
https://www.ovirt.org/documentation/how-to/guest-agent/install-the-spice-guest-agent/</a></span></li><li><span> On the aSpice client I have imported the CA certficate from step 1 above. I defined the connection using the IP of my Node and TLS port 5901.</span></li></ol>
<span><br>
To troubleshoot my connection issues I confirmed the port being used to listen. <br>
<div>virsh # domdisplay Kali<br>
<span>spice://172.30.42.12?tls-port=5901</span></div>
<br>
I see the following when attempting to connect.<br>
tail -f <span>/var/log/libvirt/qemu</span>/Kali.log<br>
<br>
<div>
<div>140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:s3_pkt.c:1493:SSL alert number 80<br>
((null):27595): Spice-Warning **: reds_stream.c:379:reds_stream_ssl_accept: SSL_accept failed, error=1<br>
<br>
I came across some documentation that states in the caveat section "<span>Certificate of spice SSL should be separate certificate."</span><br>
<a href="https://www.ovirt.org/develop/release-management/features/infra/pki/" class="OWAAutoLink" id="LPlnk743161" previewremoved="true">https://www.ovirt.org/develop/release-management/features/infra/pki/</a><br>
<br>
Is this still the case for version 4? The document references version 3.2 and 3.3. If so, how do I generate a new certificate for use with spice? Please let me know if you require further info to troubleshoot, I am happy to provide it. Many thanks in advance.<br>
<a href="https://www.ovirt.org/develop/release-management/features/infra/pki/" class="OWAAutoLink" id="LPlnk743161" previewremoved="true"></a><br>
<br>
</div>
<br>
<br>
</div>
<br>
</span><br>
<span><br>
<br>
</span>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
</div>
</body>
</html>