<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Feb 18, 2018 at 5:32 PM, Jeremy Tourville <span dir="ltr"><<a href="mailto:Jeremy_Tourville@hotmail.com" target="_blank">Jeremy_Tourville@hotmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div id="gmail-m_4314768941515087156divtagdefaultwrapper" style="font-size:12pt;color:rgb(0,0,0);font-family:Calibri,Helvetica,sans-serif" dir="ltr">
<p style="margin-top:0px;margin-bottom:0px">Hello,</p>
<p style="margin-top:0px;margin-bottom:0px">I am having trouble connecting to my guest vm (Kali Linux) which is running spice. My engine is running version: <span class="gmail-m_4314768941515087156gwt-InlineLabel gmail-m_4314768941515087156GNEKTHVBIXB"></span><span class="gmail-m_4314768941515087156gwt-InlineLabel">4.2.1.7-1.el7.centos</span>.</p>
<p style="margin-top:0px;margin-bottom:0px">I am using oVirt Node as my host running version:<span> 4.2.1.1.
<br>
</span></p>
<p style="margin-top:0px;margin-bottom:0px"><span><br>
</span></p>
<p style="margin-top:0px;margin-bottom:0px"><span>I have taken the following steps to try and get everything running properly.</span></p>
<ol style="margin-bottom:0px;margin-top:0px">
<li><span>Download the root CA certificate <a href="https://ovirtengine.lan/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA" class="gmail-m_4314768941515087156OWAAutoLink" id="gmail-m_4314768941515087156LPlnk141717" target="_blank">https://<wbr>ovirtengine.lan/ovirt-engine/<wbr>services/pki-resource?<wbr>resource=ca-certificate&<wbr>format=X509-PEM-CA</a></span></li><li><span>Edit the vm and define the graphical console entries. Video type is set to QXL, Graphics protocol is spice, USB support is enabled.</span></li><li><span>Install the guest agent in Debian per the instructions here - <a href="https://www.ovirt.org/documentation/how-to/guest-agent/install-the-guest-agent-in-debian/" class="gmail-m_4314768941515087156OWAAutoLink" id="gmail-m_4314768941515087156LPlnk263752" target="_blank">
https://www.ovirt.org/<wbr>documentation/how-to/guest-<wbr>agent/install-the-guest-agent-<wbr>in-debian/</a> It is my understanding that installing the guest agent will also install the virt IO device drivers.<br>
</span></li><li><span>Install the spice-vdagent per the instructions here - <a href="https://www.ovirt.org/documentation/how-to/guest-agent/install-the-spice-guest-agent/" class="gmail-m_4314768941515087156OWAAutoLink" id="gmail-m_4314768941515087156LPlnk313725" target="_blank">
https://www.ovirt.org/<wbr>documentation/how-to/guest-<wbr>agent/install-the-spice-guest-<wbr>agent/</a></span></li><li><span> On the aSpice client I have imported the CA certficate from step 1 above. I defined the connection using the IP of my Node and TLS port 5901.</span></li></ol></div></div></blockquote><div><br></div><div>are you really using aSPICE client (e.g. the android SPICE client?). If yes, maybe you want to try to open it using moVirt (<a href="https://play.google.com/store/apps/details?id=org.ovirt.mobile.movirt&hl=en">https://play.google.com/store/apps/details?id=org.ovirt.mobile.movirt&hl=en</a>) which delegates the console to aSPICE but configures everything including the certificates on it. Should be much simpler than configuring it by hand..<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div id="gmail-m_4314768941515087156divtagdefaultwrapper" style="font-size:12pt;color:rgb(0,0,0);font-family:Calibri,Helvetica,sans-serif" dir="ltr">
<span><br>
To troubleshoot my connection issues I confirmed the port being used to listen. <br>
<div>virsh # domdisplay Kali<br>
<span>spice://<a href="http://172.30.42.12?tls-port=5901" target="_blank">172.30.42.12?tls-port=<wbr>5901</a></span></div>
<br>
I see the following when attempting to connect.<br>
tail -f <span>/var/log/libvirt/qemu</span>/Kali.log<br>
<br>
<div>
<div>140400191081600:error:<wbr>14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:s3_pkt.c:1493:SSL alert number 80<br>
((null):27595): Spice-Warning **: reds_stream.c:379:reds_stream_<wbr>ssl_accept: SSL_accept failed, error=1<br>
<br>
I came across some documentation that states in the caveat section "<span>Certificate of spice SSL should be separate certificate."</span><br>
<a href="https://www.ovirt.org/develop/release-management/features/infra/pki/" class="gmail-m_4314768941515087156OWAAutoLink" id="gmail-m_4314768941515087156LPlnk743161" target="_blank">https://www.ovirt.org/develop/<wbr>release-management/features/<wbr>infra/pki/</a><br>
<br>
Is this still the case for version 4? The document references version 3.2 and 3.3. If so, how do I generate a new certificate for use with spice? Please let me know if you require further info to troubleshoot, I am happy to provide it. Many thanks in advance.<br>
<a href="https://www.ovirt.org/develop/release-management/features/infra/pki/" class="gmail-m_4314768941515087156OWAAutoLink" id="gmail-m_4314768941515087156LPlnk743161" target="_blank"></a><br>
<br>
</div>
<br>
<br>
</div>
<br>
</span><br>
<span><br>
<br>
</span>
<p style="margin-top:0px;margin-bottom:0px"><br>
</p>
</div>
</div>
<br>______________________________<wbr>_________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/<wbr>mailman/listinfo/users</a><br>
<br></blockquote></div><br></div></div>