<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 21, 2018 at 2:05 AM, Jeremy Tourville <span dir="ltr"><<a href="mailto:Jeremy_Tourville@hotmail.com" target="_blank">Jeremy_Tourville@hotmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div id="gmail-m_7020420698810972152divtagdefaultwrapper" style="font-size:12pt;color:rgb(0,0,0);font-family:Calibri,Helvetica,sans-serif" dir="ltr">
<p style="margin-top:0px;margin-bottom:0px">Hello everyone,<br>
</p>
<p style="margin-top:0px;margin-bottom:0px">I can confirm that spice is working for me when I launch it using the .vv file. I have virt viewer installed on my Windows pc and it works without issue. I can also launch spice when I use movirt without any issues.
I examined the contents of the .vv file to see what the certificate looks like. I can confirm that the certificate in the .vv file is the same as the file I downloaded in step 1 of my directions.
<br>
</p>
<p style="margin-top:0px;margin-bottom:0px"><br>
</p>
<p style="margin-top:0px;margin-bottom:0px">I reviewed the PKI reference<a href="https://www.ovirt.org/develop/release-management/features/infra/pki/" class="gmail-m_7020420698810972152OWAAutoLink" id="gmail-m_7020420698810972152LPlnk894408" target="_blank"> (https://www.ovirt.org/<wbr>develop/release-management/<wbr>features/infra/pki/)
</a><span class="gmail-m_7020420698810972152OWAAutoLink"></span></p>
<div>for a second time and I see the same certificate located in different locations.
</div>
<p></p>
<p style="margin-top:0px;margin-bottom:0px"><br>
</p>
<p style="margin-top:0px;margin-bottom:0px">For example, all these locations contain the same certificate-</p>
<ul style="margin-bottom:0px;margin-top:0px">
<li><font size="2"><span style="font-size:11pt"><a href="https://ovirtengine.lan/ovirt-en" id="gmail-m_7020420698810972152LPlnk401540" target="_blank"></a><a href="https://ovirtengine.lan/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA" target="_blank">https://ovirtengine.lan/ovirt-<wbr>engine/services/pki-resource?<wbr>resource=ca-certificate&<wbr>format=X509-PEM-CA</a></span></font><br>
</li><li>/etc/pki/vdsm/certs/cacert.pem</li><li>/etc/pki/vdsm/libvirt-spice/<wbr>ca-cert.pem</li><li>/etc/pki/CA/cacert.pem</li></ul>
<p style="margin-top:0px;margin-bottom:0px">This is the certificate I am using to configure my aSpice client.
<br>
</p>
<p style="margin-top:0px;margin-bottom:0px">Can someone answer the question from my original post? The PKI reference says for version 3.2 and 3.3. Is the documentation still correct for version 4.2?</p>
<p style="margin-top:0px;margin-bottom:0px"><br>
</p>
<p style="margin-top:0px;margin-bottom:0px">At this point I am trying to find out where the problem exists - i.e.
<br>
</p>
<p style="margin-top:0px;margin-bottom:0px">#1 Is my client not configured correctly?
<br>
</p>
<p style="margin-top:0px;margin-bottom:0px">#2 Am I using the wrong cert? (I think I am using the correct cert based on the research I listed above)</p></div></div></blockquote><div><br></div><div>I'd guess yes based on above<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div id="gmail-m_7020420698810972152divtagdefaultwrapper" style="font-size:12pt;color:rgb(0,0,0);font-family:Calibri,Helvetica,sans-serif" dir="ltr">
<p style="margin-top:0px;margin-bottom:0px">#3 Does my client need to be able to send a password? (based on the contents of the .vv file, I'd have to guess yes)</p></div></div></blockquote><div><br></div><div>yes<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div id="gmail-m_7020420698810972152divtagdefaultwrapper" style="font-size:12pt;color:rgb(0,0,0);font-family:Calibri,Helvetica,sans-serif" dir="ltr">
<p style="margin-top:0px;margin-bottom:0px">Also my xml file for the VM in question contains this:
</p>
<div> &lt;graphics type='spice' autoport='yes' defaultMode='secure' passwd='*****' passwdValidTo='1970-01-01T00:00:01'&gt;<br>
Please note: I did not perform any hand configuration of the xml file, it was all done by the system using the UI.<br></div></div></div></blockquote><div><br></div><div>the password is generated automatically. Normally it works like this:<br></div><div>- you ask for the .vv file<br></div><div>- ovirt generates a temporary password you can use to connect to console<br></div><div>- you can connect to the console using this temporary password<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div id="gmail-m_7020420698810972152divtagdefaultwrapper" style="font-size:12pt;color:rgb(0,0,0);font-family:Calibri,Helvetica,sans-serif" dir="ltr"><div>
</div>
#4 Can I configure a file on the system to turn off ticketing and passwords and see if that makes a difference, if so, what file?
</div></div></blockquote><div><br></div><div>I don't think there is an easy way to do this... Maybe writing some vdsm hook or some other complex hack. I've seen an old discussion about it here:<br><a href="http://lists.ovirt.org/pipermail/users/2014-August/026774.html">http://lists.ovirt.org/pipermail/users/2014-August/026774.html</a><br></div><div>but I would not recommend you to go down this path.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div id="gmail-m_7020420698810972152divtagdefaultwrapper" style="font-size:12pt;color:rgb(0,0,0);font-family:Calibri,Helvetica,sans-serif" dir="ltr"><p></p>
<p style="margin-top:0px;margin-bottom:0px">#5 Can someone explain this error? <br>
</p><span class="gmail-">
<p style="margin-top:0px;margin-bottom:0px"><font size="2"><span style="font-size:11pt">140400191081600:error:<wbr>14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:s3_pkt.c:1493:SSL alert number 80
<br>
((null):27595): Spice-Warning **:reds_stream.c:379:reds_<wbr>stream_ssl_accept: SSL_accept failed, error=1</span></font></p>
<p style="margin-top:0px;margin-bottom:0px"><font size="2"><span style="font-size:11pt"></span></font></p>
</span><div>What I know about it is this:<br>
According to RFC 2246, the alert number 80 represents an "internal error". Here is the description from the RFC<br>
internal_error: An internal error unrelated to the peer or the correctness of the protocol makes it impossible to continue (such as a memory allocation failure). This message is always fatal.</div>
<p></p>
<div>#6 Could this error be related to any of #1 through #4 above?<br></div></div></div></blockquote><div><br></div><div>yes, I'd say yes.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div id="gmail-m_7020420698810972152divtagdefaultwrapper" style="font-size:12pt;color:rgb(0,0,0);font-family:Calibri,Helvetica,sans-serif" dir="ltr"><div>
<br>
Thanks!<br>
<br>
</div>
<br>
<div style="color:rgb(0,0,0)">
<hr style="display:inline-block;width:98%">
<div id="gmail-m_7020420698810972152divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" color="#000000" face="Calibri, sans-serif"><b>From:</b> Karli Sjöberg <<a href="mailto:karli@inparadise.se" target="_blank">karli@inparadise.se</a>><br>
<b>Sent:</b> Tuesday, February 20, 2018 2:56 AM<br>
<b>To:</b> Tomas Jelinek; Jeremy Tourville<div><div class="gmail-h5"><br>
<b>Cc:</b> <a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a><br>
<b>Subject:</b> Re: [ovirt-users] Spice Client Connection Issues Using aSpice</div></div></font>
<div> </div>
</div>
<div class="gmail-m_7020420698810972152BodyFragment"><font size="2"><span style="font-size:11pt">
<div class="gmail-m_7020420698810972152PlainText"><div><div class="gmail-h5">On Tue, 2018-02-20 at 08:59 +0100, Tomas Jelinek wrote:<br>
> <br>
> <br>
> On Mon, Feb 19, 2018 at 7:10 PM, Jeremy Tourville &lt;Jeremy_Tourville@hotmail.com&gt; wrote:<br>
> > Hi Tomas, <br>
> > To answer your question, yes I am really trying to use aSpice.<br>
> > <br>
> > I appreciate your suggestion. I'm not sure if it meets my<br>
> > objective. Maybe our goals are different? It seems to me that<br>
> > movirt is built around portable management of the ovirt<br>
> > environment. I am attempting to provide a VDI type experience for<br>
> > running a vm. My goal is to run a lab environment with 30<br>
> > chromebooks loaded with a spice client. The spice client would of<br>
> > course connect to the 30 vms running Kali and each session would be<br>
> > independent of each other. <br>
> > <br>
> <br>
> yes, it looks like a different use case<br>
> <br>
> > I did a little further testing with a different client. (spice<br>
> > plugin for chrome). When I attempted to connect using that client<br>
> > I got a slightly different error message. The message still seemed<br>
> > to be of the same nature- i.e.: there is a problem with SSL<br>
> > protocol and communication. <br>
> > <br>
> > Are you suggesting that movirt can help set up the proper<br>
> > certificates and config the vms to use spice? Thanks!<br>
> > <br>
> <br>
> moVirt has been developed for quite some time and works pretty well,<br>
> this is why I recommended it. But anyway, you have a different use<br>
> case.<br>
> <br>
> What I think the issue is, is that oVirt can have different CAs set<br>
> for console communication and for API. And I think you are trying to<br>
> configure aSPICE to use the one for API. <br>
> <br>
> What moVirt does to make sure it is using the correct CA to put into<br>
> the aSPICE is that it downloads the .vv file of the VM (e.g. you can<br>
> just connect to console using webadmin and save the .vv file<br>
> somewhere), parse it and use the CA= part from it as a certificate.<br>
> This one is guaranteed to be the correct one.<br>
> <br>
> For more details about what else it takes from the .vv file you can<br>
> check here:<br>
> the parsing: <a href="https://github.com/oVirt/moVirt/blob/master/moVirt/src/main/java/org/ovirt/mobile/movirt/rest/client/httpconverter/VvFileHttpMessageConverter.java" id="gmail-m_7020420698810972152LPlnk119727" target="_blank">https://github.com/oVirt/moVirt/blob/master/moVirt/src/main/java/org/ovirt/mobile/movirt/rest/client/httpconverter/VvFileHttpMessageConverter.java</a><br>
> configuration of aSPICE: <a href="https://github.com/oVirt/moVirt/blob/master/moVirt/src/main/java/org/ovirt/mobile/movirt/util/ConsoleHelper.java" id="gmail-m_7020420698810972152LPlnk744960" target="_blank">https://github.com/oVirt/moVirt/blob/master/moVirt/src/main/java/org/ovirt/mobile/movirt/util/ConsoleHelper.java</a><br>
> <br>
> enjoy :)<br>
<br>
Feels to me like OP should try to get it working _any_ "normal" way<br>
before trying to get the special use case application working?<br>
<br>
Like trying to run before learning to crawl, if that makes sense?<br>
<br>
I would suggest just logging in to webadmin with a regular PC and<br>
trying to get a SPICE console with remote-viewer to begin with. Then,<br>
once that works, try to get a SPICE console working through moVirt with<br>
aSPICE on an Android phone, or one of the Chromebooks you have to play<br>
with before going into production. Once that's settled and you know it<br>
should work the way you normally access it, you can start playing with<br>
your special use case application.<br>
<br>
Hope it helps!<br>
<br>
/K<br>
<br>
> <br>
> > <br>
> > From: Tomas Jelinek <<a href="mailto:tjelinek@redhat.com" target="_blank">tjelinek@redhat.com</a>><br>
> > Sent: Monday, February 19, 2018 4:19 AM<br>
> > To: Jeremy Tourville<br>
> > Cc: <a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a><br>
> > Subject: Re: [ovirt-users] Spice Client Connection Issues Using<br>
> > aSpice<br>
> > <br>
> > <br>
> > <br>
> > On Sun, Feb 18, 2018 at 5:32 PM, Jeremy Tourville &lt;Jeremy_Tourville@hotmail.com&gt; wrote:<br>
> > > Hello,<br>
> > > I am having trouble connecting to my guest vm (Kali Linux) which<br>
> > > is running spice. My engine is running version: 4.2.1.7-<br>
> > > 1.el7.centos.<br>
> > > I am using oVirt Node as my host running version: 4.2.1.1. <br>
> > > <br>
> > > I have taken the following steps to try and get everything<br>
> > > running properly.<br>
> > > Download the root CA certificate <a href="https://ovirtengine.lan/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA" id="gmail-m_7020420698810972152LPlnk401540" target="_blank">https://ovirtengine.lan/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA</a><br>
> > > Edit the vm and define the graphical console entries. Video type<br>
> > > is set to QXL, Graphics protocol is spice, USB support is<br>
> > > enabled.<br>
> > > Install the guest agent in Debian per the instructions here - <a href="https://www.ovirt.org/documentation/how-to/guest-agent/install-the-guest-agent-in-debian/" target="_blank">https://www.ovirt.org/documentation/how-to/guest-agent/install-the-guest-agent-in-debian/</a><br>
> > > It is my understanding that installing<br>
> > > the guest agent will also install the virt IO device drivers.<br>
> > > Install the spice-vdagent per the instructions here - <a href="https://www.ovirt.org/documentation/how-to/guest-agent/install-the-spice-guest-agent/" id="gmail-m_7020420698810972152LPlnk534540" target="_blank">https://www.ovirt.org/documentation/how-to/guest-agent/install-the-spice-guest-agent/</a><br>
> > > On the aSpice client I have imported the CA certificate from step<br>
> > > 1 above. I defined the connection using the IP of my Node and<br>
> > > TLS port 5901.<br>
> > <br>
> > are you really using aSPICE client (e.g. the android SPICE<br>
> > client?). If yes, maybe you want to try to open it using moVirt<br>
> > (<a href="https://play.google.com/store/apps/details?id=org.ovirt.mobile.movirt&hl=en" target="_blank">https://play.google.com/store/apps/details?id=org.ovirt.mobile.movirt&hl=en</a>)<br>
> > which delegates the console to aSPICE but configures<br>
> > everything including the certificates on it. Should be much simpler<br>
> > than configuring it by hand..<br>
> > <br>
> > > To troubleshoot my connection issues I confirmed the port being<br>
> > > used to listen. <br>
> > > virsh # domdisplay Kali<br>
> > > spice://<a href="http://172.30.42.12?tls-port=5901" target="_blank">172.30.42.12?tls-port=<wbr>5901</a><br>
> > > <br>
> > > I see the following when attempting to connect.<br>
> > > tail -f /var/log/libvirt/qemu/Kali.log<br>
> > > <br>
> > > 140400191081600:error:<wbr>14094438:SSL routines:ssl3_read_bytes:tlsv1<br>
> > > alert internal error:s3_pkt.c:1493:SSL alert number 80<br>
> > > ((null):27595): Spice-Warning **:<br>
> > > reds_stream.c:379:reds_stream_<wbr>ssl_accept: SSL_accept failed,<br>
> > > error=1<br>
> > > <br>
> > > I came across some documentation that states in the caveat<br>
> > > section "Certificate of spice SSL should be separate<br>
> > > certificate."<br>
> > > <a href="https://www.ovirt.org/develop/release-management/features/infra/pki/" id="gmail-m_7020420698810972152LPlnk306127" target="_blank">https://www.ovirt.org/develop/release-management/features/infra/pki/</a><br>
> > > <br>
> > > Is this still the case for version 4? The document references<br>
> > > version 3.2 and 3.3. If so, how do I generate a new certificate<br>
> > > for use with spice? Please let me know if you require further<br>
> > > info to troubleshoot, I am happy to provide it. Many thanks in<br>
> > > advance.<br>
> > > <br>
> > > <br>
> > > ______________________________<wbr>_________________<br>
> > > Users mailing list<br>
> > > <a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
> > > <a href="http://lists.ovirt.org/mailman/listinfo/users" id="gmail-m_7020420698810972152LPlnk439922" target="_blank">
http://lists.ovirt.org/<wbr>mailman/listinfo/users</a>
</div></div><span class="gmail-">
<br>
> > > <br>
> <br>
> ______________________________<wbr>_________________<br>
> Users mailing list<br>
> <a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
> <a href="http://lists.ovirt.org/mailman/listinfo/users" id="gmail-m_7020420698810972152LPlnk378649" target="_blank">
http://lists.ovirt.org/<wbr>mailman/listinfo/users</a></span></div>
</span></font></div>
</div>
</div>
</div>
</blockquote></div><br></div></div>
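<div dir="ltr">Added example, not part of the original thread and not moVirt's code: a Python check of the point discussed above, that the certificate imported into the SPICE client should be the one in the <code>CA=</code> entry of the VM's .vv file, and that the file carries the temporary password. It assumes the .vv file is an INI-style file with a <code>[virt-viewer]</code> section holding <code>host</code>, <code>tls-port</code>, <code>password</code> and <code>ca</code> keys, with the PEM stored on one line using escaped newlines; the function names and the sample data are constructed for illustration.</div>

```python
import base64
import configparser
import hashlib

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM string to raw DER bytes."""
    start = pem.index(PEM_BEGIN) + len(PEM_BEGIN)
    body = pem[start:pem.index(PEM_END, start)]
    return base64.b64decode("".join(body.split()))


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, so PEM line wrapping does not matter."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def read_vv(text: str) -> dict:
    """Parse the [virt-viewer] section of a .vv file into a dict."""
    # interpolation=None: a generated password may contain '%'.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    vv = dict(cp["virt-viewer"])
    if "ca" in vv:
        # Assumption: the PEM sits on one line with literal "\n" escapes.
        vv["ca"] = vv["ca"].replace("\\n", "\n")
    return vv


def check_console_ca(vv_text: str, imported_pem: str) -> dict:
    """Compare the CA inside the .vv file with the one given to the client."""
    vv = read_vv(vv_text)
    return {
        "host": vv["host"],
        "tls_port": int(vv["tls-port"]),
        "needs_password": bool(vv.get("password")),
        "ca_matches": fingerprint(vv["ca"]) == fingerprint(imported_pem),
    }


def constructed_pem(raw: bytes) -> str:
    """Wrap arbitrary bytes in PEM armour (sample data, not a real cert)."""
    return f"{PEM_BEGIN}\n{base64.b64encode(raw).decode()}\n{PEM_END}\n"


# Constructed sample input: two stand-in CAs and a .vv file using the first.
CONSOLE_CA = constructed_pem(b"constructed console CA, not a real certificate")
OTHER_CA = constructed_pem(b"constructed other CA, not a real certificate")
SAMPLE_VV = (
    "[virt-viewer]\n"
    "type=spice\n"
    "host=172.30.42.12\n"
    "tls-port=5901\n"
    "password=CONSTRUCTED-TICKET\n"
    "ca=" + CONSOLE_CA.replace("\n", "\\n") + "\n"
)

if __name__ == "__main__":
    print(check_console_ca(SAMPLE_VV, CONSOLE_CA))  # ca_matches: True
    print(check_console_ca(SAMPLE_VV, OTHER_CA))    # ca_matches: False
```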