<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p style="margin-top:0;margin-bottom:0">Hello everyone,<br>
</p>
<p style="margin-top:0;margin-bottom:0">I can confirm that spice is working for me when I launch it using the .vv file. I have virt viewer installed on my Windows pc and it works without issue. I can also launch spice when I use movirt without any issues.
I examined the contents of the .vv file to see what the certificate looks like. I can confirm that the certficate in the .vv file is the same as the file I downloaded in step 1 of my directions.
<br>
</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">I reviewed the PKI reference<a href="https://www.ovirt.org/develop/release-management/features/infra/pki/" class="OWAAutoLink" id="LPlnk894408" previewremoved="true"> (https://www.ovirt.org/develop/release-management/features/infra/pki/)
</a><span class="OWAAutoLink"></p>
<div>for a second time and I see the same certificate located in different locations.
</div>
</span>
<p></p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">For example, all these locations contain the same certificate-</p>
<ul style="margin-bottom: 0px; margin-top: 0px;">
<li><font size="2"><span style="font-size:11pt;"><a href="https://ovirtengine.lan/ovirt-en" id="LPlnk401540" previewremoved="true"></a>https://ovirtengine.lan/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA</span></font><br>
</li><li>/etc/pki/vdsm/certs/cacert.pem</li><li>/etc/pki/vdsm/libvirt-spice/ca-cert.pem</li><li>/etc/pki/CA/cacert.pem</li></ul>
<p style="margin-top:0;margin-bottom:0">This is the certificate I am using to configure my aSpice client.
<br>
</p>
<p style="margin-top:0;margin-bottom:0">Can someone answer the question from my original post? The PKI reference says for version 3.2 and 3.3. Is the documentation still correct for version 4.2?</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">At this point I am trying to find out where the problems exists - ie.
<br>
</p>
<p style="margin-top:0;margin-bottom:0">#1 Is my client not configured correctly?
<br>
</p>
<p style="margin-top:0;margin-bottom:0">#2 Am I using the wrong cert? (I think I am using the correct cert based on the research I listed above)</p>
<p style="margin-top:0;margin-bottom:0">#3 Does my client need to be able to send a pasword? (based on the contents of the .vv file, I'd have to guess yes)</p>
<p style="margin-top:0;margin-bottom:0">Also my xml file for the VM in question contains this:
</p>
<div> <graphics type='spice' autoport='yes' defaultMode='secure' passwd='*****' passwdValidTo='1970-01-01T00:00:01'><br>
Please note: I did not perform any hand configuration of the xml file, it was all done by the system using the UI.<br>
</div>
#4 Can I configure a file on the system to turn off ticketing and passwords and see if that makes a difference, if so, what file?
<p></p>
<p style="margin-top:0;margin-bottom:0">#5 Can someone explain this error? <br>
</p>
<p style="margin-top:0;margin-bottom:0"><font size="2"><span style="font-size:11pt;">140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:s3_pkt.c:1493:SSL alert number 80
<br>
((null):27595): Spice-Warning **:reds_stream.c:379:reds_stream_ssl_accept: SSL_accept failed, error=1</span></font></p>
<p style="margin-top:0;margin-bottom:0"><font size="2"><span style="font-size:11pt;"></p>
<div>What I know about it is this:<br>
According to RFC 2246, the alert number 80 represents an "internal error". Here is the description from the RFC<br>
internal_error: An internal error unrelated to the peer or the correctness of the protocol makes it impossible to continue (such as a memory allocation failure). This message is always fatal.</div>
</span></font>
<p></p>
<div>#6 Could this error be related to any of #1 through #4 above?<br>
<br>
Thanks!<br>
<br>
</div>
<br>
<div style="color: rgb(0, 0, 0);">
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> Karli Sjöberg <karli@inparadise.se><br>
<b>Sent:</b> Tuesday, February 20, 2018 2:56 AM<br>
<b>To:</b> Tomas Jelinek; Jeremy Tourville<br>
<b>Cc:</b> users@ovirt.org<br>
<b>Subject:</b> Re: [ovirt-users] Spice Client Connection Issues Using aSpice</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">On Tue, 2018-02-20 at 08:59 +0100, Tomas Jelinek wrote:<br>
> <br>
> <br>
> On Mon, Feb 19, 2018 at 7:10 PM, Jeremy Tourville <Jeremy_Tourville@h<br>
> otmail.com> wrote:<br>
> > Hi Tomas, <br>
> > To answer your question, yes I am really trying to use aSpice.<br>
> > <br>
> > I appreciate your suggestion. I'm not sure if it meets my<br>
> > objective. Maybe our goals are different? It seems to me that<br>
> > movirt is built around portable management of the ovirt<br>
> > environment. I am attempting to provide a VDI type experience for<br>
> > running a vm. My goal is to run a lab environment with 30<br>
> > chromebooks loaded with a spice clent. The spice client would of<br>
> > course connect to the 30 vms running Kali and each session would be<br>
> > independent of each other. <br>
> > <br>
> <br>
> yes, it looks like a different use case<br>
> <br>
> > I did a little further testing with a different client. (spice<br>
> > plugin for chrome). When I attempted to connect using that client<br>
> > I got a slightly different error message. The message still seemed<br>
> > to be of the same nature- i.e.: there is a problem with SSL<br>
> > protocol and communication. <br>
> > <br>
> > Are you suggesting that movirt can help set up the proper<br>
> > certficates and config the vms to use spice? Thanks!<br>
> > <br>
> <br>
> moVirt has been developed for quite some time and works pretty well,<br>
> this is why I recommended it. But anyway, you have a different use<br>
> case.<br>
> <br>
> What I think the issue is, is that oVirt can have different CAs set<br>
> for console communication and for API. And I think you are trying to<br>
> configure aSPICE to use the one for API. <br>
> <br>
> What moVirt does to make sure it is using the correct CA to put into<br>
> the aSPICE is that it downloads the .vv file of the VM (e.g. you can<br>
> just connect to console using webadmin and save the .vv file<br>
> somewhere), parse it and use the CA= part from it as a certificate.<br>
> This one is guaranteed to be the correct one.<br>
> <br>
> For more details about what else it takes from the .vv file you can<br>
> check here:<br>
> the parsing: <a href="https://github.com/oVirt/moVirt/blob/master/moVirt/src/m" id="LPlnk119727" previewremoved="true">
https://github.com/oVirt/moVirt/blob/master/moVirt/src/m</a><br>
> ain/java/org/ovirt/mobile/movirt/rest/client/httpconverter/VvFileHttp<br>
> MessageConverter.java<br>
> configuration of aSPICE: <a href="https://github.com/oVirt/moVirt/blob/master/" id="LPlnk744960" previewremoved="true">
https://github.com/oVirt/moVirt/blob/master/</a><br>
> moVirt/src/main/java/org/ovirt/mobile/movirt/util/ConsoleHelper.java<br>
> <br>
> enjoy :)<br>
<br>
Feels to me like OP should try to get it working _any_ "normal" way<br>
before trying to get the special use case application working?<br>
<br>
Like trying to run before learning to crawl, if that makes sense?<br>
<br>
I would suggest just logging in to webadmin with a regular PC and<br>
trying to get a SPICE console with remote-viewer to begin with. Then,<br>
once that works, try to get a SPICE console working through moVirt with<br>
aSPICE on an Android phone, or one of the Chromebooks you have to play<br>
with before going into production. Once that´s settled and you know it<br>
should work the way you normally access it, you can start playing with<br>
your special use case application.<br>
<br>
Hope it helps!<br>
<br>
/K<br>
<br>
> <br>
> > <br>
> > From: Tomas Jelinek <tjelinek@redhat.com><br>
> > Sent: Monday, February 19, 2018 4:19 AM<br>
> > To: Jeremy Tourville<br>
> > Cc: users@ovirt.org<br>
> > Subject: Re: [ovirt-users] Spice Client Connection Issues Using<br>
> > aSpice<br>
> > <br>
> > <br>
> > <br>
> > On Sun, Feb 18, 2018 at 5:32 PM, Jeremy Tourville <Jeremy_Tourville<br>
> > @hotmail.com> wrote:<br>
> > > Hello,<br>
> > > I am having trouble connecting to my guest vm (Kali Linux) which<br>
> > > is running spice. My engine is running version: 4.2.1.7-<br>
> > > 1.el7.centos.<br>
> > > I am using oVirt Node as my host running version: 4.2.1.1. <br>
> > > <br>
> > > I have taken the following steps to try and get everything<br>
> > > running properly.<br>
> > > Download the root CA certificate <a href="https://ovirtengine.lan/ovirt-en" id="LPlnk401540" previewremoved="true">
https://ovirtengine.lan/ovirt-en</a><br>
> > > gine/services/pki-resource?resource=ca-certificate&format=X509-<br>
> > > PEM-CA<br>
> > > Edit the vm and define the graphical console entries. Video type<br>
> > > is set to QXL, Graphics protocol is spice, USB support is<br>
> > > enabled.<br>
> > > Install the guest agent in Debian per the instructions here - htt<br>
> > > ps://www.ovirt.org/documentation/how-to/guest-agent/install-the-<br>
> > > guest-agent-in-debian/ It is my understanding that installing<br>
> > > the guest agent will also install the virt IO device drivers.<br>
> > > Install the spice-vdagent per the instructions here - <a href="https://www" id="LPlnk534540" previewremoved="true">
https://www</a><br>
> > > .ovirt.org/documentation/how-to/guest-agent/install-the-spice-<br>
> > > guest-agent/<br>
> > > On the aSpice client I have imported the CA certficate from step<br>
> > > 1 above. I defined the connection using the IP of my Node and<br>
> > > TLS port 5901.<br>
> > <br>
> > are you really using aSPICE client (e.g. the android SPICE<br>
> > client?). If yes, maybe you want to try to open it using moVirt (ht<br>
> > tps://play.google.com/store/apps/details?id=org.ovirt.mobile.movirt<br>
> > &hl=en) which delegates the console to aSPICE but configures<br>
> > everything including the certificates on it. Should be much simpler<br>
> > than configuring it by hand..<br>
> > <br>
> > > To troubleshoot my connection issues I confirmed the port being<br>
> > > used to listen. <br>
> > > virsh # domdisplay Kali<br>
> > > spice://172.30.42.12?tls-port=5901<br>
> > > <br>
> > > I see the following when attempting to connect.<br>
> > > tail -f /var/log/libvirt/qemu/Kali.log<br>
> > > <br>
> > > 140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1<br>
> > > alert internal error:s3_pkt.c:1493:SSL alert number 80<br>
> > > ((null):27595): Spice-Warning **:<br>
> > > reds_stream.c:379:reds_stream_ssl_accept: SSL_accept failed,<br>
> > > error=1<br>
> > > <br>
> > > I came across some documentation that states in the caveat<br>
> > > section "Certificate of spice SSL should be separate<br>
> > > certificate."<br>
> > > <a href="https://www.ovirt.org/develop/release-management/features/infra/p" id="LPlnk306127" previewremoved="true">
https://www.ovirt.org/develop/release-management/features/infra/p</a><br>
> > > ki/<br>
> > > <br>
> > > Is this still the case for version 4? The document references<br>
> > > version 3.2 and 3.3. If so, how do I generate a new certificate<br>
> > > for use with spice? Please let me know if you require further<br>
> > > info to troubleshoot, I am happy to provide it. Many thanks in<br>
> > > advance.<br>
> > > <br>
> > > <br>
> > > <br>
> > > <br>
> > > <br>
> > > <br>
> > > <br>
> > > <br>
> > > <br>
> > > <br>
> > > _______________________________________________<br>
> > > Users mailing list<br>
> > > Users@ovirt.org<br>
> > > <a href="http://lists.ovirt.org/mailman/listinfo/users" id="LPlnk439922" previewremoved="true">
http://lists.ovirt.org/mailman/listinfo/users</a>
<div id="LPBorder_GT_15191689794020.9506041758926115" style="margin-bottom: 20px; overflow: auto; width: 100%; text-indent: 0px;">
<table id="LPContainer_15191689793980.020877905619313797" style="width: 90%; background-color: rgb(255, 255, 255); position: relative; overflow: auto; padding-top: 20px; padding-bottom: 20px; margin-top: 20px; border-top: 1px dotted rgb(200, 200, 200); border-bottom: 1px dotted rgb(200, 200, 200);" role="presentation" cellspacing="0">
<tbody>
<tr style="border-spacing: 0px;" valign="top">
<td id="TextCell_15191689794000.745711158074434" style="vertical-align: top; position: relative; padding: 0px; display: table-cell;" colspan="2">
<div id="LPRemovePreviewContainer_15191689794000.6616147681997978"></div>
<div id="LPTitle_15191689794000.998721573314241" style="top: 0px; color: rgb(0, 120, 215); font-weight: 400; font-size: 21px; font-family: "wf_segoe-ui_light", "Segoe UI Light", "Segoe WP Light", "Segoe UI", "Segoe WP", Tahoma, Arial, sans-serif; line-height: 21px;">
<a id="LPUrlAnchor_15191689794000.39103588621365026" style="text-decoration: none;" href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">Users Info Page - lists.ovirt.org Mailing Lists</a></div>
<div id="LPMetadata_15191689794010.7935502771020931" style="margin: 10px 0px 16px; color: rgb(102, 102, 102); font-weight: 400; font-family: "wf_segoe-ui_normal", "Segoe UI", "Segoe WP", Tahoma, Arial, sans-serif; font-size: 14px; line-height: 14px;">
lists.ovirt.org</div>
<div id="LPDescription_15191689794010.9775418907289667" style="display: block; color: rgb(102, 102, 102); font-weight: 400; font-family: "wf_segoe-ui_normal", "Segoe UI", "Segoe WP", Tahoma, Arial, sans-serif; font-size: 14px; line-height: 20px; max-height: 100px; overflow: hidden;">
If you have a question about oVirt, this is where you can start getting answers. To see the collection of prior postings to the list, visit the Users Archives.</div>
</td>
</tr>
</tbody>
</table>
</div>
<br>
> > > <br>
> <br>
> _______________________________________________<br>
> Users mailing list<br>
> Users@ovirt.org<br>
> <a href="http://lists.ovirt.org/mailman/listinfo/users" id="LPlnk378649" previewremoved="true">
http://lists.ovirt.org/mailman/listinfo/users</a></div>
<div id="LPBorder_GT_15191689794330.830208412449906" style="margin-bottom: 20px; overflow: auto; width: 100%; text-indent: 0px;">
<table id="LPContainer_15191689794290.19160292129344736" style="width: 90%; background-color: rgb(255, 255, 255); position: relative; overflow: auto; padding-top: 20px; padding-bottom: 20px; margin-top: 20px; border-top: 1px dotted rgb(200, 200, 200); border-bottom: 1px dotted rgb(200, 200, 200);" role="presentation" cellspacing="0">
<tbody>
<tr style="border-spacing: 0px;" valign="top">
<td id="TextCell_15191689794300.8164774816413748" style="vertical-align: top; position: relative; padding: 0px; display: table-cell;" colspan="2">
<div id="LPRemovePreviewContainer_15191689794300.9561033892326608"></div>
<div id="LPTitle_15191689794310.4201760885913921" style="top: 0px; color: rgb(0, 120, 215); font-weight: 400; font-size: 21px; font-family: "wf_segoe-ui_light", "Segoe UI Light", "Segoe WP Light", "Segoe UI", "Segoe WP", Tahoma, Arial, sans-serif; line-height: 21px;">
<a id="LPUrlAnchor_15191689794310.759099477830945" style="text-decoration: none;" href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">Users Info Page - lists.ovirt.org Mailing Lists</a></div>
<div id="LPMetadata_15191689794320.8467953153034486" style="margin: 10px 0px 16px; color: rgb(102, 102, 102); font-weight: 400; font-family: "wf_segoe-ui_normal", "Segoe UI", "Segoe WP", Tahoma, Arial, sans-serif; font-size: 14px; line-height: 14px;">
lists.ovirt.org</div>
<div id="LPDescription_15191689794320.8773237228541786" style="display: block; color: rgb(102, 102, 102); font-weight: 400; font-family: "wf_segoe-ui_normal", "Segoe UI", "Segoe WP", Tahoma, Arial, sans-serif; font-size: 14px; line-height: 20px; max-height: 100px; overflow: hidden;">
If you have a question about oVirt, this is where you can start getting answers. To see the collection of prior postings to the list, visit the Users Archives.</div>
</td>
</tr>
</tbody>
</table>
</div>
</span></font></div>
</div>
</div>
</body>
</html>