Hello again,
I figured it out, this resolves my question:
# curl -X POST -H "Accept: application/xml" -H "Content-type: application/xml" -u admin@internal:pass --cacert ca.crt -d "<action><ticket><expiry>120</expiry></ticket></action>" https://vm-srv:8443/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/ticket
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<action>
    <ticket>
        <value>+e/OUQvquJx4</value>
        <expiry>120</expiry>
    </ticket>
    <status>
        <state>complete</state>
    </status>
</action>
indeed.
artem/david - between all the inputs in this thread - please try to
capture it in a wiki as david suggested.
thanks,
Itamar
Artem
2012/8/7 Artem <artem(a)e-inet.ru>:
> Hi all, thanks a lot, it works
>
> 1) get CA to client "wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt"
> 2) set "vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD}
> ${VALIDITY_SECONDS}" on kvm host
> 3) and connect to console using this line "spicec --ca-file ${CA_FILE} -w
> ${PASSWORD} -h vm-srv -s ${SECURE_PORT}" successfully
>
> but how to install "setVmTicket" without logging in as root on the kvm host,
> how to do it through a POST request?
>
>
> 2012/8/6 David Jaša <djasa(a)redhat.com>:
>> @Itamar - this is a recurring problem, what about creating a wiki page for
>> it?
>>
>> @Artem:
>>
>> Artem wrote on Mon 06. 08. 2012 at 01:30 +0400:
>>> yes engine and kvm(qemu-kvm) installed on same machine (vm-srv)
>>>
>>> i change host-subject but..
>>>
>>> # spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL,
>>> CN=vm-srv" --secure-channels=all
>>
>> 1) your command line is missing '--ca-file $CA_FILE' altogether
>>
>> 2) you don't mention password
>>
>> 3) you shouldn't need to specify host subject at all because your host
>> (-h) matches name of server in CN field of host subject. If you override
>> it anyway, strip white spaces after commas in it:
>> --host-subject='C=US,O=ICL,CN=vm-srv'
>>
>> 4) you could omit -p and --secure-channels altogether in order to
>> achieve tls-only connection, but you can hit
>> https://bugzilla.redhat.com/show_bug.cgi?id=723582 then
>>
>> So you should do (out of my head, may contain typos):
>> get CA:
>> * on engine, it is found here:
>> CA_FILE=/etc/pki/ovirt-engine/ca.pem
>> * on host, it's here:
>> CA_FILE=/etc/pki/vdsm/libvirt-spice/ca-cert.pem
>> * on any other host, get it from engine web interface:
>> wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt
>>
>> on the host, get UUID of the VM:
>> $ VM_UUID="$(ps -ef | grep ${VM_NAME} | sed -e 's/^.*-uuid[ \t]\+\([^ \t]\+\)[ \t].*$/\1/')"
>>
>> as root on the host, set ticket (password and its period of validity):
>> # vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD} ${VALIDITY_SECONDS}
>> (doing it via REST API is cleaner but more cumbersome for me)
>>
>> if the hostname you're connecting does not match what is in CN field of
>> Subject of the server cert, get the subject without spaces after commas
>> on the host:
>> $ grep Subject: ${SERVER_CERT_FILE} | sed -e 's/^.*Subject:[ \t]*\(.*\)$/\1/;s/,[ \t]*/,/g'
>>
>> connect to the spice-server:
>> $ spicec --ca-file ${CA_FILE} -w ${PASSWORD} -h vm-srv -s ${SECURE_PORT}
>> OR, with newer, shinier and overall better client :)
>> # yum install virt-viewer
>> $ remote-viewer --spice-ca-file /etc/pki/ovirt-engine/ca.pem spice://vm-srv/?tls-port=${SECURE_PORT}
>> (you'll have to provide the password through the pop-up dialog)
>>
>> if you need to provide host subject (host name/IP not matching the one from
>> server cert Subject):
>> $ spicec --host-subject ${HOST_SUBJECT} [...]
>> OR
>> $ remote-viewer --spice-host-subject ${HOST_SUBJECT} [...]
>>
>> David
>>
>>
>>> Error: subject mismatch: #entries cert=2, input=3
>>> Error: failed to connect w/SSL, ssl_error
>>> error:00000001:lib(0):func(0):reason(1)
>>> 3079539240:error:14090086:SSL
>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
>>> failed:s3_clnt.c:1063:
>>> Warning: SSL Error:
>>>
>>>
>>> 2012/8/6 Itamar Heim <iheim(a)redhat.com>:
>>>> On 08/06/2012 12:07 AM, Artem wrote:
>>>>>
>>>>> hmm... not sure if understood correctly...
>>>>>
>>>>> vm-srv this KVM host.. (server) and I connect from another machine to vm
>>>>> on kvm.
>>>>
>>>>
>>>> did you install the engine and kvm host on same machine?
>>>>
>>>>
>>>>>
>>>>> this subject name i get in .spicec/spice_truststore.pem
>>>>
>>>>
>>>> yes, spice trusts the CA, but client needs to validate the target host
>>>> certificate.
>>>> (if you run engine and host on same machine, try:
>>>> "C=US, O=ICL, CN=vm-srv"
>>>> (assuming you added the host with hostname of vm-srv to engine. if you added
>>>> it with fqdn or ip, use them under last CN)
>>>>
>>>>
>>>>>
>>>>> //////////////////////////////////
>>>>> # cat .spicec/spice_truststore.pem
>>>>> Certificate:
>>>>> Data:
>>>>> Version: 3 (0x2)
>>>>> Serial Number: 1 (0x1)
>>>>> Signature Algorithm: sha1WithRSAEncryption
>>>>> Issuer: C=US, O=ICL, CN=CA-vm-srv.15064
>>>>> Validity
>>>>> Not Before: Jul 28 03:42:06 2012
>>>>> Not After : Jul 26 23:42:07 2022 GMT
>>>>> Subject: C=US, O=ICL, CN=CA-vm-srv.15064
>>>>> Subject Public Key Info:
>>>>> Public Key Algorithm: rsaEncryption
>>>>> Public-Key: (2048 bit)
>>>>> Modulus:
>>>>> ///////////////////////////////////////////
>>>>>
>>>>> 2012/8/6 Itamar Heim <iheim(a)redhat.com>:
>>>>>>
>>>>>> this looks like the subject name of the CA, not the host running the
>>>>>> virtual machine?
>>>>
>>>>
>>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users(a)ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>
>> --
>>
>> David Jaša, RHCE
>>
>> SPICE QE based in Brno
>> GPG Key: 22C33E24
>> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>>
>>
>>
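
The REST ticket request and the host-subject clean-up discussed in this thread, written as a script. This is an added example, not part of the thread or of oVirt's own tooling: ENGINE_URL, ENGINE_USER, ENGINE_PASS, CA_FILE and all function names are assumptions. It validates its inputs, checks the returned state before using the ticket, and keeps the engine password off the curl command line.

```shell
#!/bin/sh
# Added example, not from the thread. ENGINE_URL, ENGINE_USER, ENGINE_PASS,
# CA_FILE and all function names are assumptions chosen for illustration.

# Print the text of the <$1> element found in the XML read from stdin.
xml_field() {
    tr -d '\n' | sed -n "s:.*<$1>\([^<]*\)</$1>.*:\1:p"
}

# Accept only a canonical UUID, so nothing else can end up in the URL path.
valid_uuid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Read the engine's reply on stdin; print the ticket only if the action completed.
parse_ticket() {
    reply=$(cat)
    [ "$(printf '%s' "$reply" | xml_field state)" = complete ] || return 1
    ticket=$(printf '%s' "$reply" | xml_field value)
    [ -n "$ticket" ] && printf '%s\n' "$ticket"
}

# POST the ticket request. The engine password reaches curl through a config
# read from stdin (printf is a shell builtin), so it does not appear in `ps`.
# Assumes the password contains no double quote or backslash.
request_ticket() {   # $1 = VM UUID, $2 = validity in seconds
    valid_uuid "$1" || { echo "bad VM UUID" >&2; return 2; }
    case $2 in ''|*[!0-9]*) echo "bad expiry" >&2; return 2 ;; esac
    printf 'user = "%s:%s"\n' "$ENGINE_USER" "$ENGINE_PASS" |
        curl --silent --fail --config - --cacert "$CA_FILE" -X POST \
             -H 'Accept: application/xml' -H 'Content-type: application/xml' \
             -d "<action><ticket><expiry>$2</expiry></ticket></action>" \
             "$ENGINE_URL/api/vms/$1/ticket" | parse_ticket
}

# Strip whitespace after every comma, the form --host-subject is given in above.
normalize_subject() {
    printf '%s\n' "$1" | sed -e 's/,[[:space:]]*/,/g'
}
```

The value printed by request_ticket is the password to enter in the remote-viewer pop-up dialog mentioned above, which also keeps the ticket out of the client's argument list.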