On Thu, Dec 13, 2012 at 12:53 PM, Cristian Falcas <cristi.falcas(a)gmail.com> wrote:
On Thu, Dec 13, 2012 at 12:43 PM, Cristian Falcas <cristi.falcas(a)gmail.com> wrote:
>
> On Thu, Dec 13, 2012 at 2:07 AM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>
>>
>>
>> ----- Original Message -----
>> > From: "Cristian Falcas" <cristi.falcas(a)gmail.com>
>> > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>> > Cc: "Roy Golan" <rgolan(a)redhat.com>, users(a)ovirt.org, "Juan Antonio Hernandez Fernandez" <jhernand(a)redhat.com>, "David Jaša" <djasa(a)redhat.com>, "Itamar Heim" <iheim(a)redhat.com>
>> > Sent: Thursday, December 13, 2012 2:01:22 AM
>> > Subject: Re: Spice issues with latest vdsm (was Re: [Users] Cannot find suitable CPU model for given data)
>> >
>> > On Thu, Dec 13, 2012 at 12:13 AM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>> >
>> > ----- Original Message -----
>> > > From: "Cristian Falcas" <cristi.falcas(a)gmail.com>
>> > > To: "Itamar Heim" <iheim(a)redhat.com>
>> > > Cc: "Roy Golan" <rgolan(a)redhat.com>, users(a)ovirt.org, "Alon Bar-Lev" <alonbl(a)redhat.com>, "Juan Antonio Hernandez Fernandez" <jhernand(a)redhat.com>, "David Jaša" <djasa(a)redhat.com>
>> > > Sent: Wednesday, December 12, 2012 11:21:32 PM
>> > > Subject: Re: Spice issues with latest vdsm (was Re: [Users] Cannot find suitable CPU model for given data)
>> > >
>> > > On Wed, Dec 12, 2012 at 11:14 PM, Itamar Heim <iheim(a)redhat.com> wrote:
>> > >
>> > > On 12/12/2012 10:39 PM, Cristian Falcas wrote:
>> > >
>> > > Hi,
>> > >
>> > > I don't know if I should start a new thread for the spice problems.
>> > > Here go some improvements:
>> > >
>> > > I created the certificates as per https://gist.github.com/1655511. I
>> > > copied the public one to my home:
>> > > cp /etc/pki/vdsm/libvirt-spice/ca-cert.pem ~cristi/.spice/spice_truststore.pem
>> > >
>> > > I had the same problem as in
>> > > https://bugzilla.redhat.com/show_bug.cgi?id=880182. For this I needed
>> > > to downgrade libcacard twice (until I had the same version as in the
>> > > bug).
>> > >
>> > > Now spice works with virt-manager.
>> > >
>> > > Can someone tell me where I need to copy the certificate on ovirt in
>> > > order to make spice work over there also?
>> > >
>> > > With which version of bootstrap on the engine did you add this host?
>> > >
>> > >
>> > > vdsm-bootstrap-4.10.3-0.3.git47b71e8.fc17.noarch
>> > >
>> > > And otopi packages installed:
>> > >
>> > > otopi-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch
>> > > otopi-java-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch
>> > >
>> > >
>> >
>> > Any reason to perform certificate enrollment manually?
>> >
>> > Alon
>> >
>> >
>> > It's still not working with the handmade certificates.
>> >
>> > I tried to create them because of those errors:
>> >
>> > libvirt log:
>> >
>> > ((null):9248): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from /etc/pki/vdsm/libvirt-spice/server-cert.pem
>> > ((null):9248): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file
>> > ((null):9248): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem
>> >
>> > [root@localhost Ovirt]# ls -la /etc/pki/vdsm/libvirt-spice/server-cert.pem
>> > ls: cannot access /etc/pki/vdsm/libvirt-spice/server-cert.pem: No such file or directory
>> > [root@localhost Ovirt]# ls -la /etc/pki/vdsm/libvirt-spice/ca-cert.pem
>> > ls: cannot access /etc/pki/vdsm/libvirt-spice/ca-cert.pem: No such file or directory
>> >
>> >
>> > Spice log:
>> >
>> > 1355334879 INFO [8950:8950] Application::main: starting 0.12.0
>> > 1355334879 INFO [8950:8950] Application::main: command line: spicec --controller
>> > 1355334879 INFO [8950:8950] init_key_map: using evdev mapping
>> > 1355334879 INFO [8950:8950] MultyMonScreen::MultyMonScreen: platform_win: 77594625
>> > 1355334879 INFO [8950:8950] GUI::GUI:
>> > 1355334879 INFO [8950:8950] ForeignMenu::ForeignMenu: Creating a foreign menu connection /tmp/SpiceForeignMenu-8950.uds
>> > 1355334879 INFO [8950:8950] Controller::Controller: Creating a controller connection /tmp/spicec-9GS5mA/spice-xpi
>> > 1355334882 INFO [8950:8952] RedPeer::connect_secure: Connected to cristifalcas.no-ip.org 5902
>> > 1355334882 ERROR [8950:8952] RedPeer::connect_secure: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
>> > 1355334882 WARN [8950:8952] RedChannel::run: SSL Error: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
>> > 1355334882 INFO [8950:8950] main: Spice client terminated (exitcode = 7)
>> >
>> > I've done this without an improvement:
>> >
>> > [root@localhost Ovirt]# /lib/systemd/systemd-vdsmd reconfigure
>> > Configuring libvirt for vdsm...
>> > [root@localhost Ovirt]# systemctl restart libvirtd.service vdsmd.service
>> >
>>
>> Why don't you deploy the host again? It should create the certificate
>> correctly.
>>
>> But before you can do this, you must remove whatever certificates you
>> put including symlinks at /etc/pki /etc/libvirt as libvirt will not start
>> if there are invalid certificates.
>>
>> Alon.
>>
>
> I already did this. Also, I removed all configuration files from host and
> ovirt, reinstalled ovirt-engine, removed vdsm,libvirt,qemu on host.
>
> I still got this when I start the machine:
> ((null):5004): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not
> load certificates from /etc/pki/vdsm/libvirt-spice/server-cert.pem
> ((null):5004): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use
> private key file
> ((null):5004): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use
> CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem
>
> And this when I try to connect:
>
> ((null):5004): Spice-Warning **: reds.c:2913:reds_handle_ssl_accept:
> SSL_accept failed, error=1
>
> Best regards,
> Cristian Falcas
>
Also, spice is working with virt-manager without any modifications from my
side.

qemu.conf is configured with this:
spice_tls=1
save_image_format="lzop"
spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"

But that directory is not created, so no certificates can be found
there.

Also, the latest nightly doesn't use vdsm-bootstrap anymore (it wasn't
installed).
Maybe otopi is not doing all the jobs from vdsm-bootstrap?

Are there any steps to create the certificates needed by qemu/spice?
Best regards,
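
[Added example, not part of the original message and not oVirt or vdsm code: a host-side check that reads the qemu.conf settings quoted above and tries to load the same three TLS files the reds_init_ssl warnings complain about. Assumptions: the names parse_qemu_conf and check_spice_tls are hypothetical, server-key.pem is the standard QEMU key file name (the thread does not name it), and /etc/pki/libvirt-spice is libvirt's default directory when the setting is absent.]

```python
import ssl
from pathlib import Path

# File names QEMU's SPICE server reads from its x509 directory.
# server-key.pem is not named in the thread; it is the standard QEMU name.
REQUIRED = ("ca-cert.pem", "server-cert.pem", "server-key.pem")

# Constructed sample: the three qemu.conf lines quoted in the message.
SAMPLE_QEMU_CONF = '''spice_tls=1
save_image_format="lzop"
spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"
'''

def parse_qemu_conf(text):
    """Return simple key=value settings from qemu.conf text, quotes removed."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def check_spice_tls(conf_text):
    """Return a list of problems; an empty list means the TLS files load."""
    conf = parse_qemu_conf(conf_text)
    if conf.get("spice_tls") != "1":
        return []  # SPICE TLS is off, so no certificate is loaded
    # Assumption: fall back to libvirt's default directory when the key is unset.
    cert_dir = Path(conf.get("spice_tls_x509_cert_dir", "/etc/pki/libvirt-spice"))
    if not cert_dir.is_dir():
        return [f"{cert_dir}: directory does not exist"]
    problems = [f"{cert_dir / n}: missing" for n in REQUIRED
                if not (cert_dir / n).is_file()]
    if problems:
        return problems
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:  # server certificate and private key must parse and match each other
        ctx.load_cert_chain(str(cert_dir / "server-cert.pem"),
                            str(cert_dir / "server-key.pem"))
    except (ssl.SSLError, OSError) as exc:
        problems.append(f"server certificate/key unusable: {exc}")
    try:  # CA file must parse as a PEM certificate
        ctx.load_verify_locations(cafile=str(cert_dir / "ca-cert.pem"))
    except (ssl.SSLError, OSError) as exc:
        problems.append(f"CA file unusable: {exc}")
    return problems

if __name__ == "__main__":
    for line in check_spice_tls(SAMPLE_QEMU_CONF) or ["no problems found"]:
        print(line)
```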