On Wed, Feb 9, 2022 at 9:20 AM Gilboa Davara <gilboad@gmail.com> wrote:

On Wed, Feb 9, 2022 at 7:52 AM Patrick Hibbs <hibbsncc1701@gmail.com> wrote:
The certificates used in SPICE connections are stored on the VM hosts. By default they are at /etc/pki/vdsm/libvirt-spice, and configured by VDSM in /etc/libvirt/qemu.conf. Their default names are ca-cert.pem, server-cert.pem, and server-key.pem. Using openssl x509 -noout -text -in </path/to/cert-file> should show you the certificate's expiration info.

Note: Don't try to change anything, it will be overwritten by VDSM on the next host update / reinstall.

As for remote-viewer, if you run it manually from the console with "remote-viewer --debug </path/to/console.vv>" or "remote-viewer --verbose </path/to/console.vv>" it will print log information about the connection it's trying to establish.

-Patrick Hibbs

Hello,

You must have missed my answer above. (Understandable, given the length of this thread...)
I replaced and verified /etc/pki/vdsm/libvirt-spice/server-cert.pem
Restarted all the services on the host.

$ openssl x509 -in /etc/pki/vdsm/libvirt-spice/server-cert.pem -noout -dates
notBefore=Feb 7 13:59:14 2022 GMT
notAfter=Feb 7 13:59:14 2027 GMT
$ openssl x509 -in /etc/pki/vdsm/libvirt-spice/ca-cert.pem -noout -dates
notBefore=Dec 26 16:25:01 2020 GMT
notAfter=Dec 25 16:25:01 2030 GMT

However, remote-viewer still fails:
$ remote-viewer --debug console.vv
...
(remote-viewer:14874): Spice-WARNING **: 18:14:33.500: ../subprojects/spice-common/common/ssl_verify.c:506:openssl
_verify: ssl: subject 'O=localdomain,CN=gilboa-wx-srv.localdomain' verification failed

The main problem here is that while we assume the problem is expired certificates, it can be something else (Subject, CN, etc).
The error is not informative..

- Gilboa.

Seems that openvswitch is also using the old certificates.

Seems that https://access.redhat.com/solutions/3532921 is missing a couple of certificates..

(I don't even see it in https://www.ovirt.org/develop/release-management/features/infra/pki.html).

- Gilboa

On Wed, 2022-02-09 at 06:58 +0200, Gilboa Davara wrote:

On Wed, Feb 9, 2022 at 1:05 AM Strahil Nikolov <hunter86_bg@yahoo.com> wrote:
I have no clue , but I would give vdsm.service a restart.

Thanks again for the prompt response.
Tried that, restarted all services and the all the VMS, didn't work.

Any idea how I can verify the certificate information actually being used by qemu for the spice console?
remote-viewer just fails, without giving any meaningful error message.

- Gilboa

Best Regards,
Strahil Nikolov

On Tue, Feb 8, 2022 at 18:19, Gilboa Davara
<gilboad@gmail.com> wrote:
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/2GAQH44QD6KTS4RHXQBDWL6PNI6OKCS3/

_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/OG57VT2XGDTY2MFOJFFUCZAMXS22W4OG/

_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/AKQVBARD4EWIS3PCQYLX7AH575XRDYAD/