Fixed. It was that each server had the wrong time.
ovirt-engine: was off by a day
ovirt-node: off by 12 hours
spicec: was 3 days behind.
Updated ntpd on all machines and everything works as expected. Nothing was wrong with the certs.
Thank you for your help!
-Bret
On Oct 5, 2012, at 8:19 AM, David Jaša <djasa(a)redhat.com> wrote:
Itamar Heim wrote on Fri 05. 10. 2012 at 15:56 +0200:
> On 10/05/2012 10:57 AM, Juan Hernandez wrote:
>> On 10/05/2012 10:26 AM, Bret Palsson wrote:
>>> I can't seem to get this secure spice session to work. Any help is appreciated, already burnt 20 hours on this.
>>>
>>> Spice versions:
>>> spice-server-0.10.1
>>> spice-client 0.12.0
>>> spice-xpi 2.7
>>
>> The certificates that you get from the server in both examples are
>> different. Copy the text between "-----BEGIN CERTIFICATE-----" and
>> "-----END CERTIFICATE-----" to a file "cert.pem" and then run the
>> following command to see what is inside:
>>
>> openssl x509 -in cert.pem -noout -text
>>
>> In both cases it looks like the certificate fails to verify. I would
>> suggest taking that "cert.pem" file and the "ca.pem" file from the
>> engine (/etc/pki/ovirt-engine/ca.pem) and verifying it like this:
>>
>> openssl verify -CAfile ca.pem cert.pem
>>
>> It should say:
>>
>> ca.pem: OK
>>
>> The message you get when you test with openssl is this:
>>
>> Verify return code: 9 (certificate is not yet valid)
>>
>> That probably means that you have some kind of date/time problem. Make
>> sure that all your machines (engine, nodes, clients) are correctly
>> synchronized.
>>
>> If you still have problems please share the certificate that you get
>> when connecting with "openssl s_client" and the certificate of the CA
>> of the engine (/etc/pki/ovirt-engine/ca.pem).
>>
>>> spicec: I set the password to abcd using a bash script found on this mailing list, valid for 1200 seconds.
>>> =============================================
>>> # spicec --password abcd --secure-channels all -h 10.20.20.2 --secure-port 5902 --ca-file cacert.pem
>>> Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
>>> 139833084392776:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
>>> Warning: SSL Error:
>>> =============================================
>>>
>>> spice-xpi: spice-xpi.log
>>> =============================================
>>> built and installed latest (which is great, has better debugging output):
>>> 2012-10-02 07:58:26,805 DEBUG nsPluginInstance::SetHostIP: 10.20.20.2
>>> 2012-10-02 07:58:26,806 DEBUG nsPluginInstance::SetPort: 5901
>>> 2012-10-02 07:58:26,806 DEBUG nsPluginInstance::SetTitle: Test:%d - Press SHIFT+F12 to Release Cursor
>>> 2012-10-02 07:58:26,807 DEBUG nsPluginInstance::SetDynamicMenu:
>>> 2012-10-02 07:58:26,807 DEBUG nsPluginInstance::SetFullScreen: 0
>>> 2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetPassword: Password set
>>> 2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetNumberOfMonitors: 1
>>> 2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetUsbListenPort: 0
>>> 2012-10-02 07:58:26,809 DEBUG nsPluginInstance::SetAdminConsole: 1
>>> 2012-10-02 07:58:26,809 DEBUG nsPluginInstance::SetSecurePort: 5902
>>> 2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetSSLChannels: original channels: smain,sinputs,scursor,splayback,srecord,sdisplay
>>> 2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetSSLChannels: modified channels: main,inputs,cursor,playback,record,display
>>> 2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetGuestHostName: Test
>>> 2012-10-02 07:58:26,811 DEBUG nsPluginInstance::SetCipherSuite: DEFAULT
>>> 2012-10-02 07:58:26,811 DEBUG nsPluginInstance::SetHostSubject: O=Best Company,CN=10.20.20.2
>>> 2012-10-02 07:58:26,812 DEBUG nsPluginInstance::SetTrustStore: Certificate:
>>> Data:
>>> Version: 3 (0x2)
>>> Serial Number: 1 (0x1)
>>> Signature Algorithm: sha1WithRSAEncryption
>>> Issuer: C=US, O=Best Company, CN=CA-ovirt-engine.example.com.28202
>>> Validity
>>> Not Before: Sep 6 21:49:14 2012
>>> Not After : Sep 6 03:49:15 2022 GMT
>>> Subject: C=US, O=Best Company, CN=CA-ovirt-engine.example.com.28202
>>> Subject Public Key Info:
>>> Public Key Algorithm: rsaEncryption
>>> Public-Key: (1024 bit)
>>> Modulus:
>>> Exponent: 65537 (0x10001)
>>> X509v3 extensions:
>>> X509v3 Subject Key Identifier:
>>> 87:93:27:08:E5:4D:2B:CE:EC:55:2C:E6:C4:C0:EE:32:0C:87:22:BF
>>> Authority Information Access:
>>> CA Issuers - URI:http://ovirt-engine.example.com:80/ca.crt
>>>
>>> X509v3 Authority Key Identifier:
>>> keyid:87:93:27:08:E5:4D:2B:CE:EC:55:2C:E6:C4:C0:EE:32:0C:87:22:BF
>>> DirName:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
>>> serial:01
>>>
>>> X509v3 Basic Constraints: critical
>>> CA:TRUE
>>> X509v3 Key Usage: critical
>>> Certificate Sign, CRL Sign
>>> Signature Algorithm: sha1WithRSAEncryption
>>>
>>> 2012-10-02 07:58:26,813 DEBUG nsPluginInstance::SetHotKeys: release-cursor=shift+f12,toggle-fullscreen=shift+f11
>>> 2012-10-02 07:58:26,813 DEBUG nsPluginInstance::SetNoTaskMgrExecution: 0
>>> 2012-10-02 07:58:26,813 DEBUG nsPluginInstance::SetSendCtrlAltDelete: 0
>>> 2012-10-02 07:58:26,814 DEBUG nsPluginInstance::SetUsbAutoShare: 1
>>> 2012-10-02 07:58:26,815 DEBUG nsPluginInstance::SetUsbFilter: -1,-1,-1,-1,0
>>> 2012-10-02 07:58:26,816 INFO nsPluginInstance::Connect: SPICE_XPI_SOCKET: /tmp/spicec-8ym5mJ/spice-xpi
>>> 2012-10-02 07:58:26,816 INFO nsPluginInstance::Connect: SPICE_FOREIGN_MENU_SOCKET: /tmp/spicec-8ym5mJ/spice-foreign
>>> 2012-10-02 07:58:26,816 DEBUG nsPluginInstance::Connect: Controller pid: 50483
>>> 2012-10-02 07:58:26,816 DEBUG QErrorHandler: Something went wrong: connect error, 2
>>> 2012-10-02 07:58:26,817 DEBUG SpiceController::Connect: Connect Error
>>> 2012-10-02 07:58:26,817 INFO nsPluginInstance::Connect: Launching /usr/libexec/spice-xpi-client
>>> 2012-10-02 07:58:26,817 DEBUG QErrorHandler: Something went wrong: connect error, 2
>>> 2012-10-02 07:58:26,817 DEBUG SpiceController::Connect: Connect Error
>>> 2012-10-02 07:58:27,818 DEBUG SpiceController::Connect: Connected!
>>> 2012-10-02 07:58:29,821 INFO nsPluginInstance::Connect: Initiating connection with controller
>>> 2012-10-02 07:59:05,999 DEBUG nsPluginInstance::ControllerWaitHelper: Controller finished, pid: 50483, exit code: 0
>>> 2012-10-02 07:59:05,999 ERROR nsPluginInstance::CallOnDisconnected: could not get browser window, when trying to call OnDisconnected
>>>
>>> =============================================
>>>
>>>
>>>
>>> Openssl test:
>>> =============================================
>>> [root@centos6 ~]# openssl s_client -connect 10.20.20.2:5902 -CAfile cacert.pem
>>> CONNECTED(00000003)
>>> depth=1 C = US, O = Best Company, CN = CA-ovirt-engine.example.com.28202
>>> verify return:1
>>> depth=0 O = Best Company, CN = 10.20.20.2
>>> verify error:num=9:certificate is not yet valid
>>> notBefore=Oct 4 01:40:57 2012
>>> verify return:1
>>> depth=0 O = Best Company, CN = 10.20.20.2
>>> notBefore=Oct 4 01:40:57 2012
>>> verify return:1
>>> ---
>>> Certificate chain
>>> 0 s:/O=Best Company/CN=10.20.20.2
>>> i:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
>>> 1 s:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
>>> i:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
>>> ---
>>> Server certificate
>>> subject=/O=Best Company/CN=10.20.20.2
>>> issuer=/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 1884 bytes and written 311 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>>> Server public key is 1024 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>> Protocol : TLSv1
>>> Cipher : AES256-SHA
>>> Session-ID: 9747FACA4B5CC4542E050F4B8534E1B71234BC5F99F3221D284BC53D0A5CB746
>>> Session-ID-ctx:
>>> Master-Key: 7A579DA9F75E76C63F3FDFCB5BBE42EE28AEF5211C5AC5ECAE8679166C98FBB5AD00BFC4B8AC5D7E214A3B0069CF50E7
>>> Key-Arg : None
>>> Krb5 Principal: None
>>> PSK identity: None
>>> PSK identity hint: None
>>> TLS session ticket:
>>>
>>> Start Time: 1349186957
>>> Timeout : 300 (sec)
>>> Verify return code: 9 (certificate is not yet valid)
>>> ---
>>>
>>> =============================================
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users(a)ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>>
>>
>
> also note that the host certificate is based on the hostname in the
> engine, so you must give the spice client the host name to validate it with.
That is not the issue in this case because Bret specified the host the same way
as it is in the CN of the server cert.
Bret, one more thing: did you try to put the host in maintenance mode
and then click "Reinstall" in the host Action Items in webadmin? That
way, server certificates should get regenerated and SSL should Just
Work.
David
>
--
David Jaša, RHCE
SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
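Juan's diagnosis above (verify return code 9 means the verifying clock is earlier than the certificate's notBefore) as an added example that is not part of the thread: it parses the dates openssl prints, judges a clock against the validity window, and flags a small "not yet valid" gap as probable clock skew. The notBefore and the client timestamp come from the s_client output and spice-xpi log quoted above; the notAfter value used in the check and the 7-day tolerance are assumptions.

```python
"""Added example: tell clock skew from a genuinely bad certificate.
openssl's "certificate is not yet valid" (verify code 9) means the verifier's
clock is earlier than the cert's notBefore; a freshly issued server cert plus a
client clock a few days behind gives exactly the failure seen in the thread."""
import re
import subprocess
from datetime import datetime, timezone

# Matches the date in "notBefore=Oct  4 01:40:57 2012 GMT" or "Not Before: Sep  6 21:49:14 2012"
# (double spaces and the optional trailing zone are tolerated; openssl dates are UTC).
_DATE_RE = re.compile(r"([A-Z][a-z]{2})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\d{4})")


def parse_openssl_date(text):
    """Parse an openssl-formatted date into an aware UTC datetime."""
    m = _DATE_RE.search(text)
    if not m:
        raise ValueError("no openssl date in %r" % text)
    stamp = datetime.strptime(" ".join(m.groups()), "%b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)


def check_window(not_before, not_after, now):
    """Judge a clock against a validity window (all three are openssl date strings).
    Returns (verdict, skew_seconds): verdict is 'not yet valid' (openssl code 9),
    'expired' (code 10) or 'ok'; skew_seconds is how far the clock lies outside."""
    nb, na, t = (parse_openssl_date(s) for s in (not_before, not_after, now))
    if t < nb:
        return "not yet valid", int((nb - t).total_seconds())
    if t > na:
        return "expired", int((t - na).total_seconds())
    return "ok", 0


def likely_clock_skew(verdict, skew_seconds, tolerance_days=7):
    """A CA does not issue certs that start in the future, so 'not yet valid' by less
    than tolerance_days (an assumed threshold) points at a wrong clock on the verifier
    or on the issuing host, not at the certificate itself."""
    return verdict == "not yet valid" and skew_seconds <= tolerance_days * 86400


def check_cert_file(cert_path):
    """Run the local openssl on a PEM file and judge it against this host's clock."""
    out = subprocess.run(
        ["openssl", "x509", "-in", cert_path, "-noout", "-startdate", "-enddate"],
        check=True, capture_output=True, text=True).stdout
    fields = dict(line.split("=", 1) for line in out.splitlines() if "=" in line)
    now = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S %Y GMT")
    return check_window(fields["notBefore"], fields["notAfter"], now)
```

With the client's clock at the spice-xpi log time (2012-10-02 07:58:26) and the server cert's notBefore of Oct 4 01:40:57 2012, check_window reports "not yet valid" by 150151 seconds, and likely_clock_skew flags it, which matches Bret's finding that spicec was three days behind.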