[ovirt-users] Spice Client Connection Issues Using aSpice

--_000_BLUPR02MB100378235058BDDF660037FFAC90BLUPR02MB100namprd_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hello, I am having trouble connecting to my guest vm (Kali Linux) which is running= spice. My engine is running version: 4.2.1.7-1.el7.centos. I am using oVirt Node as my host running version: 4.2.1.1. I have taken the following steps to try and get everything running properly= . 1. Download the root CA certificate https://ovirtengine.lan/ovirt-engine= /services/pki-resource?resource=3Dca-certificate&format=3DX509-PEM-CA 2. Edit the vm and define the graphical console entries. Video type is = set to QXL, Graphics protocol is spice, USB support is enabled. 3. Install the guest agent in Debian per the instructions here - https:/= /www.ovirt.org/documentation/how-to/guest-agent/install-the-guest-agent-in-= debian/ It is my understanding that installing the guest agent will also i= nstall the virt IO device drivers. 4. Install the spice-vdagent per the instructions here - https://www.ovi= rt.org/documentation/how-to/guest-agent/install-the-spice-guest-agent/ 5. On the aSpice client I have imported the CA certficate from step 1 a= bove. I defined the connection using the IP of my Node and TLS port 5901. To troubleshoot my connection issues I confirmed the port being used to lis= ten. virsh # domdisplay Kali spice://172.30.42.12?tls-port=3D5901 I see the following when attempting to connect. tail -f /var/log/libvirt/qemu/Kali.log 140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert int= ernal error:s3_pkt.c:1493:SSL alert number 80 ((null):27595): Spice-Warning **: reds_stream.c:379:reds_stream_ssl_accept:= SSL_accept failed, error=3D1 I came across some documentation that states in the caveat section "Certifi= cate of spice SSL should be separate certificate." https://www.ovirt.org/develop/release-management/features/infra/pki/ Is this still the case for version 4? The document references version 3.2 = and 3.3. If so, how do I generate a new certificate for use with spice? P= lease let me know if you require further info to troubleshoot, I am happy t= o provide it. Many thanks in advance. <https://www.ovirt.org/develop/release-management/features/infra/pki/> --_000_BLUPR02MB100378235058BDDF660037FFAC90BLUPR02MB100namprd_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <html> <head> <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-= 1"> <style type=3D"text/css" style=3D"display:none;"><!-- P {margin-top:0;margi= n-bottom:0;} --></style> </head> <body dir=3D"ltr"> <div id=3D"divtagdefaultwrapper" style=3D"font-size:12pt;color:#000000;font= -family:Calibri,Helvetica,sans-serif;" dir=3D"ltr"> <p style=3D"margin-top:0;margin-bottom:0">Hello,</p> <p style=3D"margin-top:0;margin-bottom:0">I am having trouble connecting to= my guest vm (Kali Linux) which is running spice. My engine is running vers= ion:&nbsp;<span class=3D"gwt-InlineLabel GNEKTHVBIXB"></span><span class=3D= "gwt-InlineLabel">4.2.1.7-1.el7.centos</span>.</p> <p style=3D"margin-top:0;margin-bottom:0">I am using oVirt Node as my host = running version:<span> 4.2.1.1.&nbsp; <br> </span></p> <p style=3D"margin-top:0;margin-bottom:0"><span><br> </span></p> <p style=3D"margin-top:0;margin-bottom:0"><span>I have taken the following = steps to try and get everything running properly.</span></p> <ol style=3D"margin-bottom: 0px; margin-top: 0px;"> <li><span>Download the root CA certificate&nbsp;<a href=3D"https://ovirteng= ine.lan/ovirt-engine/services/pki-resource?resource=3Dca-certificate&amp;fo= rmat=3DX509-PEM-CA" class=3D"OWAAutoLink" id=3D"LPlnk141717" previewremoved= =3D"true">https://ovirtengine.lan/ovirt-engine/services/pki-resource?resour= ce=3Dca-certificate&amp;format=3DX509-PEM-CA</a></span></li><li><span>Edit = the vm and define the graphical console entries.&nbsp; Video type is set to= QXL, Graphics protocol is spice, USB support is enabled.</span></li><li><s= pan>Install the guest agent in Debian per the instructions here - <a href= =3D"https://www.ovirt.org/documentation/how-to/guest-agent/install-the-gues= t-agent-in-debian/" class=3D"OWAAutoLink" id=3D"LPlnk263752" previewremoved= =3D"true"> https://www.ovirt.org/documentation/how-to/guest-agent/install-the-guest-ag= ent-in-debian/</a>&nbsp; It is my understanding that installing the guest a= gent will also install the virt IO device drivers.<br> </span></li><li><span>Install the spice-vdagent per the instructions here -= <a href=3D"https://www.ovirt.org/documentation/how-to/guest-agent/insta... the-spice-guest-agent/" class=3D"OWAAutoLink" id=3D"LPlnk313725" previewrem= oved=3D"true"> https://www.ovirt.org/documentation/how-to/guest-agent/install-the-spice-gu= est-agent/</a></span></li><li><span>&nbsp;On the aSpice client I have impor= ted the CA certficate from step 1 above.&nbsp; I defined the connection usi= ng the IP of my Node and TLS port 5901.</span></li></ol> <span><br> To troubleshoot my connection issues I confirmed the port being used to lis= ten.&nbsp; <br> <div>virsh # domdisplay Kali<br> <span>spice://172.30.42.12?tls-port=3D5901</span></div> <br> I see the following when attempting to connect.<br> tail -f <span>/var/log/libvirt/qemu</span>/Kali.log<br> <br> <div> <div>140400191081600:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 aler= t internal error:s3_pkt.c:1493:SSL alert number 80<br> ((null):27595): Spice-Warning **: reds_stream.c:379:reds_stream_ssl_accept:= SSL_accept failed, error=3D1<br> <br> I came across some documentation that states in the caveat section &quot;<s= pan>Certificate of spice SSL should be separate certificate.&quot;</span><b= r> <a href=3D"https://www.ovirt.org/develop/release-management/features/in... pki/" class=3D"OWAAutoLink" id=3D"LPlnk743161" previewremoved=3D"true">http= s://www.ovirt.org/develop/release-management/features/infra/pki/</a>... <br> Is this still the case for version 4?&nbsp; The document references version= 3.2 and 3.3.&nbsp; If so, how do I generate a new certificate for use with= spice?&nbsp; Please let me know if you require further info to troubleshoo= t, I am happy to provide it.&nbsp; Many thanks in advance.<br> <a href=3D"https://www.ovirt.org/develop/release-management/features/in... pki/" class=3D"OWAAutoLink" id=3D"LPlnk743161" previewremoved=3D"true"></a>= <br> <br> </div> <br> <br> </div> <br> </span><br> <span><br> <br> </span> <p style=3D"margin-top:0;margin-bottom:0"><br> </p> </div> </body> </html> --_000_BLUPR02MB100378235058BDDF660037FFAC90BLUPR02MB100namprd_--