[Users] Cannot connect to guest with spice console; SSL validate error
Hi, I seems very difficult to get this working. I have a Fedora 17 client, installed spice-xpi and tried to access console from User Portal but console never shows up. engine.log prints: 2012-08-07 15:56:18,738 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--0.0.0.0-8009-13) [2a8bc3f4] Running command: SetVmTicketCommand internal: false. Entities affected : ID: 2ad22641-7aeb-4d1b-999e-2c0563376641 Type: VM 2012-08-07 15:56:18,771 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--0.0.0.0-8009-13) [2a8bc3f4] START, SetVmTicketVDSCommand(vdsId = acfc94c0-d7e1-11e1-b35e-b38016c320bb, vmId=2ad22641-7aeb-4d1b-999e-2c0563376641, ticket=NvbcLbRR/7Vx, validTime=120,m userName=karli, userId=de526322-d046-4a06-911e-546e7159556e), log id: 3d61fa94 2012-08-07 15:56:18,816 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--0.0.0.0-8009-13) [2a8bc3f4] FINISH, SetVmTicketVDSCommand, log id: 3d61fa94
From the F17 client with "ovirt-shell" installed from ovirt-3.1 repo: $ console milli (window briefly flashes and disappeares again) warning: could not fetch host certificate info cause used backend/sdk does not support it. warning: host identity will not be validated.
And have also used "spicec" directly from F17 client: # spicec -h cirrus2-1.slu.se -p 5900 -s 5901 -w v36BkUumraDG (The first ticket had by this time expired, so this is a new one) (flashes) Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1) 140059992839392:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063: Warning: SSL Error: # spicec -h cirrus2-1.slu.se -p 5900 -w v36BkUumraDG (flashes) Warning: connect error 5 - need secured connection # rpm -qa | egrep '(ovirt|vdsm)' ovirt-image-uploader-3.1.0-0.git9c42c8.fc17.noarch vdsm-cli-4.10.0-5.fc17.noarch ovirt-engine-config-3.1.0-1.fc17.noarch ovirt-engine-userportal-3.1.0-1.fc17.noarch vdsm-4.10.0-5.fc17.x86_64 ovirt-log-collector-3.1.0-0.git10d719.fc17.noarch ovirt-engine-sdk-3.1.0.4-1.fc17.noarch ovirt-engine-restapi-3.1.0-1.fc17.noarch ovirt-engine-backend-3.1.0-1.fc17.noarch ovirt-engine-3.1.0-1.fc17.noarch ovirt-engine-webadmin-portal-3.1.0-1.fc17.noarch ovirt-engine-notification-service-3.1.0-1.fc17.noarch ovirt-engine-dbscripts-3.1.0-1.fc17.noarch vdsm-python-4.10.0-5.fc17.x86_64 ovirt-engine-genericapi-3.1.0-1.fc17.noarch ovirt-engine-tools-common-3.1.0-1.fc17.noarch ovirt-engine-cli-3.1.0.6-1.fc17.noarch vdsm-xmlrpc-4.10.0-5.fc17.noarch vdsm-bootstrap-4.10.0-5.fc17.noarch ovirt-iso-uploader-3.1.0-0.git1841d9.fc17.noarch ovirt-engine-setup-3.1.0-1.fc17.noarch The engine is installed with SSL as enabled by default, the hosts too. VDSM and libvirt are all active and validate fine towards the engine; have status "UP" and so on, but can't get SPICE console working. VNC works of course, but SPICE would be much cooler:) How do I get console working with SPICE? Best Regards Karli Sjöberg
I don't know if this is the same issue but for some reason my CA cert for spice was a blank file. I copied another one from the vdsm directory (mostly guessing) and it worked. cp /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-spice/ca-cert.pem ________________________________________ From: users-bounces@ovirt.org [users-bounces@ovirt.org] on behalf of Karli Sjöberg [Karli.Sjoberg@slu.se] Sent: Tuesday, August 07, 2012 10:10 AM To: users@oVirt.org Subject: [Users] Cannot connect to guest with spice console; SSL validate error Hi, I seems very difficult to get this working. I have a Fedora 17 client, installed spice-xpi and tried to access console from User Portal but console never shows up. engine.log prints: 2012-08-07 15:56:18,738 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--0.0.0.0-8009-13) [2a8bc3f4] Running command: SetVmTicketCommand internal: false. Entities affected : ID: 2ad22641-7aeb-4d1b-999e-2c0563376641 Type: VM 2012-08-07 15:56:18,771 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--0.0.0.0-8009-13) [2a8bc3f4] START, SetVmTicketVDSCommand(vdsId = acfc94c0-d7e1-11e1-b35e-b38016c320bb, vmId=2ad22641-7aeb-4d1b-999e-2c0563376641, ticket=NvbcLbRR/7Vx, validTime=120,m userName=karli, userId=de526322-d046-4a06-911e-546e7159556e), log id: 3d61fa94 2012-08-07 15:56:18,816 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--0.0.0.0-8009-13) [2a8bc3f4] FINISH, SetVmTicketVDSCommand, log id: 3d61fa94
From the F17 client with "ovirt-shell" installed from ovirt-3.1 repo: $ console milli (window briefly flashes and disappeares again) warning: could not fetch host certificate info cause used backend/sdk does not support it. warning: host identity will not be validated.
And have also used "spicec" directly from F17 client: # spicec -h cirrus2-1.slu.se -p 5900 -s 5901 -w v36BkUumraDG (The first ticket had by this time expired, so this is a new one) (flashes) Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1) 140059992839392:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063: Warning: SSL Error: # spicec -h cirrus2-1.slu.se -p 5900 -w v36BkUumraDG (flashes) Warning: connect error 5 - need secured connection # rpm -qa | egrep '(ovirt|vdsm)' ovirt-image-uploader-3.1.0-0.git9c42c8.fc17.noarch vdsm-cli-4.10.0-5.fc17.noarch ovirt-engine-config-3.1.0-1.fc17.noarch ovirt-engine-userportal-3.1.0-1.fc17.noarch vdsm-4.10.0-5.fc17.x86_64 ovirt-log-collector-3.1.0-0.git10d719.fc17.noarch ovirt-engine-sdk-3.1.0.4-1.fc17.noarch ovirt-engine-restapi-3.1.0-1.fc17.noarch ovirt-engine-backend-3.1.0-1.fc17.noarch ovirt-engine-3.1.0-1.fc17.noarch ovirt-engine-webadmin-portal-3.1.0-1.fc17.noarch ovirt-engine-notification-service-3.1.0-1.fc17.noarch ovirt-engine-dbscripts-3.1.0-1.fc17.noarch vdsm-python-4.10.0-5.fc17.x86_64 ovirt-engine-genericapi-3.1.0-1.fc17.noarch ovirt-engine-tools-common-3.1.0-1.fc17.noarch ovirt-engine-cli-3.1.0.6-1.fc17.noarch vdsm-xmlrpc-4.10.0-5.fc17.noarch vdsm-bootstrap-4.10.0-5.fc17.noarch ovirt-iso-uploader-3.1.0-0.git1841d9.fc17.noarch ovirt-engine-setup-3.1.0-1.fc17.noarch The engine is installed with SSL as enabled by default, the hosts too. VDSM and libvirt are all active and validate fine towards the engine; have status "UP" and so on, but can't get SPICE console working. VNC works of course, but SPICE would be much cooler:) How do I get console working with SPICE? Best Regards Karli Sjöberg _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
On 08/07/2012 05:10 PM, Karli Sjöberg wrote:
Hi,
I seems very difficult to get this working. I have a Fedora 17 client, installed spice-xpi and tried to access console from User Portal but console never shows up. engine.log prints: 2012-08-07 15:56:18,738 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--0.0.0.0-8009-13) [2a8bc3f4] Running command: SetVmTicketCommand internal: false. Entities affected : ID: 2ad22641-7aeb-4d1b-999e-2c0563376641 Type: VM 2012-08-07 15:56:18,771 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--0.0.0.0-8009-13) [2a8bc3f4] START, SetVmTicketVDSCommand(vdsId = acfc94c0-d7e1-11e1-b35e-b38016c320bb, vmId=2ad22641-7aeb-4d1b-999e-2c0563376641, ticket=NvbcLbRR/7Vx, validTime=120,m userName=karli, userId=de526322-d046-4a06-911e-546e7159556e), log id: 3d61fa94 2012-08-07 15:56:18,816 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--0.0.0.0-8009-13) [2a8bc3f4] FINISH, SetVmTicketVDSCommand, log id: 3d61fa94
From the F17 client with "ovirt-shell" installed from ovirt-3.1 repo: $ console milli (window briefly flashes and disappeares again) warning: could not fetch host certificate info cause used backend/sdk does not support it. warning: host identity will not be validated.
And have also used "spicec" directly from F17 client: # spicec -h cirrus2-1.slu.se -p 5900 -s 5901 -w v36BkUumraDG (The first ticket had by this time expired, so this is a new one) (flashes) Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1) 140059992839392:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063: Warning: SSL Error: # spicec -h cirrus2-1.slu.se -p 5900 -w v36BkUumraDG (flashes) Warning: connect error 5 - need secured connection
I wrote a simple script that collects the parameter needed to for spicec in case of secure connection, I was using it on RHEL6, it probably will be easy to convert it to Fedora if it does not already work OTB: #!/bin/bash # Usage: ./spice_to_vm.sh host vm_name PASSWORD="root_password_to_the_host" SECONDS="1200" ssh-copy-id root@$1 >& /dev/null ID=`ssh root@$1 vdsClient -s 0 list table | awk '{print $1":"$3":"}' | grep ":$2:" | sed -e 's/\:.*//g'` ssh root@$1 vdsClient -s 0 setVmTicket $ID $PASSWORD $SECONDS keep >& /dev/null PORT=`ssh root@$1 vdsClient -s 0 getVmStats $ID | grep displaySecurePort | awk '{print $3}'` SUBJECT=`ssh root@$1 openssl x509 -noout -text -in /etc/pki/vdsm/certs/vdsmcert.pem | grep Subject: | cut -f 10- -d " " | sed -e 's/\ //g'` scp root@$1:/etc/pki/vdsm/certs/cacert.pem /tmp/cacert.pem >& /dev/null COMMAND="sudo /usr/libexec/spicec --host-subject \"$SUBJECT\" --password $PASSWORD --secure-channels all -h $1 --secure-port $PORT --ca-file /tmp/cacert.pem" echo $COMMAND
# rpm -qa | egrep '(ovirt|vdsm)' ovirt-image-uploader-3.1.0-0.git9c42c8.fc17.noarch vdsm-cli-4.10.0-5.fc17.noarch ovirt-engine-config-3.1.0-1.fc17.noarch ovirt-engine-userportal-3.1.0-1.fc17.noarch vdsm-4.10.0-5.fc17.x86_64 ovirt-log-collector-3.1.0-0.git10d719.fc17.noarch ovirt-engine-sdk-3.1.0.4-1.fc17.noarch ovirt-engine-restapi-3.1.0-1.fc17.noarch ovirt-engine-backend-3.1.0-1.fc17.noarch ovirt-engine-3.1.0-1.fc17.noarch ovirt-engine-webadmin-portal-3.1.0-1.fc17.noarch ovirt-engine-notification-service-3.1.0-1.fc17.noarch ovirt-engine-dbscripts-3.1.0-1.fc17.noarch vdsm-python-4.10.0-5.fc17.x86_64 ovirt-engine-genericapi-3.1.0-1.fc17.noarch ovirt-engine-tools-common-3.1.0-1.fc17.noarch ovirt-engine-cli-3.1.0.6-1.fc17.noarch vdsm-xmlrpc-4.10.0-5.fc17.noarch vdsm-bootstrap-4.10.0-5.fc17.noarch ovirt-iso-uploader-3.1.0-0.git1841d9.fc17.noarch ovirt-engine-setup-3.1.0-1.fc17.noarch
The engine is installed with SSL as enabled by default, the hosts too. VDSM and libvirt are all active and validate fine towards the engine; have status "UP" and so on, but can't get SPICE console working. VNC works of course, but SPICE would be much cooler:) How do I get console working with SPICE?
Best Regards Karli Sjöberg _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
-- Thanks, Rami Vaknin, QE @ Red Hat, TLV, IL.
On 08/07/2012 05:23 PM, Rami Vaknin wrote:
On 08/07/2012 05:10 PM, Karli Sjöberg wrote:
Hi,
I seems very difficult to get this working. I have a Fedora 17 client, installed spice-xpi and tried to access console from User Portal but console never shows up. engine.log prints: 2012-08-07 15:56:18,738 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--0.0.0.0-8009-13) [2a8bc3f4] Running command: SetVmTicketCommand internal: false. Entities affected : ID: 2ad22641-7aeb-4d1b-999e-2c0563376641 Type: VM 2012-08-07 15:56:18,771 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--0.0.0.0-8009-13) [2a8bc3f4] START, SetVmTicketVDSCommand(vdsId = acfc94c0-d7e1-11e1-b35e-b38016c320bb, vmId=2ad22641-7aeb-4d1b-999e-2c0563376641, ticket=NvbcLbRR/7Vx, validTime=120,m userName=karli, userId=de526322-d046-4a06-911e-546e7159556e), log id: 3d61fa94 2012-08-07 15:56:18,816 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--0.0.0.0-8009-13) [2a8bc3f4] FINISH, SetVmTicketVDSCommand, log id: 3d61fa94
From the F17 client with "ovirt-shell" installed from ovirt-3.1 repo: $ console milli (window briefly flashes and disappeares again) warning: could not fetch host certificate info cause used backend/sdk does not support it. warning: host identity will not be validated.
And have also used "spicec" directly from F17 client: # spicec -h cirrus2-1.slu.se -p 5900 -s 5901 -w v36BkUumraDG (The first ticket had by this time expired, so this is a new one) (flashes) Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1) 140059992839392:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063: Warning: SSL Error: # spicec -h cirrus2-1.slu.se -p 5900 -w v36BkUumraDG (flashes) Warning: connect error 5 - need secured connection
I wrote a simple script that collects the parameter needed to for spicec in case of secure connection, I was using it on RHEL6, it probably will be easy to convert it to Fedora if it does not already work OTB:
#!/bin/bash
# Usage: ./spice_to_vm.sh host vm_name
PASSWORD="root_password_to_the_host" SECONDS="1200"
ssh-copy-id root@$1 >& /dev/null
ID=`ssh root@$1 vdsClient -s 0 list table | awk '{print $1":"$3":"}' | grep ":$2:" | sed -e 's/\:.*//g'` ssh root@$1 vdsClient -s 0 setVmTicket $ID $PASSWORD $SECONDS keep >& /dev/null
you should really setvmticket via restapi rather than directly to the host.
PORT=`ssh root@$1 vdsClient -s 0 getVmStats $ID | grep displaySecurePort | awk '{print $3}'` SUBJECT=`ssh root@$1 openssl x509 -noout -text -in /etc/pki/vdsm/certs/vdsmcert.pem | grep Subject: | cut -f 10- -d " " | sed -e 's/\ //g'`
scp root@$1:/etc/pki/vdsm/certs/cacert.pem /tmp/cacert.pem >& /dev/null COMMAND="sudo /usr/libexec/spicec --host-subject \"$SUBJECT\" --password $PASSWORD --secure-channels all -h $1 --secure-port $PORT --ca-file /tmp/cacert.pem"
echo $COMMAND
# rpm -qa | egrep '(ovirt|vdsm)' ovirt-image-uploader-3.1.0-0.git9c42c8.fc17.noarch vdsm-cli-4.10.0-5.fc17.noarch ovirt-engine-config-3.1.0-1.fc17.noarch ovirt-engine-userportal-3.1.0-1.fc17.noarch vdsm-4.10.0-5.fc17.x86_64 ovirt-log-collector-3.1.0-0.git10d719.fc17.noarch ovirt-engine-sdk-3.1.0.4-1.fc17.noarch ovirt-engine-restapi-3.1.0-1.fc17.noarch ovirt-engine-backend-3.1.0-1.fc17.noarch ovirt-engine-3.1.0-1.fc17.noarch ovirt-engine-webadmin-portal-3.1.0-1.fc17.noarch ovirt-engine-notification-service-3.1.0-1.fc17.noarch ovirt-engine-dbscripts-3.1.0-1.fc17.noarch vdsm-python-4.10.0-5.fc17.x86_64 ovirt-engine-genericapi-3.1.0-1.fc17.noarch ovirt-engine-tools-common-3.1.0-1.fc17.noarch ovirt-engine-cli-3.1.0.6-1.fc17.noarch vdsm-xmlrpc-4.10.0-5.fc17.noarch vdsm-bootstrap-4.10.0-5.fc17.noarch ovirt-iso-uploader-3.1.0-0.git1841d9.fc17.noarch ovirt-engine-setup-3.1.0-1.fc17.noarch
The engine is installed with SSL as enabled by default, the hosts too. VDSM and libvirt are all active and validate fine towards the engine; have status "UP" and so on, but can't get SPICE console working. VNC works of course, but SPICE would be much cooler:) How do I get console working with SPICE?
Best Regards Karli Sjöberg _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
--_000_CFC743BDE7CA451DB319DDE839A54220sluse_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable 7 aug 2012 kl. 16.23 skrev Rami Vaknin: On 08/07/2012 05:10 PM, Karli Sj=F6berg wrote: Hi, I seems very difficult to get this working. I have a Fedora 17 client, inst= alled spice-xpi and tried to access console from User Portal but console ne= ver shows up. engine.log prints: 2012-08-07 15:56:18,738 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand= ] (ajp--0.0.0.0-8009-13) [2a8bc3f4] Running command: SetVmTicketCommand int= ernal: false. Entities affected : ID: 2ad22641-7aeb-4d1b-999e-2c0563376641= Type: VM 2012-08-07 15:56:18,771 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.Se= tVmTicketVDSCommand] (ajp--0.0.0.0-8009-13) [2a8bc3f4] START, SetVmTicketVD= SCommand(vdsId =3D acfc94c0-d7e1-11e1-b35e-b38016c320bb, vmId=3D2ad22641-7a= eb-4d1b-999e-2c0563376641, ticket=3DNvbcLbRR/7Vx, validTime=3D120,m userNam= e=3Dkarli, userId=3Dde526322-d046-4a06-911e-546e7159556e), log id: 3d61fa94 2012-08-07 15:56:18,816 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.Se= tVmTicketVDSCommand] (ajp--0.0.0.0-8009-13) [2a8bc3f4] FINISH, SetVmTicketV= DSCommand, log id: 3d61fa94
From the F17 client with "ovirt-shell" installed from ovirt-3.1 repo: $ console milli (window briefly flashes and disappeares again) warning: could not fetch host certificate info cause used backend/sdk does = not support it. warning: host identity will not be validated.
<br></blockquote><blockquote type=3D"cite">I seems very difficult to get t= his working. I have a Fedora 17 client, installed spice-xpi and tried to ac= cess console from User Portal but console never shows up. engine.log prints= :<br></blockquote><blockquote type=3D"cite">2012-08-07 15:56:18,738 INFO &n= bsp;[org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--0.0.0.0-8009-13) [= 2a8bc3f4] Running command: SetVmTicketCommand internal: false. Entities aff= ected : ID: 2ad22641-7aeb-4d1b-999e-2c0563376641 Type: VM<br></blockq= uote><blockquote type=3D"cite">2012-08-07 15:56:18,771 INFO [org.ovir= t.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--0.0.0.0-8009= -13) [2a8bc3f4] START, SetVmTicketVDSCommand(vdsId =3D acfc94c0-d7e1-11e1-b= 35e-b38016c320bb, vmId=3D2ad22641-7aeb-4d1b-999e-2c0563376641, ticket=3DNvb= cLbRR/7Vx, validTime=3D120,m userName=3Dkarli, userId=3Dde526322-d046-4a06-= 911e-546e7159556e), log id: 3d61fa94<br></blockquote><blockquote type=3D"ci= te">2012-08-07 15:56:18,816 INFO [org.ovirt.engine.core.vdsbroker.vds= broker.SetVmTicketVDSCommand] (ajp--0.0.0.0-8009-13) [2a8bc3f4] FINISH, Set= VmTicketVDSCommand, log id: 3d61fa94<br></blockquote><blockquote type=3D"ci= te"><br></blockquote><blockquote type=3D"cite"> From the F17 client with "o= virt-shell" installed from ovirt-3.1 repo:<br></blockquote><blockquote type= =3D"cite">$ console milli<br></blockquote><blockquote type=3D"cite">(window= briefly flashes and disappeares again)<br></blockquote><blockquote type=3D= "cite">warning: could not fetch host certificate info cause used backend/sd= k does not support it.<br></blockquote><blockquote type=3D"cite">warning: h= ost identity will not be validated.<br></blockquote><blockquote type=3D"cit= e"><br></blockquote><blockquote type=3D"cite">And have also used "spicec" d= irectly from F17 client:<br></blockquote><blockquote type=3D"cite"># spicec= -h <a href=3D"http://cirrus2-1.slu.se">cirrus2-1.slu.se</a> -p 5900 -s 590= 1 -w v36BkUumraDG (The first ticket had by this time expired, so this is a = new one)<br></blockquote><blockquote type=3D"cite">(flashes)<br></blockquot= e><blockquote type=3D"cite">Error: failed to connect w/SSL, ssl_error error= :00000001:lib(0):func(0):reason(1)<br></blockquote><blockquote type=3D"cite= ">140059992839392:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:c= ertificate verify failed:s3_clnt.c:1063:<br></blockquote><blockquote type= =3D"cite">Warning: SSL Error:<br></blockquote><blockquote type=3D"cite"># s=
And have also used "spicec" directly from F17 client: # spicec -h cirrus2-1.slu.se<http://cirrus2-1.slu.se> -p 5900 -s 5901 -w v3= 6BkUumraDG (The first ticket had by this time expired, so this is a new one= ) (flashes) Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):rea= son(1) 140059992839392:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:cer= tificate verify failed:s3_clnt.c:1063: Warning: SSL Error: # spicec -h cirrus2-1.slu.se<http://cirrus2-1.slu.se> -p 5900 -w v36BkUumra= DG (flashes) Warning: connect error 5 - need secured connection I wrote a simple script that collects the parameter needed to for spicec in case of secure connection, I was using it on RHEL6, it probably will be easy to convert it to Fedora if it does not already work OTB: #!/bin/bash # Usage: ./spice_to_vm.sh host vm_name PASSWORD=3D"root_password_to_the_host" SECONDS=3D"1200" ssh-copy-id root@$1 >& /dev/null ID=3D`ssh root@$1 vdsClient -s 0 list table | awk '{print $1":"$3":"}' | grep ":$2:" | sed -e 's/\:.*//g'` ssh root@$1 vdsClient -s 0 setVmTicket $ID $PASSWORD $SECONDS keep >& /dev/null PORT=3D`ssh root@$1 vdsClient -s 0 getVmStats $ID | grep displaySecurePort | awk '{print $3}'` SUBJECT=3D`ssh root@$1 openssl x509 -noout -text -in /etc/pki/vdsm/certs/vdsmcert.pem | grep Subject: | cut -f 10- -d " " | sed -e 's/\ //g'` scp root@$1:/etc/pki/vdsm/certs/cacert.pem /tmp/cacert.pem >& /dev/null COMMAND=3D"sudo /usr/libexec/spicec --host-subject \"$SUBJECT\" --password $PASSWORD --secure-channels all -h $1 --secure-port $PORT --ca-file /tmp/cacert.pem" echo $COMMAND Thank you so much, this helped me realize what the issue was. I had at firs= t added the hosts to my engine with a "black" address on the storage networ= k. But I changed the "display network" to the public network, so that you c= an connect to a console from anywhere. This made the certificate of the hos= ts invalid, as the "--host-subject" doesn=B4t match the address that you co= nnect to: # spicec --host-subject "O=3Dslu,CN=3Dcirrus2-2.sto.slu.se" --password RFes= feuIGHhd -h cirrus2-2.slu.se<http://cirrus2-2.slu.se> -s 5903 So this means that changing your display network breaks SPICE consoles. Les= s than good, I would say. I was able to solve this by removing the hosts from engine and adding them = again, but with the public address instead, so now the connection address a= nd host subject match. I logged in to the admin portal, clicked for console= and voil=E1, console appears. BUT if I log in to the user portal with the = same credentials and click for console on the same guest(or any other), a c= onsole screen briefly flashes and then disappears:( Bug. /Karli # rpm -qa | egrep '(ovirt|vdsm)' ovirt-image-uploader-3.1.0-0.git9c42c8.fc17.noarch vdsm-cli-4.10.0-5.fc17.noarch ovirt-engine-config-3.1.0-1.fc17.noarch ovirt-engine-userportal-3.1.0-1.fc17.noarch vdsm-4.10.0-5.fc17.x86_64 ovirt-log-collector-3.1.0-0.git10d719.fc17.noarch ovirt-engine-sdk-3.1.0.4-1.fc17.noarch ovirt-engine-restapi-3.1.0-1.fc17.noarch ovirt-engine-backend-3.1.0-1.fc17.noarch ovirt-engine-3.1.0-1.fc17.noarch ovirt-engine-webadmin-portal-3.1.0-1.fc17.noarch ovirt-engine-notification-service-3.1.0-1.fc17.noarch ovirt-engine-dbscripts-3.1.0-1.fc17.noarch vdsm-python-4.10.0-5.fc17.x86_64 ovirt-engine-genericapi-3.1.0-1.fc17.noarch ovirt-engine-tools-common-3.1.0-1.fc17.noarch ovirt-engine-cli-3.1.0.6-1.fc17.noarch vdsm-xmlrpc-4.10.0-5.fc17.noarch vdsm-bootstrap-4.10.0-5.fc17.noarch ovirt-iso-uploader-3.1.0-0.git1841d9.fc17.noarch ovirt-engine-setup-3.1.0-1.fc17.noarch The engine is installed with SSL as enabled by default, the hosts too. VDSM= and libvirt are all active and validate fine towards the engine; have stat= us "UP" and so on, but can't get SPICE console working. VNC works of course= , but SPICE would be much cooler:) How do I get console working with SPICE? Best Regards Karli Sj=F6berg _______________________________________________ Users mailing list Users@ovirt.org<mailto:Users@ovirt.org> http://lists.ovirt.org/mailman/listinfo/users -- Thanks, Rami Vaknin, QE @ Red Hat, TLV, IL. Med V=E4nliga H=E4lsningar ---------------------------------------------------------------------------= ---- Karli Sj=F6berg Swedish University of Agricultural Sciences Box 7079 (Visiting Address Kron=E5sv=E4gen 8) S-750 07 Uppsala, Sweden Phone: +46-(0)18-67 15 66 karli.sjoberg@slu.se<mailto:karli.sjoberg@adm.slu.se> --_000_CFC743BDE7CA451DB319DDE839A54220sluse_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <html><head></head><body style=3D"word-wrap: break-word; -webkit-nbsp-mode:= space; -webkit-line-break: after-white-space; "><br><div><div>7 aug 2012 k= l. 16.23 skrev Rami Vaknin:</div><br class=3D"Apple-interchange-newline"><b= lockquote type=3D"cite"><div>On 08/07/2012 05:10 PM, Karli Sj=F6berg wrote:= <br><blockquote type=3D"cite">Hi,<br></blockquote><blockquote type=3D"cite"= picec -h <a href=3D"http://cirrus2-1.slu.se">cirrus2-1.slu.se</a> -p 5900 -= w v36BkUumraDG<br></blockquote><blockquote type=3D"cite">(flashes)<br></blo= ckquote><blockquote type=3D"cite">Warning: connect error 5 - need secured c= onnection<br></blockquote><br>I wrote a simple script that collects the par= ameter needed to for spicec <br>in case of secure connection, I was using i= t on RHEL6, it probably will <br>be easy to convert it to Fedora if it does= not already work OTB:<br><br>#!/bin/bash<br><br># Usage: ./spice_to_vm.sh = host vm_name<br><br>PASSWORD=3D"root_password_to_the_host"<br>SECONDS=3D"12= 00"<br><br>ssh-copy-id root@$1 >& /dev/null<br><br>ID=3D`ssh root@$1= vdsClient -s 0 list table | awk '{print $1":"$3":"}' | <br>grep ":$2:" | s= ed -e 's/\:.*//g'`<br>ssh root@$1 vdsClient -s 0 setVmTicket $ID $PASSWORD = $SECONDS keep >& <br>/dev/null<br><br>PORT=3D`ssh root@$1 vdsClient = -s 0 getVmStats $ID | grep displaySecurePort <br>| awk '{print $3}'`<br>SUB= JECT=3D`ssh root@$1 openssl x509 -noout -text -in <br>/etc/pki/vdsm/certs/v= dsmcert.pem | grep Subject: | cut -f 10- -d " " | <br>sed -e 's/\ //g'`<br>= <br>scp root@$1:/etc/pki/vdsm/certs/cacert.pem /tmp/cacert.pem >& /d= ev/null<br>COMMAND=3D"sudo /usr/libexec/spicec --host-subject \"$SUBJECT\" = --password <br>$PASSWORD --secure-channels all -h $1 --secure-port $PORT --= ca-file <br>/tmp/cacert.pem"<br><br>echo $COMMAND<br></div></blockquote><di= v><br></div>Thank you so much, this helped me realize what the issue was. I= had at first added the hosts to my engine with a "black" address on the st= orage network. But I changed the "display network" to the public network, s= o that you can connect to a console from anywhere. This made the certificat= e of the hosts invalid, as the "<span class=3D"Apple-style-span" style=3D"f= ont-size: 12px; ">--host-subject" doesn=B4t match the address that you conn= ect to:</span></div><div><br></div><div># <span class=3D"Apple-style-s= pan" style=3D"font-size: 12px; ">spicec --host-subject "O=3Dslu,CN=3Dcirrus= 2-2.sto.slu.se" --password RFesfeuIGHhd -h </span><span class=3D"Apple-styl= e-span" style=3D"font-size: 12px; "><a href=3D"http://cirrus2-2.slu.se">cir= rus2-2.slu.se</a></span><span class=3D"Apple-style-span" style=3D"font-size= : 12px; "> -s 5903</span></div><div><br></div><div>So this means that chang= ing your display network breaks SPICE consoles. Less than good, I would say= .</div><div><br></div><div>I was able to solve this by removing the hosts f= rom engine and adding them again, but with the public address instead, so n= ow the connection address and host subject match. I logged in to the admin = portal, clicked for console and voil=E1, console appears. BUT if I log in t= o the <b>user</b> portal with the same credentials and click for console on= the same guest(or any other), a console screen briefly flashes and then di= sappears:( Bug.</div><div><br></div><div>/Karli</div><div><br><blockquote t= ype=3D"cite"><div><br><blockquote type=3D"cite"><br></blockquote><blockquot= e type=3D"cite"># rpm -qa | egrep '(ovirt|vdsm)'<br></blockquote><blockquot= e type=3D"cite">ovirt-image-uploader-3.1.0-0.git9c42c8.fc17.noarch<br></blo= ckquote><blockquote type=3D"cite">vdsm-cli-4.10.0-5.fc17.noarch<br></blockq= uote><blockquote type=3D"cite">ovirt-engine-config-3.1.0-1.fc17.noarch<br><= /blockquote><blockquote type=3D"cite">ovirt-engine-userportal-3.1.0-1.fc17.= noarch<br></blockquote><blockquote type=3D"cite">vdsm-4.10.0-5.fc17.x86_64<= br></blockquote><blockquote type=3D"cite">ovirt-log-collector-3.1.0-0.git10= d719.fc17.noarch<br></blockquote><blockquote type=3D"cite">ovirt-engine-sdk= -3.1.0.4-1.fc17.noarch<br></blockquote><blockquote type=3D"cite">ovirt-engi= ne-restapi-3.1.0-1.fc17.noarch<br></blockquote><blockquote type=3D"cite">ov= irt-engine-backend-3.1.0-1.fc17.noarch<br></blockquote><blockquote type=3D"= cite">ovirt-engine-3.1.0-1.fc17.noarch<br></blockquote><blockquote type=3D"= cite">ovirt-engine-webadmin-portal-3.1.0-1.fc17.noarch<br></blockquote><blo= ckquote type=3D"cite">ovirt-engine-notification-service-3.1.0-1.fc17.noarch= <br></blockquote><blockquote type=3D"cite">ovirt-engine-dbscripts-3.1.0-1.f= c17.noarch<br></blockquote><blockquote type=3D"cite">vdsm-python-4.10.0-5.f= c17.x86_64<br></blockquote><blockquote type=3D"cite">ovirt-engine-genericap= i-3.1.0-1.fc17.noarch<br></blockquote><blockquote type=3D"cite">ovirt-engin= e-tools-common-3.1.0-1.fc17.noarch<br></blockquote><blockquote type=3D"cite= ">ovirt-engine-cli-3.1.0.6-1.fc17.noarch<br></blockquote><blockquote type= =3D"cite">vdsm-xmlrpc-4.10.0-5.fc17.noarch<br></blockquote><blockquote type= =3D"cite">vdsm-bootstrap-4.10.0-5.fc17.noarch<br></blockquote><blockquote t= ype=3D"cite">ovirt-iso-uploader-3.1.0-0.git1841d9.fc17.noarch<br></blockquo= te><blockquote type=3D"cite">ovirt-engine-setup-3.1.0-1.fc17.noarch<br></bl= ockquote><blockquote type=3D"cite"><br></blockquote><blockquote type=3D"cit= e"><br></blockquote><blockquote type=3D"cite">The engine is installed with = SSL as enabled by default, the hosts too. VDSM and libvirt are all active a= nd validate fine towards the engine; have status "UP" and so on, but can't = get SPICE console working. VNC works of course, but SPICE would be much coo= ler:) How do I get console working with SPICE?<br></blockquote><blockquote = type=3D"cite"><br></blockquote><blockquote type=3D"cite">Best Regards<br></= blockquote><blockquote type=3D"cite">Karli Sj=F6berg<br></blockquote><block= quote type=3D"cite">_______________________________________________<br></bl= ockquote><blockquote type=3D"cite">Users mailing list<br></blockquote><bloc= kquote type=3D"cite"><a href=3D"mailto:Users@ovirt.org">Users@ovirt.org</a>= <br></blockquote><blockquote type=3D"cite"><a href=3D"http://lists.ovirt.or= g/mailman/listinfo/users">http://lists.ovirt.org/mailman/listinfo/users</a>= <br></blockquote><br><br>-- <br><br>Thanks,<br><br>Rami Vaknin, QE @ Red Ha= t, TLV, IL.<br><br></div></blockquote></div><br><div> <div><br class=3D"Apple-interchange-newline"><br></div><div>Med V=E4nliga H= =E4lsningar<br>------------------------------------------------------------= -------------------<br>Karli Sj=F6berg<br>Swedish University of Agricultura= l Sciences<br>Box 7079 (Visiting Address Kron=E5sv=E4gen 8)<br>S-750 07 Upp= sala, Sweden<br>Phone: +46-(0)18-67 15 66</div><div><a href=3D"mailto= :karli.sjoberg@adm.slu.se">karli.sjoberg@slu.se</a></div> </div> <br></body></html>= --_000_CFC743BDE7CA451DB319DDE839A54220sluse_--
participants (4)
-
Itamar Heim -
Jacob Wyatt -
Karli Sjöberg -
Rami Vaknin