----- Original Message -----
From: "Cristian Falcas" <cristi.falcas@gmail.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Roy Golan" <rgolan@redhat.com>, users@ovirt.org, "Juan Antonio Hernandez Fernandez" <jhernand@redhat.com>, "David Jaša" <djasa@redhat.com>, "Itamar Heim" <iheim@redhat.com> Sent: Thursday, December 13, 2012 12:53:01 PM Subject: Re: Spice issues with latest vdsm (was Re: [Users] Cannot find suitable CPU model for given data)
On Thu, Dec 13, 2012 at 12:43 PM, Cristian Falcas < cristi.falcas@gmail.com > wrote:
On Thu, Dec 13, 2012 at 2:07 AM, Alon Bar-Lev < alonbl@redhat.com > wrote:
----- Original Message -----
From: "Cristian Falcas" < cristi.falcas@gmail.com >
To: "Alon Bar-Lev" < alonbl@redhat.com > Cc: "Roy Golan" < rgolan@redhat.com >, users@ovirt.org , "Juan Antonio Hernandez Fernandez" < jhernand@redhat.com >, "David Jaša" < djasa@redhat.com >, "Itamar Heim" < iheim@redhat.com
Sent: Thursday, December 13, 2012 2:01:22 AM Subject: Re: Spice issues with latest vdsm (was Re: [Users] Cannot find suitable CPU model for given data)
On Thu, Dec 13, 2012 at 12:13 AM, Alon Bar-Lev < alonbl@redhat.com
wrote:
----- Original Message -----
From: "Cristian Falcas" < cristi.falcas@gmail.com > To: "Itamar Heim" < iheim@redhat.com >
Cc: "Roy Golan" < rgolan@redhat.com >, users@ovirt.org , "Alon Bar-Lev" < alonbl@redhat.com >, "Juan Antonio Hernandez Fernandez" < jhernand@redhat.com >, "David Jaša" < djasa@redhat.com
Sent: Wednesday, December 12, 2012 11:21:32 PM Subject: Re: Spice issues with latest vdsm (was Re: [Users] Cannot find suitable CPU model for given data)
On Wed, Dec 12, 2012 at 11:14 PM, Itamar Heim < iheim@redhat.com
wrote:
On 12/12/2012 10:39 PM, Cristian Falcas wrote:
Hi,
i don't know if I should start a new thread for the spice problems. Here goes some improvements:
I created the certificates like per https://gist.github.com/ 1655511 . i copied the public one to my home: cp /etc/pki/vdsm/libvirt-spice/ ca-cert.pem ~cristi/.spice/spice_ truststore.pem
I had the same problem as in https://bugzilla.redhat.com/ show_bug.cgi?id=880182 . For this I
needed to downgrade libcacard twice (until I had the same version as in the bug)
Now spice works with virt-manager.
Can someone tell me where do I need to copy the certificate on ovirt in order to make spice working over there also?
with which version of boostrap on the engine did you add this host.
vdsm-bootstrap-4.10.3-0.3.git47b71e8.fc17.noarch
And otopi packages installed:
otopi-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch otopi-java-0.0.0-0.5.master.20121211.git9052d0f.fc17.noarch
Any reason to perform certificate enrollment manually?
Alon
It's still not working with the handmade certificates.
I tried to create them because of those errors:
libvirt log:
((null):9248): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from /etc/pki/vdsm/libvirt-spice/ server-cert.pem ((null):9248): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file ((null):9248): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem
[root@localhost Ovirt]# ls -la /etc/pki/vdsm/libvirt-spice/server-cert.pem ls: cannot access /etc/pki/vdsm/libvirt-spice/server-cert.pem: No such file or directory [root@localhost Ovirt]# ls -la /etc/pki/vdsm/libvirt-spice/ca-cert.pem ls: cannot access /etc/pki/vdsm/libvirt-spice/ca-cert.pem: No such file or directory
Spice log:
1355334879 INFO [8950:8950] Application::main: starting 0.12.0 1355334879 INFO [8950:8950] Application::main: command line: spicec --controller 1355334879 INFO [8950:8950] init_key_map: using evdev mapping 1355334879 INFO [8950:8950] MultyMonScreen::MultyMonScreen: platform_win: 77594625 1355334879 INFO [8950:8950] GUI::GUI: 1355334879 INFO [8950:8950] ForeignMenu::ForeignMenu: Creating a foreign menu connection /tmp/SpiceForeignMenu-8950.uds 1355334879 INFO [8950:8950] Controller::Controller: Creating a controller connection /tmp/spicec-9GS5mA/spice-xpi 1355334882 INFO [8950:8952] RedPeer::connect_secure: Connected to cristifalcas.no-ip.org 5902 1355334882 ERROR [8950:8952] RedPeer::connect_secure: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1) 1355334882 WARN [8950:8952] RedChannel::run: SSL Error: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure 1355334882 INFO [8950:8950] main: Spice client terminated (exitcode = 7)
I've done this without an improvment:
[root@localhost Ovirt]# /lib/systemd/systemd-vdsmd reconfigure Configuring libvirt for vdsm... [root@localhost Ovirt]# systemctl restart libvirtd.service vdsmd.service
Why don't you deply the host again? It should create the certificate correctly.
But before you can do this, you must remove whatever certificates you put including symlinks at /etc/pki /etc/libvirt as libvirt will not start if there are invalid certificates.
Alon.
I already did this. Also, i removed all configuration files from host and ovirt, reinstalled ovirt-engine, removed vdsm,libvirt,qemu on host.
I still got this when I start the machine: ((null):5004): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from /etc/pki/vdsm/libvirt-spice/server-cert.pem ((null):5004): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file ((null):5004): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file /etc/pki/vdsm/libvirt-spice/ca-cert.pem
And this when I try to connect:
((null):5004): Spice-Warning **: reds.c:2913:reds_handle_ssl_accept: SSL_accept failed, error=1
Best regards, Cristian falcas
Also, spice is working with virt-manager without any modifications from my side.
OK, thanks, I think I found the missing bit. Alon.