[Users] [vdsm] SPICE SSL Woes

I can't seem to get this secure spice session to work. Any help is appreciated, already burnt 20 hours on this.
Spice versions: spice-server-0.10.1 spice-client 0.12.0 spice-xpi 2.7
spicec: I set the password to abcd using a bash script found on this mailing list, valid for 1200 seconds.
=============================================
# spicec --password abcd --secure-channels all -h 10.20.20.2 --secure-port 5902 --ca-file cacert.pem
Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
139833084392776:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
Warning: SSL Error:
=============================================
spice-xpi: spice-xpi.log
=============================================
built and installed latest (which is great, has better debugging output):
2012-10-02 07:58:26,805 DEBUG nsPluginInstance::SetHostIP: 10.20.20.2
2012-10-02 07:58:26,806 DEBUG nsPluginInstance::SetPort: 5901
2012-10-02 07:58:26,806 DEBUG nsPluginInstance::SetTitle: Test:%d - Press SHIFT+F12 to Release Cursor
2012-10-02 07:58:26,807 DEBUG nsPluginInstance::SetDynamicMenu:
2012-10-02 07:58:26,807 DEBUG nsPluginInstance::SetFullScreen: 0
2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetPassword: Password set
2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetNumberOfMonitors: 1
2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetUsbListenPort: 0
2012-10-02 07:58:26,809 DEBUG nsPluginInstance::SetAdminConsole: 1
2012-10-02 07:58:26,809 DEBUG nsPluginInstance::SetSecurePort: 5902
2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetSSLChannels: original channels: smain,sinputs,scursor,splayback,srecord,sdisplay
2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetSSLChannels: modified channels: main,inputs,cursor,playback,record,display
2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetGuestHostName: Test
2012-10-02 07:58:26,811 DEBUG nsPluginInstance::SetCipherSuite: DEFAULT
2012-10-02 07:58:26,811 DEBUG nsPluginInstance::SetHostSubject: O=Best Company,CN=10.20.20.2
2012-10-02 07:58:26,812 DEBUG nsPluginInstance::SetTrustStore: Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Best Company, CN=CA-ovirt-engine.example.com.28202
        Validity
            Not Before: Sep 6 21:49:14 2012
            Not After : Sep 6 03:49:15 2022 GMT
        Subject: C=US, O=Best Company, CN=CA-ovirt-engine.example.com.28202
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                87:93:27:08:E5:4D:2B:CE:EC:55:2C:E6:C4:C0:EE:32:0C:87:22:BF
            Authority Information Access:
                CA Issuers - URI:http://ovirt-engine.example.com:80/ca.crt
            X509v3 Authority Key Identifier:
                keyid:87:93:27:08:E5:4D:2B:CE:EC:55:2C:E6:C4:C0:EE:32:0C:87:22:BF
                DirName:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
                serial:01
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    Signature Algorithm: sha1WithRSAEncryption
        [...]
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
2012-10-02 07:58:26,813 DEBUG nsPluginInstance::SetHotKeys: release-cursor=shift+f12,toggle-fullscreen=shift+f11
2012-10-02 07:58:26,813 DEBUG nsPluginInstance::SetNoTaskMgrExecution: 0
2012-10-02 07:58:26,813 DEBUG nsPluginInstance::SetSendCtrlAltDelete: 0
2012-10-02 07:58:26,814 DEBUG nsPluginInstance::SetUsbAutoShare: 1
2012-10-02 07:58:26,815 DEBUG nsPluginInstance::SetUsbFilter: -1,-1,-1,-1,0
2012-10-02 07:58:26,816 INFO nsPluginInstance::Connect: SPICE_XPI_SOCKET: /tmp/spicec-8ym5mJ/spice-xpi
2012-10-02 07:58:26,816 INFO nsPluginInstance::Connect: SPICE_FOREIGN_MENU_SOCKET: /tmp/spicec-8ym5mJ/spice-foreign
2012-10-02 07:58:26,816 DEBUG nsPluginInstance::Connect: Controller pid: 50483
2012-10-02 07:58:26,816 DEBUG QErrorHandler: Something went wrong: connect error, 2
2012-10-02 07:58:26,817 DEBUG SpiceController::Connect: Connect Error
2012-10-02 07:58:26,817 INFO nsPluginInstance::Connect: Launching /usr/libexec/spice-xpi-client
2012-10-02 07:58:26,817 DEBUG QErrorHandler: Something went wrong: connect error, 2
2012-10-02 07:58:26,817 DEBUG SpiceController::Connect: Connect Error
2012-10-02 07:58:27,818 DEBUG SpiceController::Connect: Connected!
2012-10-02 07:58:29,821 INFO nsPluginInstance::Connect: Initiating connection with controller
2012-10-02 07:59:05,999 DEBUG nsPluginInstance::ControllerWaitHelper: Controller finished, pid: 50483, exit code: 0
2012-10-02 07:59:05,999 ERROR nsPluginInstance::CallOnDisconnected: could not get browser window, when trying to call OnDisconnected
=============================================
Openssl test:
=============================================
[root@centos6 ~]# openssl s_client -connect 10.20.20.2:5902 -CAfile cacert.pem
CONNECTED(00000003)
depth=1 C = US, O = Best Company, CN = CA-ovirt-engine.example.com.28202
verify return:1
depth=0 O = Best Company, CN = 10.20.20.2
verify error:num=9:certificate is not yet valid
notBefore=Oct 4 01:40:57 2012
verify return:1
depth=0 O = Best Company, CN = 10.20.20.2
notBefore=Oct 4 01:40:57 2012
verify return:1
---
Certificate chain
 0 s:/O=Best Company/CN=10.20.20.2
   i:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
 1 s:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
   i:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/O=Best Company/CN=10.20.20.2
issuer=/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
---
No client certificate CA names sent
---
SSL handshake has read 1884 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : AES256-SHA
    Session-ID: 9747FACA4B5CC4542E050F4B8534E1B71234BC5F99F3221D284BC53D0A5CB746
    Session-ID-ctx:
    Master-Key: 7A579DA9F75E76C63F3FDFCB5BBE42EE28AEF5211C5AC5ECAE8679166C98FBB5AD00BFC4B8AC5D7E214A3B0069CF50E7
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    [...]
    Start Time: 1349186957
    Timeout : 300 (sec)
    Verify return code: 9 (certificate is not yet valid)
---
=============================================

On 10/05/2012 10:26 AM, Bret Palsson wrote:
> I can't seem to get this secure spice session to work. Any help is appreciated, already burnt 20 hours on this.
> Spice versions: spice-server-0.10.1 spice-client 0.12.0 spice-xpi 2.7
The certificates that you get from the server in both examples are different. Copy the text between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" to a file "cert.pem" and then run the following command to see what is inside:
openssl x509 -in cert.pem -noout -text
In both cases it looks like the certificate fails to verify. I would suggest to take that "cert.pem" file and the "ca.pem" file from the engine (/etc/pki/ovirt-engine/ca.pem) and verify it like this:
openssl verify -CAfile ca.pem cert.pem
It should say:
ca.pem: OK
The message you get when you test with openssl is this:
Verify return code: 9 (certificate is not yet valid)
That probably means that you have some kind of date/time problem. Make sure that all your machines (engine, nodes, clients) are correctly synchronized.
If you still have problems please share the certificate that you get when connecting with "openssl s_client" and the certificate of the CA of the engine (/etc/pki/ovirt-engine/ca.pem).
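The reply above reads return code 9 as a clock problem rather than a CA problem; the s_client output in the post records both the certificate's notBefore and the client's own Start Time, so the two can be compared directly. The following is an added example, not part of the thread and not oVirt or SPICE code: the function names are hypothetical, the first sample is abridged from the post, the second is constructed, and a timestamp printed without a zone is assumed to be UTC.

```python
import re
from datetime import datetime, timezone

# Abridged from the "openssl s_client" output quoted in the original post.
SAMPLE_FROM_POST = """\
depth=0 O = Best Company, CN = 10.20.20.2
verify error:num=9:certificate is not yet valid
notBefore=Oct 4 01:40:57 2012
verify return:1
---
    Start Time: 1349186957
    Timeout : 300 (sec)
    Verify return code: 9 (certificate is not yet valid)
"""

# Constructed for contrast: a failure that clock synchronization cannot fix.
SAMPLE_CONSTRUCTED = """\
depth=0 O = Example Org, CN = host.example.test
verify error:num=20:unable to get local issuer certificate
verify return:1
---
    Start Time: 1349186957
    Verify return code: 20 (unable to get local issuer certificate)
"""

# OpenSSL verify codes whose outcome depends on the verifier's clock,
# mapped to the validity field that s_client prints next to the error.
VALIDITY_CODES = {9: "notBefore", 10: "notAfter"}


def parse_openssl_time(text):
    """Parse 'Oct 4 01:40:57 2012' (optionally ending in 'GMT').

    Assumption: a timestamp printed without a zone is treated as UTC.
    """
    fields = text.replace("GMT", "").split()
    stamp = datetime.strptime(" ".join(fields), "%b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)


def diagnose(transcript):
    """Classify an s_client transcript as 'ok', 'clock' or 'trust'."""
    m = re.search(r"Verify return code:\s*(\d+)\s*\((.*?)\)", transcript)
    if m is None:
        raise ValueError("no 'Verify return code' line found")
    code, reason = int(m.group(1)), m.group(2)
    result = {"code": code, "reason": reason, "kind": "ok", "skew_seconds": None}
    if code == 0:
        return result

    field = VALIDITY_CODES.get(code)
    if field is None:
        # Chain or CA problem: re-check with "openssl verify -CAfile ca.pem cert.pem".
        result["kind"] = "trust"
        return result

    # Validity-window failure: compare the client's clock with the boundary.
    result["kind"] = "clock"
    start = re.search(r"Start Time:\s*(\d+)", transcript)
    bound = re.search(rf"^\s*{field}=(.+)$", transcript, re.M)
    if start and bound:
        client = datetime.fromtimestamp(int(start.group(1)), tz=timezone.utc)
        limit = parse_openssl_time(bound.group(1))
        # Positive skew: the client clock is outside the window by that many seconds.
        delta = limit - client if field == "notBefore" else client - limit
        result["skew_seconds"] = int(delta.total_seconds())
        result["client_time"] = client.isoformat()
        result["boundary"] = limit.isoformat()
    return result


if __name__ == "__main__":
    for name, text in (("post", SAMPLE_FROM_POST), ("constructed", SAMPLE_CONSTRUCTED)):
        print(name, diagnose(text))
```

For the transcript in the post this puts the client clock at 2012-10-02 14:09:17 UTC, about 35.5 hours before the certificate's notBefore, which agrees with the 2012-10-02 timestamps in spice-xpi.log.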

On 10/05/2012 10:57 AM, Juan Hernandez wrote:
> On 10/05/2012 10:26 AM, Bret Palsson wrote:
> > I can't seem to get this secure spice session to work. Any help is appreciated, already burnt 20 hours on this.
> > Spice versions: spice-server-0.10.1 spice-client 0.12.0 spice-xpi 2.7
> The certificates that you get from the server in both examples are different. Copy the text between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" to a file "cert.pem" and then run the following command to see what is inside:
> openssl x509 -in cert.pem -noout -text
> In both cases it looks like the certificate fails to verify. I would suggest to take that "cert.pem" file and the "ca.pem" file from the engine (/etc/pki/ovirt-engine/ca.pem) and verify it like this:
> openssl verify -CAfile ca.pem cert.pem
> It should say:
> ca.pem: OK
> The message you get when you test with openssl is this:
> Verify return code: 9 (certificate is not yet valid)
> That probably means that you have some kind of date/time problem. Make sure that all your machines (engine, nodes, clients) are correctly synchronized.
> If you still have problems please share the certificate that you get when connecting with "openssl s_client" and the certificate of the CA of the engine (/etc/pki/ovirt-engine/ca.pem).
also note that the host certificate is based on the hostname in the engine, so you must give the spice client the host name to validate it with.

Itamar Heim wrote on Fri 05. 10. 2012 at 15:56 +0200:
On 10/05/2012 10:57 AM, Juan Hernandez wrote:
On 10/05/2012 10:26 AM, Bret Palsson wrote:
I can't seem to get this secure spice session to work. Any help is appreciated, already burnt 20 hours on this.
Spice versions: spice-server-0.10.1 spice-client 0.12.0 spice-xpi 2.7
The certificates that you get from the server in both examples are different. Copy the text between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" to a file "cert.pem" and then run the following command to see what is inside:
openssl x509 -in cert.pem -noout -text
In both cases it looks like the certificate fails to verify. I would suggest taking that "cert.pem" file and the "ca.pem" file from the engine (/etc/pki/ovirt-engine/ca.pem) and verifying it like this:
openssl verify -CAfile ca.pem cert.pem
It should say:
ca.pem: OK
The message you get when you test with openssl is this:
Verify return code: 9 (certificate is not yet valid)
That probably means that you have some kind of date/time problem. Make sure that all your machines (engine, nodes, clients) are correctly synchronized.
If you still have problems please share the certificate that you get when connecting with "openssl s_client" and the certificate of the CA of the engine (/etc/pki/ovirt-engine/ca.pem).
also note that the host certificate is based on the hostname in the engine, so you must give the spice client the host name to validate it with.
That is not an issue in this case because Bret specified the host the same way as it is in the CN of the server cert.
Bret, one more thing: did you try to put the host in maintenance mode and then click "Reinstall" in the host Action Items in webadmin? That way, server certificates should get regenerated and SSL should Just Work.
David
-- David Jaša, RHCE SPICE QE based in Brno GPG Key: 22C33E24 Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
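A triage of the "Verify return code: 9" result discussed above, as an added example that is not part of the thread: `openssl s_client` prints both the certificate's `notBefore` and the session `Start Time` (taken from the client's own clock), so the transcript alone shows how far apart the two are. The function names are hypothetical, the sample is abridged from the output quoted here, the zone-less `notBefore` is assumed to be UTC, and code 10 (expired) is handled as the mirror case beyond what the thread shows.

```python
import re
from datetime import datetime, timezone

# Constructed sample: lines abridged from the s_client output quoted in this thread.
SAMPLE = """\
depth=0 O = Best Company, CN = 10.20.20.2
verify error:num=9:certificate is not yet valid
notBefore=Oct 4 01:40:57 2012
verify return:1
    Start Time: 1349186957
    Timeout   : 300 (sec)
    Verify return code: 9 (certificate is not yet valid)
"""

# OpenSSL verify codes whose outcome depends on the verifier's clock, and the
# validity bound s_client prints next to each.
CLOCK_CODES = {9: "notBefore", 10: "notAfter"}


def parse_cert_time(text):
    """Parse a validity time as s_client prints it, e.g. 'Oct  4 01:40:57 2012 GMT'."""
    text = " ".join(text.replace("GMT", "").split())
    # Assumption: a time printed without a zone suffix is treated as UTC.
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def human(seconds):
    """Render a gap in seconds as hours and minutes."""
    hours, rest = divmod(seconds, 3600)
    return f"{hours}h{rest // 60:02d}m"


def triage(transcript):
    """Classify an s_client transcript: verified, clock-dependent failure, or other."""
    m = re.search(r"Verify return code:\s*(\d+)", transcript)
    if m is None:
        return {"code": None, "verdict": "no verify result in transcript"}
    code = int(m.group(1))
    if code == 0:
        return {"code": 0, "verdict": "chain verified"}
    field = CLOCK_CODES.get(code)
    if field is None:
        return {"code": code, "verdict": "failure does not depend on the clock"}

    bound = re.search(rf"^\s*{field}=(.+)$", transcript, re.MULTILINE)
    start = re.search(r"Start Time:\s*(\d+)", transcript)
    if bound is None or start is None:
        return {"code": code,
                "verdict": f"clock-dependent, but {field} or Start Time missing"}

    cert_time = parse_cert_time(bound.group(1))
    # Start Time is the session creation time, read from the client's own clock.
    client_time = datetime.fromtimestamp(int(start.group(1)), tz=timezone.utc)
    delta = int((cert_time - client_time).total_seconds())
    # Code 9: client is before notBefore. Code 10: client is past notAfter.
    gap = delta if code == 9 else -delta
    side = "before notBefore" if code == 9 else "past notAfter"
    return {
        "code": code,
        "field": field,
        "cert_time": cert_time.isoformat(),
        "client_time": client_time.isoformat(),
        "gap_seconds": gap,
        "verdict": f"client clock is {human(gap)} {side}; compare clocks on the "
                   "client and on the machine that issued the certificate",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The transcript cannot tell which side is wrong: a verifier running behind and an issuer that was running ahead when it signed produce the same gap.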

Fixed. It was that each server had the wrong time.
ovirt-engine: was off by a day
ovirt-node: off by 12 hours
spicec: was 3 days behind.
Updated ntpd on all machines and everything works as expected. Nothing was wrong with the certs.
Thank you for your help!
-Bret
On Oct 5, 2012, at 8:19 AM, David Jaša <djasa@redhat.com> wrote:
That is not an issue in this case because Bret specified the host the same way as it is in the CN of the server cert.
Bret, one more thing: did you try to put the host in maintenance mode and then click "Reinstall" in the host Action Items in webadmin? That way, server certificates should get regenerated and SSL should Just Work.
David

On 10/05/2012 07:20 PM, Bret Palsson wrote:
Fixed. It was that each server had the wrong time. ovirt-engine: was off by a day ovirt-node: off by 12 hours spicec: was 3 days behind.
Updated ntpd on all machines and everything works as expected. Nothing was wrong with the certs.
The good news is that upstream should have a new warning on time sync issues for ovirt 3.2.
Thank you for your help!
-Bret
On Oct 5, 2012, at 8:19 AM, David Jaša <djasa@redhat.com> wrote:
Itamar Heim píše v Pá 05. 10. 2012 v 15:56 +0200:
On 10/05/2012 10:57 AM, Juan Hernandez wrote:
On 10/05/2012 10:26 AM, Bret Palsson wrote:
I can't seem to get this secure spice session to work. Any help is appreciated, already burnt 20 hours on this.
Spice versions: spice-server-0.10.1 spice-client 0.12.0 spice-xpi 2.7
The certificates that you get from the server in both examples are different. Copy the text between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" to a file "cert.pem" and then run the following command to see what is inside:
openssl x509 -in cert.pem -noout -text
In both cases looks like the certificate fails to verify. I would suggest to take that "cert.pem" file and the "ca.pem" file from the engine (/etc/pki/ovirt-engine/ca.pem) and verify it like this:
openssl verify -CAfile ca.pem cert.pem
It should say:
ca.pem: OK
The message you get when you test with openssl is this:
Verify return code: 9 (certificate is not yet valid)
That probably means that you have some kind of data/time problem. Make sure that all your machines (engine, nodes, clients) are correctly synchronized.
If you still have problems please share the certificate that you get when connectiong with "openssl s_client" and the certificate of the CA of the engine (/etc/pki/ovirt-engine/ca.pem).
spicec: I set the password to abcd using a bash script found on this mailing list, valid for 1200 seconds. ============================================= # spicec --password abcd --secure-channels all -h 10.20.20.2 --secure-port 5902 --ca-file cacert.pem Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1) 139833084392776:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063: Warning: SSL Error: =============================================
spice-xpi: spice-xpi.log ============================================= built and installed latest (which is great has better debugging output: 2012-10-02 07:58:26,805 DEBUG nsPluginInstance::SetHostIP: 10.20.20.2 2012-10-02 07:58:26,806 DEBUG nsPluginInstance::SetPort: 5901 2012-10-02 07:58:26,806 DEBUG nsPluginInstance::SetTitle: Test:%d - Press SHIFT+F12 to Release Cursor 2012-10-02 07:58:26,807 DEBUG nsPluginInstance::SetDynamicMenu: 2012-10-02 07:58:26,807 DEBUG nsPluginInstance::SetFullScreen: 0 2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetPassword: Password set 2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetNumberOfMonitors: 1 2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetUsbListenPort: 0 2012-10-02 07:58:26,809 DEBUG nsPluginInstance::SetAdminConsole: 1 2012-10-02 07:58:26,809 DEBUG nsPluginInstance::SetSecurePort: 5902 2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetSSLChannels: original channels: smain,sinputs,scursor,splayback,srecord,sdisplay 2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetSSLChannels: modified channels: main,inputs,cursor,playback,record,display 2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetGuestHostName: Test 2012-10-02 07:58:26,811 DEBUG nsPluginInstance::SetCipherSuite: DEFAULT 2012-10-02 07:58:26,811 DEBUG nsPluginInstance::SetHostSubject: O=Best Company,CN=10.20.20.2 2012-10-02 07:58:26,812 DEBUG nsPluginInstance::SetTrustStore: Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=Best Company, CN=CA-ovirt-engine.example.com.28202 Validity Not Before: Sep 6 21:49:14 2012 Not After : Sep 6 03:49:15 2022 GMT Subject: C=US, O=Best Company, CN=CA-ovirt-engine.example.com.28202 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:bc:70:bd:bc:a0:07:7a:99:5e:84:c6:91:70:30: 3e:f0:2a:c9:96:cb:ac:d5:f4:e7:a4:8d:85:c2:2d: 39:12:fa:2f:3f:3c:bf:bb:ed:90:31:28:ae:38:49: 
68:e2:4a:ca:89:21:4c:1c:b5:72:ca:e5:c7:3d:d8: 64:95:22:98:45:67:50:43:dd:8e:cb:9e:39:d4:9b: 11:16:71:e1:d9:81:1e:4d:1c:2c:9c:6d:7c:d1:43: a1:af:4a:83:77:e8:ad:0d:92:cb:fa:45:b8:d3:b6: 50:99:3e:4e:a7:91:30:57:ce:a7:5b:62:95:7f:9b: fd:26:05:a9:e0:8e:45:2b:e3 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 87:93:27:08:E5:4D:2B:CE:EC:55:2C:E6:C4:C0:EE:32:0C:87:22:BF Authority Information Access: CA Issuers - URI:http://ovirt-engine.example.com:80/ca.crt
X509v3 Authority Key Identifier: keyid:87:93:27:08:E5:4D:2B:CE:EC:55:2C:E6:C4:C0:EE:32:0C:87:22:BF DirName:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202 serial:01
X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Certificate Sign, CRL Sign Signature Algorithm: sha1WithRSAEncryption a1:a9:17:91:ba:6e:0d:15:ce:28:e0:b8:7f:3c:5e:ba:6e:8d: 31:91:bf:99:0c:74:5f:95:86:e6:90:fd:3c:13:3a:64:9e:40: f7:4f:e0:45:b8:8e:27:b3:23:d4:75:bb:be:5f:73:4f:48:e4: 8c:6d:11:eb:76:70:81:c7:a5:8a:35:0b:ef:a5:cf:3d:ae:fd: 1f:94:b7:e4:c3:4c:7f:fb:5b:09:eb:e8:b1:35:3c:b8:ba:e8: b7:d0:5f:8a:98:b5:9a:6c:24:53:2a:49:61:0e:7c:5e:b3:d2: d4:c3:dd:ca:b9:57:a3:f0:e4:9c:d6:3d:43:40:9d:dd:ff:cd: 94:be -----BEGIN CERTIFICATE----- MIIDCDCCAnGgAwIBAgIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEc MBoGA1UEChMTSml2ZSBDb21tdW5pY2F0aW9uczEfMB0GA1UEAxMWQ0EtY20uaml2 ZWlwLm5ldC4yODIwMjAiFxExMjA5MDYyMTQ5MTQrMDcwMBcNMjIwOTA2MDM0OTE1 WjBMMQswCQYDVQQGEwJVUzEcMBoGA1UEChMTSml2ZSBDb21tdW5pY2F0aW9uczEf MB0GA1UEAxMWQ0EtY20uaml2ZWlwLm5ldC4yODIwMjCBnzANBgkqhkiG9w0BAQEF AAOBjQAwgYkCgYEAvHC9vKAHeplehMaRcDA+8CrJlsus1fTnpI2Fwi05EvovPzy/ u+2QMSiuOElo4krKiSFMHLVyyuXHPdhklSKYRWdQQ92Oy5451JsRFnHh2YEeTRws nG180UOhr0qDd+itDZLL+kW407ZQmT5Op5EwV86nW2KVf5v9JgWp4I5FK+MCAwEA AaOB9TCB8jAdBgNVHQ4EFgQUh5MnCOVNK87sVSzmxMDuMgyHIr8wOgYIKwYBBQUH AQEELjAsMCoGCCsGAQUFBzAChh5odHRwOi8vY20uaml2ZWlwLm5ldDo4MC9jYS5j cnQwdAYDVR0jBG0wa4AUh5MnCOVNK87sVSzmxMDuMgyHIr+hUKROMEwxCzAJBgNV BAYTAlVTMRwwGgYDVQQKExNKaXZlIENvbW11bmljYXRpb25zMR8wHQYDVQQDExZD QS1jbS5qaXZlaXAubmV0LjI4MjAyggEBMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P AQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAKGpF5G6bg0VzijguH88XrpujTGR v5kMdF+VhuaQ/TwTOmSeQPdP4EW4jiezI9R1u75fc09I5IxtEet2cIHHpYo1C++l zz2u/R+Ut+TDTH/7Wwnr6LE1PLi66LfQX4qYtZpsJFMqSWEOfF6z0tTD3cq5V6Pw 5JzWPUNAnd3/zZS+ -----END CERTIFICATE-----
2012-10-02 07:58:26,813 DEBUG nsPluginInstance::SetHotKeys: release-cursor=shift+f12,toggle-fullscreen=shift+f11 2012-10-02 07:58:26,813 DEBUG nsPluginInstance::SetNoTaskMgrExecution: 0 2012-10-02 07:58:26,813 DEBUG nsPluginInstance::SetSendCtrlAltDelete: 0 2012-10-02 07:58:26,814 DEBUG nsPluginInstance::SetUsbAutoShare: 1 2012-10-02 07:58:26,815 DEBUG nsPluginInstance::SetUsbFilter: -1,-1,-1,-1,0 2012-10-02 07:58:26,816 INFO nsPluginInstance::Connect: SPICE_XPI_SOCKET: /tmp/spicec-8ym5mJ/spice-xpi 2012-10-02 07:58:26,816 INFO nsPluginInstance::Connect: SPICE_FOREIGN_MENU_SOCKET: /tmp/spicec-8ym5mJ/spice-foreign 2012-10-02 07:58:26,816 DEBUG nsPluginInstance::Connect: Controller pid: 50483 2012-10-02 07:58:26,816 DEBUG QErrorHandler: Something went wrong: connect error, 2 2012-10-02 07:58:26,817 DEBUG SpiceController::Connect: Connect Error 2012-10-02 07:58:26,817 INFO nsPluginInstance::Connect: Launching /usr/libexec/spice-xpi-client 2012-10-02 07:58:26,817 DEBUG QErrorHandler: Something went wrong: connect error, 2 2012-10-02 07:58:26,817 DEBUG SpiceController::Connect: Connect Error 2012-10-02 07:58:27,818 DEBUG SpiceController::Connect: Connected! 2012-10-02 07:58:29,821 INFO nsPluginInstance::Connect: Initiating connection with controller 2012-10-02 07:59:05,999 DEBUG nsPluginInstance::ControllerWaitHelper: Controller finished, pid: 50483, exit code: 0 2012-10-02 07:59:05,999 ERROR nsPluginInstance::CallOnDisconnected: could not get browser window, when trying to call OnDisconnected
=============================================
Openssl test:
=============================================
[root@centos6 ~]# openssl s_client -connect 10.20.20.2:5902 -CAfile cacert.pem
CONNECTED(00000003)
depth=1 C = US, O = Best Company, CN = CA-ovirt-engine.example.com.28202
verify return:1
depth=0 O = Best Company, CN = 10.20.20.2
verify error:num=9:certificate is not yet valid
notBefore=Oct 4 01:40:57 2012
verify return:1
depth=0 O = Best Company, CN = 10.20.20.2
notBefore=Oct 4 01:40:57 2012
verify return:1
---
Certificate chain
 0 s:/O=Best Company/CN=10.20.20.2
   i:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
 1 s:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
   i:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
---
Server certificate
subject=/O=Best Company/CN=10.20.20.2
issuer=/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
---
No client certificate CA names sent
---
SSL handshake has read 1884 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 9747FACA4B5CC4542E050F4B8534E1B71234BC5F99F3221D284BC53D0A5CB746
    Session-ID-ctx:
    Master-Key: 7A579DA9F75E76C63F3FDFCB5BBE42EE28AEF5211C5AC5ECAE8679166C98FBB5AD00BFC4B8AC5D7E214A3B0069CF50E7
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1349186957
    Timeout   : 300 (sec)
    Verify return code: 9 (certificate is not yet valid)
---
=============================================
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
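Added example (not part of the original post or of any oVirt/SPICE code): a small Python check that reads `openssl s_client` output like the one quoted above and compares the client's clock (`Start Time`) with the `notBefore`/`notAfter` bound printed next to the verify error. The function names are hypothetical, and the printed time is assumed to be UTC because this output shows no zone suffix.

```python
import calendar
import re

# Excerpt of the `openssl s_client` output quoted in the post above.
S_CLIENT_OUTPUT = """\
depth=0 O = Best Company, CN = 10.20.20.2
verify error:num=9:certificate is not yet valid
notBefore=Oct 4 01:40:57 2012
verify return:1
    Start Time: 1349186957
    Verify return code: 9 (certificate is not yet valid)
"""

MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
BOUND_RE = re.compile(
    r"^(notBefore|notAfter)=(\w{3})\s+(\d{1,2})\s+(\d\d):(\d\d):(\d\d)\s+(\d{4})",
    re.M)


def printed_time_to_epoch(mon, day, hh, mm, ss, year):
    # Assumption: the printed time is UTC; this output carries no zone suffix.
    return calendar.timegm(
        (int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss)))


def diagnose_validity(output):
    """Compare the client's clock (Start Time) with the validity bound that
    openssl printed next to verify error 9 (not yet valid) or 10 (expired)."""
    errors = [(int(num), text.strip()) for num, text in
              re.findall(r"^verify error:num=(\d+):(.+)$", output, re.M)]
    start = re.search(r"Start Time:\s*(\d+)", output)
    bounds = {}
    for m in BOUND_RE.finditer(output):
        bounds.setdefault(m.group(1), printed_time_to_epoch(*m.groups()[1:]))
    report = {"errors": errors, "bounds": bounds, "finding": "inconclusive",
              "client_now": int(start.group(1)) if start else None,
              "gap_seconds": None}
    now = report["client_now"]
    if now is None:
        return report
    if "notBefore" in bounds and now < bounds["notBefore"]:
        report.update(finding="not_yet_valid",
                      gap_seconds=bounds["notBefore"] - now)
    elif "notAfter" in bounds and now > bounds["notAfter"]:
        report.update(finding="expired", gap_seconds=now - bounds["notAfter"])
    elif bounds:
        report["finding"] = "bound_not_violated"
    return report


if __name__ == "__main__":
    r = diagnose_validity(S_CLIENT_OUTPUT)
    print(r["finding"], r["gap_seconds"], "seconds")
```

On the quoted output this reports `not_yet_valid` with a gap of 127900 seconds, i.e. the server certificate's `notBefore` lies about 35.5 hours ahead of the client's clock at connection time.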
Also note that the host certificate is based on the hostname in the engine, so you must give the spice client the host name to validate it with.
That is not an issue in this case because Bret specified the host the same way as it is in the CN of the server cert.
Bret, one more thing: did you try to put the host in maintenance mode and then click "Reinstall" in the host Action Items in webadmin? That way, server certificates should get regenerated and SSL should Just Work.
David
--
David Jaša, RHCE
SPICE QE based in Brno GPG Key: 22C33E24 Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
participants (5)
- Bret Palsson
- Bret Palsson
- David Jaša
- Itamar Heim
- Juan Hernandez