[Users] spicec not connect | SSL Error

Itamar Heim iheim at redhat.com
Sun Aug 5 21:40:37 UTC 2012 

On 08/06/2012 12:30 AM, Artem wrote:
> yes engine and kvm(qemu-kvm) installed  on same machine (vm-srv)

what do you get for:
cat /etc/pki/vdsm/certs/vdsmcert.pem  | grep Subject
?

>
> i change host-subject but..
>
> # spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL,
> CN=vm-srv" --secure-channels=all
> Error: subject mismatch: #entries cert=2, input=3
> Error: failed to connect w/SSL, ssl_error
> error:00000001:lib(0):func(0):reason(1)
> 3079539240:error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed:s3_clnt.c:1063:
> Warning: SSL Error:
>
>
> 2012/8/6 Itamar Heim <iheim at redhat.com>:
>> On 08/06/2012 12:07 AM, Artem wrote:
>>>
>>> hmm... not sure if understood correctly...
>>>
>>> vm-srv this KVM host.. (server) and I connect from another machine to vm
>>> on kvm.
>>
>>
>> did you install the engine and kvm host on same machine?
>>
>>
>>>
>>> this subject name i get in .spicec/spice_truststore.pem
>>
>>
>> yes, spice trusts the CA, but client needs to validate the target host
>> certificate.
>> (if you run engine and host on same machine, try:
>> "C=US, O=ICL, CN=vm-srv"
>> (assuming you added the host with hostname of vm-srv to engine. if you added
>> it with fqdn or ip, use them under last CN)
>>
>>
>>>
>>> //////////////////////////////////
>>> # cat .spicec/spice_truststore.pem
>>> Certificate:
>>>       Data:
>>>           Version: 3 (0x2)
>>>           Serial Number: 1 (0x1)
>>>           Signature Algorithm: sha1WithRSAEncryption
>>>           Issuer: C=US, O=ICL, CN=CA-vm-srv.15064
>>>           Validity
>>>               Not Before: Jul 28 03:42:06 2012
>>>               Not After : Jul 26 23:42:07 2022 GMT
>>>           Subject: C=US, O=ICL, CN=CA-vm-srv.15064
>>>           Subject Public Key Info:
>>>               Public Key Algorithm: rsaEncryption
>>>                   Public-Key: (2048 bit)
>>>                   Modulus:
>>> ///////////////////////////////////////////
>>>
>>> 2012/8/6 Itamar Heim <iheim at redhat.com>:
>>>>
>>>> this looks like the subject name of the CA, not the host running the
>>>> virtual
>>>> machine?
>>
>>
>>

More information about the Users mailing list