[Users] spicec not connect | SSL Error

David Jaša djasa at redhat.com
Mon Aug 6 11:30:34 UTC 2012


@Itamar - this is recurring problem, what about creating a wiki page for
it?

@Artem:

Artem wrote on Mon 06. 08. 2012 at 01:30 +0400:
> yes engine and kvm(qemu-kvm) installed  on same machine (vm-srv)
> 
> i change host-subject but..
> 
> # spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL,
> CN=vm-srv" --secure-channels=all

1) your command line is missing '--ca-file $CA_FILE' altogether

2) you don't mention password

3) you shouldn't need to specify host subject at all because your host
(-h) matches name of server in CN field of host subject. If you override
it anyway, strip white spaces after commas in it:
--host-subject='C=US,O=ICL,CN=vm-srv'

4) you could omit -p and --secure-channels altogether in order to
achieve tls-only connection, but you can hit
https://bugzilla.redhat.com/show_bug.cgi?id=723582 then

So you should do (out of my head, may contain typos):
get CA:
* on engine, it is found here:
CA_FILE=/etc/pki/ovirt-engine/ca.pem
* on host, it's here:
CA_FILE=/etc/pki/vdsm/libvirt-spice/ca-cert.pem
* on any other host, get it from engine web interface:
wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt

on the host, get UUID of the VM:
$ VM_UUID="$(ps -ef | grep ${VM_NAME} | sed -n -e 's/^.*-uuid[ \t]\+\([^ \t]\+\)[ \t].*$/\1/p')"

as root on the host, set ticket (password and its period of validity):
# vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD} ${VALIDITY_SECONDS}
(doing it via REST API is cleaner but more cumbersome for me)

if the hostname you're connecting to does not match what is in the CN field of
the Subject of the server cert, get the subject without spaces after commas
on the host:
$ grep Subject: ${SERVER_CERT_FILE} | sed -e 's/^.*Subject:[ \t]*\(.*\)$/\1/;s/,[ \t]*/,/g'

connect to the spice-server:
$ spicec --ca-file ${CA_FILE} -w ${PASSWORD} -h vm-srv -s ${SECURE_PORT}
OR, with newer, shinier and overall better client :)
# yum install virt-viewer
$ remote-viewer --spice-ca-file /etc/pki/ovirt-engine/ca.pem "spice://vm-srv/?tls-port=${SECURE_PORT}"
(you'll have to provide the password through the pop-up dialog)

if you need to provide host subject (host name/IP not matching the one from server cert Subject):
$ spicec --host-subject ${HOST_SUBJECT} [...]
OR
$ remote-viewer --spice-host-subject ${HOST_SUBJECT} [...]

David


> Error: subject mismatch: #entries cert=2, input=3
> Error: failed to connect w/SSL, ssl_error
> error:00000001:lib(0):func(0):reason(1)
> 3079539240:error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed:s3_clnt.c:1063:
> Warning: SSL Error:
> 
> 
> 2012/8/6 Itamar Heim <iheim at redhat.com>:
> > On 08/06/2012 12:07 AM, Artem wrote:
> >>
> >> hmm... not sure if understood correctly...
> >>
> >> vm-srv this KVM host.. (server) and I connect from another machine to vm
> >> on kvm.
> >
> >
> > did you install the engine and kvm host on same machine?
> >
> >
> >>
> >> this subject name i get in .spicec/spice_truststore.pem
> >
> >
> > yes, spice trusts the CA, but client needs to validate the target host
> > certificate.
> > (if you run engine and host on same machine, try:
> > "C=US, O=ICL, CN=vm-srv"
> > (assuming you added the host with hostname of vm-srv to engine. if you added
> > it with fqdn or ip, use them under last CN)
> >
> >
> >>
> >> //////////////////////////////////
> >> # cat .spicec/spice_truststore.pem
> >> Certificate:
> >>      Data:
> >>          Version: 3 (0x2)
> >>          Serial Number: 1 (0x1)
> >>          Signature Algorithm: sha1WithRSAEncryption
> >>          Issuer: C=US, O=ICL, CN=CA-vm-srv.15064
> >>          Validity
> >>              Not Before: Jul 28 03:42:06 2012
> >>              Not After : Jul 26 23:42:07 2022 GMT
> >>          Subject: C=US, O=ICL, CN=CA-vm-srv.15064
> >>          Subject Public Key Info:
> >>              Public Key Algorithm: rsaEncryption
> >>                  Public-Key: (2048 bit)
> >>                  Modulus:
> >> ///////////////////////////////////////////
> >>
> >> 2012/8/6 Itamar Heim <iheim at redhat.com>:
> >>>
> >>> this looks like the subject name of the CA, not the host running the
> >>> virtual
> >>> machine?
> >
> >
> >
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users

-- 

David Jaša, RHCE

SPICE QE based in Brno
GPG Key:     22C33E24 
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
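The two text-munging steps in the recipe above (pulling the VM UUID out of the qemu-kvm command line, and turning the certificate Subject into the comma-separated form spicec/remote-viewer compare against) are where the "subject mismatch: #entries cert=2, input=3" class of error usually comes from. The following is an added example, not David's script or anything shipped with oVirt/SPICE: it wraps those steps in POSIX sh functions that can be checked offline on constructed sample input, and only emits --spice-host-subject when the name you connect to really differs from the certificate CN (point 3 above). The sample ps line and certificate text, and the function names, are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original mail. Helper functions for the
# UUID / host-subject steps of a TLS-only SPICE connection. All sample data
# below is constructed.

# Constructed: one line as printed by `ps -ef` for a running qemu-kvm VM.
SAMPLE_PS_LINE='qemu  1234  1  0 10:00 ?  00:00:01 /usr/libexec/qemu-kvm -name vm-srv -uuid 1b4e28ba-2fa1-11d2-883f-0016d3cca427 -S -M rhel6.3.0'

# Constructed: fragment of a text-dumped server certificate.
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Subject: C=US, O=ICL, CN=vm-srv
        Subject Public Key Info:'

# Capture the non-blank token that follows "-uuid"; lines without -uuid
# (e.g. the grep process itself) produce no output at all.
vm_uuid_from_ps_line() {
    printf '%s\n' "$1" | sed -n -e 's/^.*-uuid[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*$/\1/p'
}

# Strip whitespace after every comma (the /g flag matters: the subject has
# more than one comma), so "C=US, O=ICL, CN=x" becomes "C=US,O=ICL,CN=x".
normalize_subject() {
    printf '%s\n' "$1" | sed -e 's/,[[:space:]]*/,/g'
}

# Take the first "Subject:" line of a certificate text dump and normalize it.
subject_from_cert_text() {
    raw_subject="$(printf '%s\n' "$1" | sed -n -e 's/^.*Subject:[[:space:]]*\(.*\)$/\1/p' | head -n 1)"
    normalize_subject "$raw_subject"
}

# Return the value of the last CN= field of a normalized subject.
subject_cn() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n -e 's/^CN=//p' | tail -n 1
}

# Print a --spice-host-subject argument only when the host we connect to does
# not match the certificate CN; otherwise print nothing (no override needed).
host_subject_arg() {
    connect_host="$1"
    cert_subject="$(normalize_subject "$2")"
    if [ "$(subject_cn "$cert_subject")" = "$connect_host" ]; then
        printf ''
    else
        printf '%s' "--spice-host-subject=$cert_subject"
    fi
}

# Assemble the remote-viewer invocation for a TLS-only connection.
# $1 host, $2 TLS port, $3 CA file, $4 server certificate subject (raw).
remote_viewer_cmd() {
    extra="$(host_subject_arg "$1" "$4")"
    if [ -n "$extra" ]; then
        printf '%s\n' "remote-viewer --spice-ca-file $3 $extra 'spice://$1/?tls-port=$2'"
    else
        printf '%s\n' "remote-viewer --spice-ca-file $3 'spice://$1/?tls-port=$2'"
    fi
}

# Usage on the constructed samples (CA path and port are placeholders):
echo "VM UUID: $(vm_uuid_from_ps_line "$SAMPLE_PS_LINE")"
remote_viewer_cmd vm-srv 5901 /etc/pki/ovirt-engine/ca.pem "$(subject_from_cert_text "$SAMPLE_CERT_TEXT")"
remote_viewer_cmd vm-srv.example.org 5901 /etc/pki/ovirt-engine/ca.pem "$(subject_from_cert_text "$SAMPLE_CERT_TEXT")"
```

The URL is single-quoted in the printed command because `?` is a shell glob character; the functions only use POSIX sed/tr, so they behave the same under dash and bash.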