[Users] spicec not connect | SSL Error

Artem artem at e-inet.ru
Tue Aug 7 17:38:01 UTC 2012


Hi all, thanks a lot, it works

1) get CA to client "wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt"
2) set "vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD}
${VALIDITY_SECONDS}" on kvm host
3) and connect to the console using this line "spicec --ca-file ${CA_FILE} -w
${PASSWORD} -h vm-srv -s ${SECURE_PORT}" successfully

but how do I install "setVmTicket" without logging in as root on the kvm host,
how do I make it through a POST request?


2012/8/6 David Jaša <djasa at redhat.com>:
> @Itamar - this is recurring problem, what about creating a wiki page for
> it?
>
> @Artem:
>
> Artem wrote on Mon 06. 08. 2012 at 01:30 +0400:
>> yes engine and kvm(qemu-kvm) installed  on same machine (vm-srv)
>>
>> i change host-subject but..
>>
>> # spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL,
>> CN=vm-srv" --secure-channels=all
>
> 1) your command line is missing '--ca-file $CA_FILE' altogether
>
> 2) you don't mention password
>
> 3) you shouldn't need to specify host subject at all because your host
> (-h) matches name of server in CN field of host subject. If you override
> it anyway, strip white spaces after commas in it:
> --host-subject='C=US,O=ICL,CN=vm-srv'
>
> 4) you could omit -p and --secure-channels altogether in order to
> achieve tls-only connection, but you can hit
> https://bugzilla.redhat.com/show_bug.cgi?id=723582 then
>
> So you should do (out of my head, may contain typos):
> get CA:
> * on engine, it is found here:
> CA_FILE=/etc/pki/ovirt-engine/ca.pem
> * on host, it's here:
> CA_FILE=/etc/pki/vdsm/libvirt-spice/ca-cert.pem
> * on any other host, get it from engine web interface:
> wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt
>
> on the host, get UUID of the VM:
> $ VM_UUID="$(ps -ef | grep ${VM_NAME} | sed -e 's/^.*-uuid[ \t]\+\([^ \t]\+\)[ \t].*$/\1/')"
>
> as root on the host, set ticket (password and its period of validity):
> # vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD} ${VALIDITY_SECONDS}
> (doing it via REST API is cleaner but more cumbersome for me)
>
> if the hostname you're connecting does not match what is in CN field of
> Subject of the server cert, get the subject without spaces after commas
> on the host:
> $ grep Subject: ${SERVER_CERT_FILE} | sed -e 's/^.*Subject:[ \t]*\(.*\)$/\1/;s/,[ \t]*/,/g'
>
> connect to the spice-server:
> $ spicec --ca-file ${CA_FILE} -w ${PASSWORD} -h vm-srv -s ${SECURE_PORT}
> OR, with newer, shinier and overall better client :)
> # yum install virt-viewer
> $ remote-viewer --spice-ca-file /etc/pki/ovirt-engine/ca.pem spice://vm-srv/?tls-port=${SECURE_PORT}
> (you'll have to provide the password through the pop-up dialog)
>
> if you need to provide host subject (host name/IP not matching the one from server cert Subject):
> $ spicec --host-subject ${HOST_SUBJECT} [...]
> OR
> $ remote-viewer --spice-host-subject ${HOST_SUBJECT} [...]
>
> David
>
>
>> Error: subject mismatch: #entries cert=2, input=3
>> Error: failed to connect w/SSL, ssl_error
>> error:00000001:lib(0):func(0):reason(1)
>> 3079539240:error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
>> failed:s3_clnt.c:1063:
>> Warning: SSL Error:
>>
>>
>> 2012/8/6 Itamar Heim <iheim at redhat.com>:
>> > On 08/06/2012 12:07 AM, Artem wrote:
>> >>
>> >> hmm... not sure if understood correctly...
>> >>
>> >> vm-srv this KVM host.. (server) and I connect from another machine to vm
>> >> on kvm.
>> >
>> >
>> > did you install the engine and kvm host on same machine?
>> >
>> >
>> >>
>> >> this subject name i get in .spicec/spice_truststore.pem
>> >
>> >
>> > yes, spice trusts the CA, but client needs to validate the target host
>> > certificate.
>> > (if you run engine and host on same machine, try:
>> > "C=US, O=ICL, CN=vm-srv"
>> > (assuming you added the host with hostname of vm-srv to engine. if you added
>> > it with fqdn or ip, use them under last CN)
>> >
>> >
>> >>
>> >> //////////////////////////////////
>> >> # cat .spicec/spice_truststore.pem
>> >> Certificate:
>> >>      Data:
>> >>          Version: 3 (0x2)
>> >>          Serial Number: 1 (0x1)
>> >>          Signature Algorithm: sha1WithRSAEncryption
>> >>          Issuer: C=US, O=ICL, CN=CA-vm-srv.15064
>> >>          Validity
>> >>              Not Before: Jul 28 03:42:06 2012
>> >>              Not After : Jul 26 23:42:07 2022 GMT
>> >>          Subject: C=US, O=ICL, CN=CA-vm-srv.15064
>> >>          Subject Public Key Info:
>> >>              Public Key Algorithm: rsaEncryption
>> >>                  Public-Key: (2048 bit)
>> >>                  Modulus:
>> >> ///////////////////////////////////////////
>> >>
>> >> 2012/8/6 Itamar Heim <iheim at redhat.com>:
>> >>>
>> >>> this looks like the subject name of the CA, not the host running the
>> >>> virtual
>> >>> machine?
>> >
>> >
>> >
>
> --
>
> David Jaša, RHCE
>
> SPICE QE based in Brno
> GPG Key:     22C33E24
> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>
>
>
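As an added example (not code from the thread or from oVirt/SPICE): a POSIX shell script that applies the subject normalisation David describes (no whitespace after commas) and then decides whether `--host-subject` is needed at all, i.e. whether the name given to `-h` matches the CN of the server certificate. The sample subject line is constructed, in the shape `openssl x509 -noout -subject` prints; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Normalises a certificate Subject line
# into the form spicec/remote-viewer expect for --host-subject and builds the
# spicec arguments, always passing the CA file so the server cert is verified.

# Constructed sample: output shape of `openssl x509 -noout -subject`.
SAMPLE_SUBJECT='subject= C=US, O=ICL, CN=vm-srv'

# Strip the "subject=" / "Subject:" prefix and the whitespace after commas
# (the spaces are what makes the client's entry count differ from the cert).
normalize_subject() {
    printf '%s\n' "$1" | sed -e 's/^[Ss]ubject[:=][[:space:]]*//' \
                             -e 's/,[[:space:]]*/,/g'
}

# Extract the CN component from a normalised subject.
subject_cn() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^CN=//p'
}

# 0 when the host passed to -h equals the cert CN (no override needed),
# 1 when it does not and --host-subject has to be supplied explicitly.
host_matches_cn() {
    host="$1"
    subj="$(normalize_subject "$2")"
    [ "$(subject_cn "$subj")" = "$host" ]
}

# Build the spicec argument list: CA file, host, TLS port, and the
# host-subject override only when the connection name differs from the CN.
spicec_args() {
    host="$1"; ca="$3"; port="$4"
    subj="$(normalize_subject "$2")"
    if host_matches_cn "$host" "$2"; then
        printf '%s\n' "--ca-file $ca -h $host -s $port"
    else
        printf '%s\n' "--ca-file $ca -h $host -s $port --host-subject=$subj"
    fi
}

# Connecting by the CN itself needs no override; connecting by IP does.
spicec_args vm-srv     "$SAMPLE_SUBJECT" /etc/pki/ovirt-engine/ca.pem 5901
spicec_args 192.0.2.10 "$SAMPLE_SUBJECT" /etc/pki/ovirt-engine/ca.pem 5901
```

The password from setVmTicket is still passed separately with `-w`, exactly as in the command lines above.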