[Users] spicec not connect | SSL Error
Artem
artem at e-inet.ru
Tue Aug 7 19:04:38 UTC 2012
Hello again,
I figured out, this resolve my question
# curl -X POST -H "Accept: application/xml" -H "Content-type:
application/xml" -u admin at internal:pass --cacert ca.crt -d
"<action><ticket><expiry>120</expiry></ticket></action>"
https://vm-srv:8443/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/ticket
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<action>
<ticket>
<value>+e/OUQvquJx4</value>
<expiry>120</expiry>
</ticket>
<status>
<state>complete</state>
</status>
</action>
Artem
2012/8/7 Artem <artem at e-inet.ru>:
> Hi all, thaks for lot, it's work
>
> 1) get CA to client "wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt"
> 2) set "vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD}
> ${VALIDITY_SECONDS}" on kvm host
> 3) and connect to consle use this line "spicec --ca-file ${CA_FILE} -w
> ${PASSWORD} -h vm-srv -s ${SECURE_PORT}" successfully
>
> but how to install "setVmTicket" without login as root on kvm host,
> how to make it through the post request?
>
>
> 2012/8/6 David Jaša <djasa at redhat.com>:
>> @Itamar - this is recurring problem, what about creating a wiki page for
>> it?
>>
>> @Artem:
>>
>> Artem píše v Po 06. 08. 2012 v 01:30 +0400:
>>> yes engine and kvm(qemu-kvm) installed on same machine (vm-srv)
>>>
>>> i change host-subject but..
>>>
>>> # spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL,
>>> CN=vm-srv" --secure-channels=all
>>
>> 1) your command line is missing '--ca-file $CA_FILE' altoghether
>>
>> 2) you don't mention password
>>
>> 3) you shouldn't need to specify host subject at all because your host
>> (-h) matches name of server in CN field of host subject. If you override
>> it anyway, strip white spaces after commas in it:
>> --host-subject='C=US,O=ICL,CN=vm-srv'
>>
>> 4) you could omit -p and --secure-channels altogether in order to
>> achieve tls-only connection, but you can hit
>> https://bugzilla.redhat.com/show_bug.cgi?id=723582 then
>>
>> So you should do (out of my head, may contain typos):
>> get CA:
>> * on engine, it is found here:
>> CA_FILE=/etc/pki/ovirt-engine/ca.pem
>> * on host, it's here:
>> CA_FILE=/etc/pki/vdsm/libvirt-spice/ca-cert.pem
>> * on any other host, get it from engine web interface:
>> wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt
>>
>> on the host, get UUID of the VM:
>> $ VM_UUID="$(ps -ef | grep ${VM_NAME} | sed -e 's/^.*-uuid[ \t]\+\([ \t]\+\)[ \t].*$/\1/')"
>>
>> as root on the host, set ticket (password and its period of validity):
>> # vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD} ${VALIDITY_SECONDS}
>> (doing it via REST API is cleaner but more cumbersome for me)
>>
>> if the hostname you're connecting does not match what is in CN field of
>> Subject of the server cert, get the subject without spaces after commas
>> on the host:
>> $ grep Subject: ${SERVER_CERT_FILE} | sed -e 's/^.*Subject:[ \t]*\(.*\)$/\1/;s/,[ \t]*/,/'
>>
>> connect to the spice-server:
>> $ spicec --ca-file ${CA_FILE} -w ${PASSWORD} -h vm-srv -s ${SECURE_PORT}
>> OR, with newer, shinier and overall better client :)
>> # yum install virt-viewer
>> $ remote-viewer --spice-ca-file /etc/pki/ovirt-engine/ca.pem spice://vm-srv/?tls-port=${SECURE_PORT}
>> (you'll have to provide the password through the pop-up dialog)
>>
>> if you need to provide host subject (host name/IP not matching the one from server cert Subject):
>> $ spicec --host-subject ${HOST_SUBJECT} [...]
>> OR
>> $ remote-viewer --spice-host-subject ${HOST_SUBJECT} [...]
>>
>> David
>>
>>
>>> Error: subject mismatch: #entries cert=2, input=3
>>> Error: failed to connect w/SSL, ssl_error
>>> error:00000001:lib(0):func(0):reason(1)
>>> 3079539240:error:14090086:SSL
>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
>>> failed:s3_clnt.c:1063:
>>> Warning: SSL Error:
>>>
>>>
>>> 2012/8/6 Itamar Heim <iheim at redhat.com>:
>>> > On 08/06/2012 12:07 AM, Artem wrote:
>>> >>
>>> >> hmm... not sure if understood correctly...
>>> >>
>>> >> vm-srv this KVM host.. (server) and I connect from another machine to vm
>>> >> on kvm.
>>> >
>>> >
>>> > did you install the engine and kvm host on same machine?
>>> >
>>> >
>>> >>
>>> >> this subject name i get in .spicec/spice_truststore.pem
>>> >
>>> >
>>> > yes, spice trusts the CA, but client needs to validate the target host
>>> > certificate.
>>> > (if you run engine and host on same machine, try:
>>> > "C=US, O=ICL, CN=vm-srv"
>>> > (assuming you added the host with hostname of vm-srv to engine. if you added
>>> > it with fqdn or ip, use them under last CN)
>>> >
>>> >
>>> >>
>>> >> //////////////////////////////////
>>> >> # cat .spicec/spice_truststore.pem
>>> >> Certificate:
>>> >> Data:
>>> >> Version: 3 (0x2)
>>> >> Serial Number: 1 (0x1)
>>> >> Signature Algorithm: sha1WithRSAEncryption
>>> >> Issuer: C=US, O=ICL, CN=CA-vm-srv.15064
>>> >> Validity
>>> >> Not Before: Jul 28 03:42:06 2012
>>> >> Not After : Jul 26 23:42:07 2022 GMT
>>> >> Subject: C=US, O=ICL, CN=CA-vm-srv.15064
>>> >> Subject Public Key Info:
>>> >> Public Key Algorithm: rsaEncryption
>>> >> Public-Key: (2048 bit)
>>> >> Modulus:
>>> >> ///////////////////////////////////////////
>>> >>
>>> >> 2012/8/6 Itamar Heim <iheim at redhat.com>:
>>> >>>
>>> >>> this looks like the subject name of the CA, not the host running the
>>> >>> virtual
>>> >>> machine?
>>> >
>>> >
>>> >
>>> _______________________________________________
>>> Users mailing list
>>> Users at ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>
>> --
>>
>> David Jaša, RHCE
>>
>> SPICE QE based in Brno
>> GPG Key: 22C33E24
>> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>>
>>
>>
More information about the Users
mailing list