[Users] spicec not connect | SSL Error
Itamar Heim
iheim at redhat.com
Tue Aug 7 20:18:03 UTC 2012
On 08/07/2012 10:04 PM, Artem wrote:
> Hello again,
> I figured out, this resolve my question
>
> # curl -X POST -H "Accept: application/xml" -H "Content-type:
> application/xml" -u admin at internal:pass --cacert ca.crt -d
> "<action><ticket><expiry>120</expiry></ticket></action>"
> https://vm-srv:8443/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/ticket
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <action>
> <ticket>
> <value>+e/OUQvquJx4</value>
> <expiry>120</expiry>
> </ticket>
> <status>
> <state>complete</state>
> </status>
> </action>
indeed.
artem/david - between all the inputs in this thread - please try to
capture it in a wiki as david suggested.
thanks,
Itamar
>
> Artem
>
> 2012/8/7 Artem <artem at e-inet.ru>:
>> Hi all, thaks for lot, it's work
>>
>> 1) get CA to client "wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt"
>> 2) set "vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD}
>> ${VALIDITY_SECONDS}" on kvm host
>> 3) and connect to consle use this line "spicec --ca-file ${CA_FILE} -w
>> ${PASSWORD} -h vm-srv -s ${SECURE_PORT}" successfully
>>
>> but how to install "setVmTicket" without login as root on kvm host,
>> how to make it through the post request?
>>
>>
>> 2012/8/6 David Jaša <djasa at redhat.com>:
>>> @Itamar - this is recurring problem, what about creating a wiki page for
>>> it?
>>>
>>> @Artem:
>>>
>>> Artem píše v Po 06. 08. 2012 v 01:30 +0400:
>>>> yes engine and kvm(qemu-kvm) installed on same machine (vm-srv)
>>>>
>>>> i change host-subject but..
>>>>
>>>> # spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL,
>>>> CN=vm-srv" --secure-channels=all
>>>
>>> 1) your command line is missing '--ca-file $CA_FILE' altoghether
>>>
>>> 2) you don't mention password
>>>
>>> 3) you shouldn't need to specify host subject at all because your host
>>> (-h) matches name of server in CN field of host subject. If you override
>>> it anyway, strip white spaces after commas in it:
>>> --host-subject='C=US,O=ICL,CN=vm-srv'
>>>
>>> 4) you could omit -p and --secure-channels altogether in order to
>>> achieve tls-only connection, but you can hit
>>> https://bugzilla.redhat.com/show_bug.cgi?id=723582 then
>>>
>>> So you should do (out of my head, may contain typos):
>>> get CA:
>>> * on engine, it is found here:
>>> CA_FILE=/etc/pki/ovirt-engine/ca.pem
>>> * on host, it's here:
>>> CA_FILE=/etc/pki/vdsm/libvirt-spice/ca-cert.pem
>>> * on any other host, get it from engine web interface:
>>> wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt
>>>
>>> on the host, get UUID of the VM:
>>> $ VM_UUID="$(ps -ef | grep ${VM_NAME} | sed -e 's/^.*-uuid[ \t]\+\([ \t]\+\)[ \t].*$/\1/')"
>>>
>>> as root on the host, set ticket (password and its period of validity):
>>> # vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD} ${VALIDITY_SECONDS}
>>> (doing it via REST API is cleaner but more cumbersome for me)
>>>
>>> if the hostname you're connecting does not match what is in CN field of
>>> Subject of the server cert, get the subject without spaces after commas
>>> on the host:
>>> $ grep Subject: ${SERVER_CERT_FILE} | sed -e 's/^.*Subject:[ \t]*\(.*\)$/\1/;s/,[ \t]*/,/'
>>>
>>> connect to the spice-server:
>>> $ spicec --ca-file ${CA_FILE} -w ${PASSWORD} -h vm-srv -s ${SECURE_PORT}
>>> OR, with newer, shinier and overall better client :)
>>> # yum install virt-viewer
>>> $ remote-viewer --spice-ca-file /etc/pki/ovirt-engine/ca.pem spice://vm-srv/?tls-port=${SECURE_PORT}
>>> (you'll have to provide the password through the pop-up dialog)
>>>
>>> if you need to provide host subject (host name/IP not matching the one from server cert Subject):
>>> $ spicec --host-subject ${HOST_SUBJECT} [...]
>>> OR
>>> $ remote-viewer --spice-host-subject ${HOST_SUBJECT} [...]
>>>
>>> David
>>>
>>>
>>>> Error: subject mismatch: #entries cert=2, input=3
>>>> Error: failed to connect w/SSL, ssl_error
>>>> error:00000001:lib(0):func(0):reason(1)
>>>> 3079539240:error:14090086:SSL
>>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
>>>> failed:s3_clnt.c:1063:
>>>> Warning: SSL Error:
>>>>
>>>>
>>>> 2012/8/6 Itamar Heim <iheim at redhat.com>:
>>>>> On 08/06/2012 12:07 AM, Artem wrote:
>>>>>>
>>>>>> hmm... not sure if understood correctly...
>>>>>>
>>>>>> vm-srv this KVM host.. (server) and I connect from another machine to vm
>>>>>> on kvm.
>>>>>
>>>>>
>>>>> did you install the engine and kvm host on same machine?
>>>>>
>>>>>
>>>>>>
>>>>>> this subject name i get in .spicec/spice_truststore.pem
>>>>>
>>>>>
>>>>> yes, spice trusts the CA, but client needs to validate the target host
>>>>> certificate.
>>>>> (if you run engine and host on same machine, try:
>>>>> "C=US, O=ICL, CN=vm-srv"
>>>>> (assuming you added the host with hostname of vm-srv to engine. if you added
>>>>> it with fqdn or ip, use them under last CN)
>>>>>
>>>>>
>>>>>>
>>>>>> //////////////////////////////////
>>>>>> # cat .spicec/spice_truststore.pem
>>>>>> Certificate:
>>>>>> Data:
>>>>>> Version: 3 (0x2)
>>>>>> Serial Number: 1 (0x1)
>>>>>> Signature Algorithm: sha1WithRSAEncryption
>>>>>> Issuer: C=US, O=ICL, CN=CA-vm-srv.15064
>>>>>> Validity
>>>>>> Not Before: Jul 28 03:42:06 2012
>>>>>> Not After : Jul 26 23:42:07 2022 GMT
>>>>>> Subject: C=US, O=ICL, CN=CA-vm-srv.15064
>>>>>> Subject Public Key Info:
>>>>>> Public Key Algorithm: rsaEncryption
>>>>>> Public-Key: (2048 bit)
>>>>>> Modulus:
>>>>>> ///////////////////////////////////////////
>>>>>>
>>>>>> 2012/8/6 Itamar Heim <iheim at redhat.com>:
>>>>>>>
>>>>>>> this looks like the subject name of the CA, not the host running the
>>>>>>> virtual
>>>>>>> machine?
>>>>>
>>>>>
>>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>>> --
>>>
>>> David Jaša, RHCE
>>>
>>> SPICE QE based in Brno
>>> GPG Key: 22C33E24
>>> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>>>
>>>
>>>
More information about the Users
mailing list