[Users] Cannot connect to guest with spice console; SSL validate error

Itamar Heim iheim at redhat.com
Tue Aug 7 23:43:35 UTC 2012


On 08/07/2012 05:23 PM, Rami Vaknin wrote:
> On 08/07/2012 05:10 PM, Karli Sjöberg wrote:
>> Hi,
>>
>> It seems very difficult to get this working. I have a Fedora 17 client,
>> installed spice-xpi and tried to access console from User Portal but
>> console never shows up. engine.log prints:
>> 2012-08-07 15:56:18,738 INFO
>> [org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--0.0.0.0-8009-13)
>> [2a8bc3f4] Running command: SetVmTicketCommand internal: false.
>> Entities affected :  ID: 2ad22641-7aeb-4d1b-999e-2c0563376641 Type: VM
>> 2012-08-07 15:56:18,771 INFO
>> [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
>> (ajp--0.0.0.0-8009-13) [2a8bc3f4] START, SetVmTicketVDSCommand(vdsId =
>> acfc94c0-d7e1-11e1-b35e-b38016c320bb,
>> vmId=2ad22641-7aeb-4d1b-999e-2c0563376641, ticket=NvbcLbRR/7Vx,
>> validTime=120,m userName=karli,
>> userId=de526322-d046-4a06-911e-546e7159556e), log id: 3d61fa94
>> 2012-08-07 15:56:18,816 INFO
>> [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
>> (ajp--0.0.0.0-8009-13) [2a8bc3f4] FINISH, SetVmTicketVDSCommand, log
>> id: 3d61fa94
>>
>>  From the F17 client with "ovirt-shell" installed from ovirt-3.1 repo:
>> $ console milli
>> (window briefly flashes and disappears again)
>> warning: could not fetch host certificate info cause used backend/sdk
>> does not support it.
>> warning: host identity will not be validated.
>>
>> And have also used "spicec" directly from F17 client:
>> # spicec -h cirrus2-1.slu.se -p 5900 -s 5901 -w v36BkUumraDG (The
>> first ticket had by this time expired, so this is a new one)
>> (flashes)
>> Error: failed to connect w/SSL, ssl_error
>> error:00000001:lib(0):func(0):reason(1)
>> 140059992839392:error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
>> failed:s3_clnt.c:1063:
>> Warning: SSL Error:
>> # spicec -h cirrus2-1.slu.se -p 5900 -w v36BkUumraDG
>> (flashes)
>> Warning: connect error 5 - need secured connection
>
> I wrote a simple script that collects the parameters needed for spicec
> in case of a secure connection. I was using it on RHEL6; it will probably
> be easy to convert it to Fedora if it does not already work OTB:
>
> #!/bin/bash
>
> # Usage: ./spice_to_vm.sh host vm_name
>
> PASSWORD="root_password_to_the_host"
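> # Ticket validity in seconds (not named SECONDS, which bash treats as a
> # special self-incrementing timer variable)
> VALID_SECONDS="1200"
>
> ssh-copy-id root@$1 >& /dev/null
>
> # Look up the VM id on the host by VM name
> ID=`ssh root@$1 vdsClient -s 0 list table | awk '{print $1":"$3":"}' | grep ":$2:" | sed -e 's/\:.*//g'`
> ssh root@$1 vdsClient -s 0 setVmTicket $ID $PASSWORD $VALID_SECONDS keep >& /dev/null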

You should really setvmticket via restapi rather than directly to the host.

>
> PORT=`ssh root@$1 vdsClient -s 0 getVmStats $ID | grep displaySecurePort | awk '{print $3}'`
> SUBJECT=`ssh root@$1 openssl x509 -noout -text -in /etc/pki/vdsm/certs/vdsmcert.pem | grep Subject: | cut -f 10- -d " " | sed -e 's/\ //g'`
>
> scp root@$1:/etc/pki/vdsm/certs/cacert.pem /tmp/cacert.pem >& /dev/null
> COMMAND="sudo /usr/libexec/spicec --host-subject \"$SUBJECT\" --password $PASSWORD --secure-channels all -h $1 --secure-port $PORT --ca-file /tmp/cacert.pem"
>
> echo $COMMAND
>
>>
>> # rpm -qa | egrep '(ovirt|vdsm)'
>> ovirt-image-uploader-3.1.0-0.git9c42c8.fc17.noarch
>> vdsm-cli-4.10.0-5.fc17.noarch
>> ovirt-engine-config-3.1.0-1.fc17.noarch
>> ovirt-engine-userportal-3.1.0-1.fc17.noarch
>> vdsm-4.10.0-5.fc17.x86_64
>> ovirt-log-collector-3.1.0-0.git10d719.fc17.noarch
>> ovirt-engine-sdk-3.1.0.4-1.fc17.noarch
>> ovirt-engine-restapi-3.1.0-1.fc17.noarch
>> ovirt-engine-backend-3.1.0-1.fc17.noarch
>> ovirt-engine-3.1.0-1.fc17.noarch
>> ovirt-engine-webadmin-portal-3.1.0-1.fc17.noarch
>> ovirt-engine-notification-service-3.1.0-1.fc17.noarch
>> ovirt-engine-dbscripts-3.1.0-1.fc17.noarch
>> vdsm-python-4.10.0-5.fc17.x86_64
>> ovirt-engine-genericapi-3.1.0-1.fc17.noarch
>> ovirt-engine-tools-common-3.1.0-1.fc17.noarch
>> ovirt-engine-cli-3.1.0.6-1.fc17.noarch
>> vdsm-xmlrpc-4.10.0-5.fc17.noarch
>> vdsm-bootstrap-4.10.0-5.fc17.noarch
>> ovirt-iso-uploader-3.1.0-0.git1841d9.fc17.noarch
>> ovirt-engine-setup-3.1.0-1.fc17.noarch
>>
>>
>> The engine is installed with SSL as enabled by default, the hosts too.
>> VDSM and libvirt are all active and validate fine towards the engine;
>> have status "UP" and so on, but can't get SPICE console working. VNC
>> works of course, but SPICE would be much cooler:) How do I get console
>> working with SPICE?
>>
>> Best Regards
>> Karli Sjöberg
>
>
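
The quoted script hands spicec a CA file and a host subject, and OpenSSL's `certificate verify failed` in the original report means the client could not validate the certificate the host presented. As an added example (not part of this thread and not oVirt's own code), these bash functions check that a host certificate chains to the CA file and derive the subject string before the client is started; the function names and sample certificates are constructed, and the subject format is assumed to be the comma-separated form the quoted script builds.

```bash
#!/bin/bash
# Added example: pre-flight checks before starting a TLS-secured SPICE client.
# Function names and all certificate values below are constructed.

# Print the subject as comma-separated RDNs in certificate order,
# e.g. O=example.test,CN=host.example.test (assumed --host-subject form).
host_subject() {
    openssl x509 -noout -subject -nameopt sep_comma_plus -in "$1" |
        sed -e 's/^subject= *//'
}

# Succeed only if host certificate $2 chains to CA file $1. The output is
# matched because older OpenSSL releases exit 0 even when verification fails.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Create a throwaway CA, a host certificate it signs, and an unrelated CA in $1.
make_sample_pki() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
          -subj "/O=example.test/CN=Constructed CA" \
          -keyout ca.key -out cacert.pem &&
      openssl req -newkey rsa:2048 -nodes \
          -subj "/O=example.test/CN=host.example.test" \
          -keyout host.key -out host.csr &&
      openssl x509 -req -in host.csr -CA cacert.pem -CAkey ca.key \
          -CAcreateserial -days 1 -out vdsmcert.pem &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
          -subj "/O=other.test/CN=Unrelated CA" \
          -keyout other.key -out othercert.pem
    ) > /dev/null 2>&1
}

# Run with --demo to exercise the checks on the constructed certificates.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_sample_pki "$d" || exit 1
    chain_ok "$d/cacert.pem" "$d/vdsmcert.pem" &&
        echo "chain ok, subject: $(host_subject "$d/vdsmcert.pem")"
    chain_ok "$d/othercert.pem" "$d/vdsmcert.pem" ||
        echo "wrong CA file: verification fails, as the client would report"
    rm -rf "$d"
fi
```
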




