[Users] spicec not connect | SSL Error

David Jaša djasa at redhat.com
Wed Aug 8 08:47:36 UTC 2012


Itamar Heim wrote on Tue 07. 08. 2012 at 23:18 +0300:
> On 08/07/2012 10:04 PM, Artem wrote:
> > Hello again,
> > I figured it out, this resolves my question
> >
> > # curl -X POST -H "Accept: application/xml" -H "Content-type:
> > application/xml" -u admin@internal:pass --cacert ca.crt -d
> > "<action><ticket><expiry>120</expiry></ticket></action>"
> > https://vm-srv:8443/api/vms/d3db360f-4ff5-46f5-b61d-db09465db52c/ticket
> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > <action>
> >      <ticket>
> >          <value>+e/OUQvquJx4</value>
> >          <expiry>120</expiry>
> >      </ticket>
> >      <status>
> >          <state>complete</state>
> >      </status>
> > </action>
> 
> indeed.
> artem/david - between all the inputs in this thread - please try to 
> capture it in a wiki as david suggested.

Just writing it right now (offline).

David

> 
> thanks,
>     Itamar
> 
> >
> > Artem
> >
> > 2012/8/7 Artem <artem at e-inet.ru>:
> >> Hi all, thanks a lot, it works
> >>
> >> 1) get CA to client "wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt"
> >> 2) set "vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD}
> >> ${VALIDITY_SECONDS}" on kvm host
> >> 3) and connect to the console using this line "spicec --ca-file ${CA_FILE} -w
> >> ${PASSWORD} -h vm-srv -s ${SECURE_PORT}" successfully
> >>
> >> but how to install "setVmTicket" without logging in as root on the kvm host,
> >> how to do it through the POST request?
> >>
> >>
> >> 2012/8/6 David Jaša <djasa at redhat.com>:
> >>> @Itamar - this is a recurring problem, what about creating a wiki page for
> >>> it?
> >>>
> >>> @Artem:
> >>>
> >>> Artem wrote on Mon 06. 08. 2012 at 01:30 +0400:
> >>>> yes, engine and kvm (qemu-kvm) are installed on the same machine (vm-srv)
> >>>>
> >>>> I changed host-subject but..
> >>>>
> >>>> # spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL,
> >>>> CN=vm-srv" --secure-channels=all
> >>>
> >>> 1) your command line is missing '--ca-file $CA_FILE' altogether
> >>>
> >>> 2) you don't mention password
> >>>
> >>> 3) you shouldn't need to specify host subject at all because your host
> >>> (-h) matches name of server in CN field of host subject. If you override
> >>> it anyway, strip white spaces after commas in it:
> >>> --host-subject='C=US,O=ICL,CN=vm-srv'
> >>>
> >>> 4) you could omit -p and --secure-channels altogether in order to
> >>> achieve tls-only connection, but you can hit
> >>> https://bugzilla.redhat.com/show_bug.cgi?id=723582 then
> >>>
> >>> So you should do (out of my head, may contain typos):
> >>> get CA:
> >>> * on engine, it is found here:
> >>> CA_FILE=/etc/pki/ovirt-engine/ca.pem
> >>> * on host, it's here:
> >>> CA_FILE=/etc/pki/vdsm/libvirt-spice/ca-cert.pem
> >>> * on any other host, get it from engine web interface:
> >>> wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt
> >>>
> >>> on the host, get UUID of the VM:
> >>> $ VM_UUID="$(ps -ef | grep ${VM_NAME} | grep -v grep | sed -e 's/^.*-uuid[ \t]\+\([^ \t]\+\)[ \t].*$/\1/')"
> >>>
> >>> as root on the host, set ticket (password and its period of validity):
> >>> # vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD} ${VALIDITY_SECONDS}
> >>> (doing it via REST API is cleaner but more cumbersome for me)
> >>>
> >>> if the hostname you're connecting to does not match what is in the CN field of
> >>> Subject of the server cert, get the subject without spaces after commas
> >>> on the host:
> >>> $ grep Subject: ${SERVER_CERT_FILE} | sed -e 's/^.*Subject:[ \t]*\(.*\)$/\1/;s/,[ \t]*/,/g'
> >>>
> >>> connect to the spice-server:
> >>> $ spicec --ca-file ${CA_FILE} -w ${PASSWORD} -h vm-srv -s ${SECURE_PORT}
> >>> OR, with newer, shinier and overall better client :)
> >>> # yum install virt-viewer
> >>> $ remote-viewer --spice-ca-file /etc/pki/ovirt-engine/ca.pem spice://vm-srv/?tls-port=${SECURE_PORT}
> >>> (you'll have to provide the password through the pop-up dialog)
> >>>
> >>> if you need to provide host subject (host name/IP not matching the one from server cert Subject):
> >>> $ spicec --host-subject ${HOST_SUBJECT} [...]
> >>> OR
> >>> $ remote-viewer --spice-host-subject ${HOST_SUBJECT} [...]
> >>>
> >>> David
> >>>
> >>>
> >>>> Error: subject mismatch: #entries cert=2, input=3
> >>>> Error: failed to connect w/SSL, ssl_error
> >>>> error:00000001:lib(0):func(0):reason(1)
> >>>> 3079539240:error:14090086:SSL
> >>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> >>>> failed:s3_clnt.c:1063:
> >>>> Warning: SSL Error:
> >>>>
> >>>>
> >>>> 2012/8/6 Itamar Heim <iheim at redhat.com>:
> >>>>> On 08/06/2012 12:07 AM, Artem wrote:
> >>>>>>
> >>>>>> hmm... not sure if I understood correctly...
> >>>>>>
> >>>>>> vm-srv is this KVM host.. (server) and I connect from another machine to a vm
> >>>>>> on kvm.
> >>>>>
> >>>>>
> >>>>> did you install the engine and kvm host on same machine?
> >>>>>
> >>>>>
> >>>>>>
> >>>>>> this subject name I get in .spicec/spice_truststore.pem
> >>>>>
> >>>>>
> >>>>> yes, spice trusts the CA, but client needs to validate the target host
> >>>>> certificate.
> >>>>> (if you run engine and host on same machine, try:
> >>>>> "C=US, O=ICL, CN=vm-srv"
> >>>>> (assuming you added the host with hostname of vm-srv to engine. if you added
> >>>>> it with fqdn or ip, use them under last CN)
> >>>>>
> >>>>>
> >>>>>>
> >>>>>> //////////////////////////////////
> >>>>>> # cat .spicec/spice_truststore.pem
> >>>>>> Certificate:
> >>>>>>       Data:
> >>>>>>           Version: 3 (0x2)
> >>>>>>           Serial Number: 1 (0x1)
> >>>>>>           Signature Algorithm: sha1WithRSAEncryption
> >>>>>>           Issuer: C=US, O=ICL, CN=CA-vm-srv.15064
> >>>>>>           Validity
> >>>>>>               Not Before: Jul 28 03:42:06 2012
> >>>>>>               Not After : Jul 26 23:42:07 2022 GMT
> >>>>>>           Subject: C=US, O=ICL, CN=CA-vm-srv.15064
> >>>>>>           Subject Public Key Info:
> >>>>>>               Public Key Algorithm: rsaEncryption
> >>>>>>                   Public-Key: (2048 bit)
> >>>>>>                   Modulus:
> >>>>>> ///////////////////////////////////////////
> >>>>>>
> >>>>>> 2012/8/6 Itamar Heim <iheim at redhat.com>:
> >>>>>>>
> >>>>>>> this looks like the subject name of the CA, not the host running the
> >>>>>>> virtual
> >>>>>>> machine?
> >>>>>
> >>>>>
> >>>>>
> >>>
> >>> --
> >>>
> >>> David Jaša, RHCE
> >>>
> >>> SPICE QE based in Brno
> >>> GPG Key:     22C33E24
> >>> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
> >>>
> >>>
> >>>
> 
> 

-- 

David Jaša, RHCE

SPICE QE based in Brno
GPG Key:     22C33E24 
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
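The procedure the thread converges on (fetch the engine CA, request a console ticket through the REST API instead of running vdsClient as root on the host, then connect with the CA file and, if needed, a host subject with the spaces after commas stripped) as one shell helper. This is an added example, not code from the thread, from oVirt or from SPICE: ENGINE_URL, ENGINE_USER, ENGINE_PASSWORD and CA_FILE are assumed environment variables, the sample XML response is constructed after the one Artem posted with a made-up ticket value, and the network-touching functions are only shown in comments.

```shell
#!/bin/sh
# Added example, not code from the thread or from oVirt: a helper for the
# ticket-and-connect procedure discussed above. Offline parts (subject
# normalisation, ticket extraction, viewer command assembly) run stand-alone;
# fetch_ca() and request_ticket() talk to an engine and are only referenced
# from comments. ENGINE_URL, ENGINE_USER and ENGINE_PASSWORD are assumed names.

ENGINE_URL="${ENGINE_URL:-https://vm-srv:8443}"   # assumed; engine API base
ENGINE_USER="${ENGINE_USER:-admin@internal}"       # oVirt default admin user
CA_FILE="${CA_FILE:-${HOME}/.spicec/ca.crt}"       # where the engine CA is kept

# Constructed sample of the XML the /ticket action returns (shape taken from
# the thread, ticket value made up for this example).
SAMPLE_TICKET_XML='<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<action>
    <ticket>
        <value>EXAMPLEticket01</value>
        <expiry>120</expiry>
    </ticket>
    <status>
        <state>complete</state>
    </status>
</action>'

# Remove whitespace after the commas of a DN. The client counts RDNs by
# splitting on commas, so "C=US, O=ICL, CN=vm-srv" is compared as 3 entries
# against the certificate's 2 (the "subject mismatch: #entries" error above).
normalize_subject() {
    printf '%s' "$1" | sed -e 's/,[[:space:]]*/,/g'
}

# Pull the one-time password out of the engine's XML response read on stdin.
extract_ticket() {
    sed -n 's/.*<value>\([^<]*\)<\/value>.*/\1/p' | head -n 1
}

# Download the engine CA from the URL the thread uses (network; not run here).
fetch_ca() {
    engine_host="$1"
    curl -sS -o "$CA_FILE" "http://${engine_host}/ca.crt"
}

# Ask the engine for a console ticket valid for $2 seconds (default 120) and
# print it. Same request as the curl in the thread; --cacert verifies the
# engine's API certificate, not only the SPICE channel. Network; not run here.
request_ticket() {
    vm_uuid="$1"
    expiry="${2:-120}"
    curl -sS -X POST \
        -H 'Accept: application/xml' -H 'Content-type: application/xml' \
        -u "${ENGINE_USER}:${ENGINE_PASSWORD}" --cacert "$CA_FILE" \
        -d "<action><ticket><expiry>${expiry}</expiry></ticket></action>" \
        "${ENGINE_URL}/api/vms/${vm_uuid}/ticket" | extract_ticket
}

# Assemble the remote-viewer command line: TLS-only URI, engine CA, and an
# optional host subject (normalised) for when the name you connect to differs
# from the CN in the server certificate. The password goes into the viewer's
# prompt, so it never shows up in the process list.
viewer_cmd() {
    host="$1"
    tls_port="$2"
    subject="$3"
    cmd="remote-viewer --spice-ca-file ${CA_FILE} spice://${host}/?tls-port=${tls_port}"
    if [ -n "$subject" ]; then
        cmd="${cmd} --spice-host-subject=$(normalize_subject "$subject")"
    fi
    printf '%s' "$cmd"
}

# Offline demonstration on the constructed sample; safe to run anywhere.
main() {
    ticket=$(printf '%s\n' "$SAMPLE_TICKET_XML" | extract_ticket)
    echo "parsed ticket from sample response: ${ticket}"
    echo "would run: $(viewer_cmd vm-srv 5901 'C=US, O=ICL, CN=vm-srv')"
    # Real use, once ENGINE_PASSWORD is exported and the VM UUID is known:
    #   fetch_ca vm-srv
    #   request_ticket "$VM_UUID" 120   # prints the password to type into the viewer
    #   sh -c "$(viewer_cmd vm-srv 5901)"
}
main
```

Two checks from the thread are baked in: the host subject is only passed when the name given to the viewer does not match the certificate CN, and it is always normalised first, which is what removes the "#entries cert=2, input=3" mismatch. The API call uses the same CA file as the SPICE connection, so a wrong or stale ca.crt fails at the ticket request rather than at the console.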