[Users] [vdsm] SPICE SSL Woes

Itamar Heim iheim at redhat.com
Fri Oct 5 17:53:07 UTC 2012


On 10/05/2012 07:20 PM, Bret Palsson wrote:
> Fixed. It was that each server had the wrong time.
> ovirt-engine: was off by a day
> ovirt-node: off by 12 hours
> spicec: was 3 days behind.
>
> Updated ntpd on all machines and everything works as expected. Nothing was wrong with the certs.

good news is upstream should have a new warning on time sync issues for 
ovirt 3.2.

>
> Thank you for your help!
>
> -Bret
>
> On Oct 5, 2012, at 8:19 AM, David Jaša <djasa at redhat.com> wrote:
>
>> Itamar Heim wrote on Fri 05. 10. 2012 at 15:56 +0200:
>>> On 10/05/2012 10:57 AM, Juan Hernandez wrote:
>>>> On 10/05/2012 10:26 AM, Bret Palsson wrote:
>>>>> I can't seem to get this secure spice session to work. Any help is appreciated, already burnt 20 hours on this.
>>>>>
>>>>> Spice versions:
>>>>> spice-server-0.10.1
>>>>> spice-client 0.12.0
>>>>> spice-xpi 2.7
>>>>
>>>> The certificates that you get from the server in both examples are
>>>> different. Copy the text between "-----BEGIN CERTIFICATE-----" and
>>>> "-----END CERTIFICATE-----" to a file "cert.pem" and then run the
>>>> following command to see what is inside:
>>>>
>>>> openssl x509 -in cert.pem -noout -text
>>>>
>>>> In both cases it looks like the certificate fails to verify. I would
>>>> suggest taking that "cert.pem" file and the "ca.pem" file from the
>>>> engine (/etc/pki/ovirt-engine/ca.pem) and verifying it like this:
>>>>
>>>> openssl verify -CAfile ca.pem cert.pem
>>>>
>>>> It should say:
>>>>
>>>> ca.pem: OK
>>>>
>>>> The message you get when you test with openssl is this:
>>>>
>>>> Verify return code: 9 (certificate is not yet valid)
>>>>
>>>> That probably means that you have some kind of date/time problem. Make
>>>> sure that all your machines (engine, nodes, clients) are correctly
>>>> synchronized.
>>>>
>>>> If you still have problems please share the certificate that you get
>>>> when connecting with "openssl s_client" and the certificate of the CA
>>>> of the engine (/etc/pki/ovirt-engine/ca.pem).
>>>>
>>>>> spicec: I set the password to abcd using a bash script found on this mailing list, valid for 1200 seconds.
>>>>> =============================================
>>>>> # spicec --password abcd --secure-channels all -h 10.20.20.2 --secure-port 5902 --ca-file cacert.pem
>>>>> Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
>>>>> 139833084392776:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
>>>>> Warning: SSL Error:
>>>>> =============================================
>>>>>
>>>>> spice-xpi: spice-xpi.log
>>>>> =============================================
>>>>> built and installed latest (which is great, has better debugging output):
>>>>> 2012-10-02 07:58:26,805 DEBUG nsPluginInstance::SetHostIP: 10.20.20.2
>>>>> 2012-10-02 07:58:26,806 DEBUG nsPluginInstance::SetPort: 5901
>>>>> 2012-10-02 07:58:26,806 DEBUG nsPluginInstance::SetTitle: Test:%d - Press SHIFT+F12 to Release Cursor
>>>>> 2012-10-02 07:58:26,807 DEBUG nsPluginInstance::SetDynamicMenu:
>>>>> 2012-10-02 07:58:26,807 DEBUG nsPluginInstance::SetFullScreen: 0
>>>>> 2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetPassword: Password set
>>>>> 2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetNumberOfMonitors: 1
>>>>> 2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetUsbListenPort: 0
>>>>> 2012-10-02 07:58:26,809 DEBUG nsPluginInstance::SetAdminConsole: 1
>>>>> 2012-10-02 07:58:26,809 DEBUG nsPluginInstance::SetSecurePort: 5902
>>>>> 2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetSSLChannels: original channels: smain,sinputs,scursor,splayback,srecord,sdisplay
>>>>> 2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetSSLChannels: modified channels: main,inputs,cursor,playback,record,display
>>>>> 2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetGuestHostName: Test
>>>>> 2012-10-02 07:58:26,811 DEBUG nsPluginInstance::SetCipherSuite: DEFAULT
>>>>> 2012-10-02 07:58:26,811 DEBUG nsPluginInstance::SetHostSubject: O=Best Company,CN=10.20.20.2
>>>>> 2012-10-02 07:58:26,812 DEBUG nsPluginInstance::SetTrustStore: Certificate:
>>>>>     Data:
>>>>>         Version: 3 (0x2)
>>>>>         Serial Number: 1 (0x1)
>>>>>         Signature Algorithm: sha1WithRSAEncryption
>>>>>         Issuer: C=US, O=Best Company, CN=CA-ovirt-engine.example.com.28202
>>>>>         Validity
>>>>>             Not Before: Sep  6 21:49:14 2012
>>>>>             Not After : Sep  6 03:49:15 2022 GMT
>>>>>         Subject: C=US, O=Best Company, CN=CA-ovirt-engine.example.com.28202
>>>>>         Subject Public Key Info:
>>>>>             Public Key Algorithm: rsaEncryption
>>>>>                 Public-Key: (1024 bit)
>>>>>                 Modulus:
>>>>>                     00:bc:70:bd:bc:a0:07:7a:99:5e:84:c6:91:70:30:
>>>>>                     3e:f0:2a:c9:96:cb:ac:d5:f4:e7:a4:8d:85:c2:2d:
>>>>>                     39:12:fa:2f:3f:3c:bf:bb:ed:90:31:28:ae:38:49:
>>>>>                     68:e2:4a:ca:89:21:4c:1c:b5:72:ca:e5:c7:3d:d8:
>>>>>                     64:95:22:98:45:67:50:43:dd:8e:cb:9e:39:d4:9b:
>>>>>                     11:16:71:e1:d9:81:1e:4d:1c:2c:9c:6d:7c:d1:43:
>>>>>                     a1:af:4a:83:77:e8:ad:0d:92:cb:fa:45:b8:d3:b6:
>>>>>                     50:99:3e:4e:a7:91:30:57:ce:a7:5b:62:95:7f:9b:
>>>>>                     fd:26:05:a9:e0:8e:45:2b:e3
>>>>>                 Exponent: 65537 (0x10001)
>>>>>         X509v3 extensions:
>>>>>             X509v3 Subject Key Identifier:
>>>>>                 87:93:27:08:E5:4D:2B:CE:EC:55:2C:E6:C4:C0:EE:32:0C:87:22:BF
>>>>>             Authority Information Access:
>>>>>                 CA Issuers - URI:http://ovirt-engine.example.com:80/ca.crt
>>>>>
>>>>>             X509v3 Authority Key Identifier:
>>>>>                 keyid:87:93:27:08:E5:4D:2B:CE:EC:55:2C:E6:C4:C0:EE:32:0C:87:22:BF
>>>>>                 DirName:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
>>>>>                 serial:01
>>>>>
>>>>>             X509v3 Basic Constraints: critical
>>>>>                 CA:TRUE
>>>>>             X509v3 Key Usage: critical
>>>>>                 Certificate Sign, CRL Sign
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>         a1:a9:17:91:ba:6e:0d:15:ce:28:e0:b8:7f:3c:5e:ba:6e:8d:
>>>>>         31:91:bf:99:0c:74:5f:95:86:e6:90:fd:3c:13:3a:64:9e:40:
>>>>>         f7:4f:e0:45:b8:8e:27:b3:23:d4:75:bb:be:5f:73:4f:48:e4:
>>>>>         8c:6d:11:eb:76:70:81:c7:a5:8a:35:0b:ef:a5:cf:3d:ae:fd:
>>>>>         1f:94:b7:e4:c3:4c:7f:fb:5b:09:eb:e8:b1:35:3c:b8:ba:e8:
>>>>>         b7:d0:5f:8a:98:b5:9a:6c:24:53:2a:49:61:0e:7c:5e:b3:d2:
>>>>>         d4:c3:dd:ca:b9:57:a3:f0:e4:9c:d6:3d:43:40:9d:dd:ff:cd:
>>>>>         94:be
>>>>> -----BEGIN CERTIFICATE-----
>>>>> MIIDCDCCAnGgAwIBAgIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEc
>>>>> MBoGA1UEChMTSml2ZSBDb21tdW5pY2F0aW9uczEfMB0GA1UEAxMWQ0EtY20uaml2
>>>>> ZWlwLm5ldC4yODIwMjAiFxExMjA5MDYyMTQ5MTQrMDcwMBcNMjIwOTA2MDM0OTE1
>>>>> WjBMMQswCQYDVQQGEwJVUzEcMBoGA1UEChMTSml2ZSBDb21tdW5pY2F0aW9uczEf
>>>>> MB0GA1UEAxMWQ0EtY20uaml2ZWlwLm5ldC4yODIwMjCBnzANBgkqhkiG9w0BAQEF
>>>>> AAOBjQAwgYkCgYEAvHC9vKAHeplehMaRcDA+8CrJlsus1fTnpI2Fwi05EvovPzy/
>>>>> u+2QMSiuOElo4krKiSFMHLVyyuXHPdhklSKYRWdQQ92Oy5451JsRFnHh2YEeTRws
>>>>> nG180UOhr0qDd+itDZLL+kW407ZQmT5Op5EwV86nW2KVf5v9JgWp4I5FK+MCAwEA
>>>>> AaOB9TCB8jAdBgNVHQ4EFgQUh5MnCOVNK87sVSzmxMDuMgyHIr8wOgYIKwYBBQUH
>>>>> AQEELjAsMCoGCCsGAQUFBzAChh5odHRwOi8vY20uaml2ZWlwLm5ldDo4MC9jYS5j
>>>>> cnQwdAYDVR0jBG0wa4AUh5MnCOVNK87sVSzmxMDuMgyHIr+hUKROMEwxCzAJBgNV
>>>>> BAYTAlVTMRwwGgYDVQQKExNKaXZlIENvbW11bmljYXRpb25zMR8wHQYDVQQDExZD
>>>>> QS1jbS5qaXZlaXAubmV0LjI4MjAyggEBMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P
>>>>> AQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAKGpF5G6bg0VzijguH88XrpujTGR
>>>>> v5kMdF+VhuaQ/TwTOmSeQPdP4EW4jiezI9R1u75fc09I5IxtEet2cIHHpYo1C++l
>>>>> zz2u/R+Ut+TDTH/7Wwnr6LE1PLi66LfQX4qYtZpsJFMqSWEOfF6z0tTD3cq5V6Pw
>>>>> 5JzWPUNAnd3/zZS+
>>>>> -----END CERTIFICATE-----
>>>>>
>>>>> 2012-10-02 07:58:26,813 DEBUG nsPluginInstance::SetHotKeys: release-cursor=shift+f12,toggle-fullscreen=shift+f11
>>>>> 2012-10-02 07:58:26,813 DEBUG nsPluginInstance::SetNoTaskMgrExecution: 0
>>>>> 2012-10-02 07:58:26,813 DEBUG nsPluginInstance::SetSendCtrlAltDelete: 0
>>>>> 2012-10-02 07:58:26,814 DEBUG nsPluginInstance::SetUsbAutoShare: 1
>>>>> 2012-10-02 07:58:26,815 DEBUG nsPluginInstance::SetUsbFilter: -1,-1,-1,-1,0
>>>>> 2012-10-02 07:58:26,816 INFO  nsPluginInstance::Connect: SPICE_XPI_SOCKET: /tmp/spicec-8ym5mJ/spice-xpi
>>>>> 2012-10-02 07:58:26,816 INFO  nsPluginInstance::Connect: SPICE_FOREIGN_MENU_SOCKET: /tmp/spicec-8ym5mJ/spice-foreign
>>>>> 2012-10-02 07:58:26,816 DEBUG nsPluginInstance::Connect: Controller pid: 50483
>>>>> 2012-10-02 07:58:26,816 DEBUG QErrorHandler: Something went wrong: connect error, 2
>>>>> 2012-10-02 07:58:26,817 DEBUG SpiceController::Connect: Connect Error
>>>>> 2012-10-02 07:58:26,817 INFO  nsPluginInstance::Connect: Launching /usr/libexec/spice-xpi-client
>>>>> 2012-10-02 07:58:26,817 DEBUG QErrorHandler: Something went wrong: connect error, 2
>>>>> 2012-10-02 07:58:26,817 DEBUG SpiceController::Connect: Connect Error
>>>>> 2012-10-02 07:58:27,818 DEBUG SpiceController::Connect: Connected!
>>>>> 2012-10-02 07:58:29,821 INFO  nsPluginInstance::Connect: Initiating connection with controller
>>>>> 2012-10-02 07:59:05,999 DEBUG nsPluginInstance::ControllerWaitHelper: Controller finished, pid: 50483, exit code: 0
>>>>> 2012-10-02 07:59:05,999 ERROR nsPluginInstance::CallOnDisconnected: could not get browser window, when trying to call OnDisconnected
>>>>>
>>>>> =============================================
>>>>>
>>>>>
>>>>>
>>>>> Openssl test:
>>>>> =============================================
>>>>> [root at centos6 ~]# openssl s_client -connect 10.20.20.2:5902 -CAfile cacert.pem
>>>>> CONNECTED(00000003)
>>>>> depth=1 C = US, O = Best Company, CN = CA-ovirt-engine.example.com.28202
>>>>> verify return:1
>>>>> depth=0 O = Best Company, CN = 10.20.20.2
>>>>> verify error:num=9:certificate is not yet valid
>>>>> notBefore=Oct  4 01:40:57 2012
>>>>> verify return:1
>>>>> depth=0 O = Best Company, CN = 10.20.20.2
>>>>> notBefore=Oct  4 01:40:57 2012
>>>>> verify return:1
>>>>> ---
>>>>> Certificate chain
>>>>> 0 s:/O=Best Company/CN=10.20.20.2
>>>>>    i:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
>>>>> 1 s:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
>>>>>    i:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
>>>>> ---
>>>>> Server certificate
>>>>> -----BEGIN CERTIFICATE-----
>>>>> MIIDDTCCAnagAwIBAgIBBzANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEc
>>>>> MBoGA1UEChMTSml2ZSBDb21tdW5pY2F0aW9uczEfMB0GA1UEAxMWQ0EtY20uaml2
>>>>> ZWlwLm5ldC4yODIwMjAiFxExMjEwMDQwMTQwNTctMDYwMBcNMTcxMDA0MDc0MDU4
>>>>> WjAzMRwwGgYDVQQKExNKaXZlIENvbW11bmljYXRpb25zMRMwEQYDVQQDEwoxMC4y
>>>>> MC4yMC4yMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCfxg43vrorGXoui5Cs
>>>>> 69xeS/R31r2FkfE3UO57BzKbToBY88Hj7dUkFjlFVwg3/eUIBh0jYQ5Qq5Q4Kl9p
>>>>> Oy4/58VwqRd6P/C3a9LgF1rdvXEnmtNZyoXNmvFeTgpEF+165hr6aPXmMqXqaSEv
>>>>> ab/mFdxVKM6FwgUWQb/uW3Rp3QIDAQABo4IBEjCCAQ4wHQYDVR0OBBYEFIhzxNFR
>>>>> sbDS9hLGOID0RLPlYrLPMDoGCCsGAQUFBwEBBC4wLDAqBggrBgEFBQcwAoYeaHR0
>>>>> cDovL2NtLmppdmVpcC5uZXQ6ODAvY2EuY3J0MHQGA1UdIwRtMGuAFIeTJwjlTSvO
>>>>> 7FUs5sTA7jIMhyK/oVCkTjBMMQswCQYDVQQGEwJVUzEcMBoGA1UEChMTSml2ZSBD
>>>>> b21tdW5pY2F0aW9uczEfMB0GA1UEAxMWQ0EtY20uaml2ZWlwLm5ldC4yODIwMoIB
>>>>> ATAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIFoDAgBgNVHSUBAf8EFjAUBggrBgEF
>>>>> BQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADgYEAayUoWzI77OMVGa1QeWKQ
>>>>> VF/iwu5URB8sbsmFk9NmfUOtIYsVsmdMsoDSYQsL7mEe0SA5GOXpS1sThdXsU1uf
>>>>> 9bZ+dyrmCBmg0/cPOiXA8R1GgS+Bwjc+MxEOuXzTmumfW19hlbKbRXRwgx+vRgDv
>>>>> JbUNV6jXUHqhBeGnsVhiLrQ=
>>>>> -----END CERTIFICATE-----
>>>>> subject=/O=Best Company/CN=10.20.20.2
>>>>> issuer=/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
>>>>> ---
>>>>> No client certificate CA names sent
>>>>> ---
>>>>> SSL handshake has read 1884 bytes and written 311 bytes
>>>>> ---
>>>>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>>>>> Server public key is 1024 bit
>>>>> Secure Renegotiation IS supported
>>>>> Compression: NONE
>>>>> Expansion: NONE
>>>>> SSL-Session:
>>>>>     Protocol  : TLSv1
>>>>>     Cipher    : AES256-SHA
>>>>>     Session-ID: 9747FACA4B5CC4542E050F4B8534E1B71234BC5F99F3221D284BC53D0A5CB746
>>>>>     Session-ID-ctx:
>>>>>     Master-Key: 7A579DA9F75E76C63F3FDFCB5BBE42EE28AEF5211C5AC5ECAE8679166C98FBB5AD00BFC4B8AC5D7E214A3B0069CF50E7
>>>>>     Key-Arg   : None
>>>>>     Krb5 Principal: None
>>>>>     PSK identity: None
>>>>>     PSK identity hint: None
>>>>>     TLS session ticket:
>>>>>     0000 - ae f2 91 79 e4 94 85 a2-02 60 aa 91 54 a5 3f 13   ...y.....`..T.?.
>>>>>     0010 - 90 b4 78 20 27 5a 52 61-78 a1 4d db 73 25 c0 f8   ..x 'ZRax.M.s%..
>>>>>     0020 - 65 7f 43 76 72 35 08 96-0d 32 c4 72 eb ae c4 a9   e.Cvr5...2.r....
>>>>>     0030 - 83 78 7f 48 8c c6 a9 38-78 ea 90 60 52 62 0e 4d   .x.H...8x..`Rb.M
>>>>>     0040 - 7c 3e 41 62 63 2d 27 b3-bc ba bb b7 87 ac 12 df   |>Abc-'.........
>>>>>     0050 - 04 61 3d c8 8f cd 14 e4-51 bf 74 66 2c a0 a6 70   .a=.....Q.tf,..p
>>>>>     0060 - 3e d2 5f 4c 63 10 80 83-18 d7 4e 08 e0 5b c5 5a   >._Lc.....N..[.Z
>>>>>     0070 - 75 94 27 de 1e 8e 61 e9-64 af 52 eb 1e 98 00 e2   u.'...a.d.R.....
>>>>>     0080 - 4f 80 8c 1f ec 40 b7 25-7b 72 a3 1a 99 8a 6a ca   O.... at .%{r....j.
>>>>>     0090 - 90 80 f9 1e 5f 99 96 0a-3e bb 4f b6 86 d1 49 0c   ...._...>.O...I.
>>>>>
>>>>>     Start Time: 1349186957
>>>>>     Timeout   : 300 (sec)
>>>>>     Verify return code: 9 (certificate is not yet valid)
>>>>> ---
>>>>>
>>>>> =============================================
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at ovirt.org
>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>
>>>>
>>>>
>>>
>>> also note that the host certificate is based on the hostname in the
>>> engine, so you must give the spice client the host name to validate it with.
>>
>> that is not an issue in this case because Bret specified host the same way
>> as it is in CN of server cert.
>>
>> Bret, one more thing: did you try to put the host in maintenance mode
>> and then click "Reinstall" in the host Action Items in webadmin? That
>> way, server certificates should get regenerated and SSL should Just
>> Work.
>>
>> David
>>
>>
>>>
>>
>> --
>>
>> David Jaša, RHCE
>>
>> SPICE QE based in Brno
>> GPG Key:     22C33E24
>> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
>>
>>
>>
>
>
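Added example (not code from the thread or from oVirt/SPICE): the verdict "certificate is not yet valid" (OpenSSL return code 9) is purely a comparison between the verifier's clock and the certificate's Validity window, which is why fixing ntpd cured it without touching any certificate. The script below walks the DER of the server certificate that `openssl s_client` printed above with a minimal ASN.1 parser, pulls out notBefore/notAfter, and reproduces OpenSSL's decision for an arbitrary client clock, reporting how far the clock is from the window so a clock problem can be told apart from a genuinely expired or not-yet-issued certificate. Two details it has to handle: that certificate encodes notBefore as UTCTime with a numeric offset ("121004014057-0600"), which is why `s_client` printed it as "Oct 4 01:40:57 2012" without the usual "GMT" suffix, and the epoch 1349186957 used as the client clock is the "Start Time" from the same `s_client` output (2012-10-02 14:09:17 UTC). The PEM is copied from the thread; the error codes and messages are OpenSSL's own; everything else is this example's.

```python
# Added example, not part of the original thread: decode the Validity window
# of an X.509 certificate with a minimal DER walker and reproduce OpenSSL's
# clock-dependent verdict (code 9 "not yet valid", 10 "expired", 0 "ok").
import base64
import re
from datetime import datetime, timedelta, timezone

# Server certificate exactly as printed by `openssl s_client` in the thread.
SERVER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDDTCCAnagAwIBAgIBBzANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJVUzEc
MBoGA1UEChMTSml2ZSBDb21tdW5pY2F0aW9uczEfMB0GA1UEAxMWQ0EtY20uaml2
ZWlwLm5ldC4yODIwMjAiFxExMjEwMDQwMTQwNTctMDYwMBcNMTcxMDA0MDc0MDU4
WjAzMRwwGgYDVQQKExNKaXZlIENvbW11bmljYXRpb25zMRMwEQYDVQQDEwoxMC4y
MC4yMC4yMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCfxg43vrorGXoui5Cs
69xeS/R31r2FkfE3UO57BzKbToBY88Hj7dUkFjlFVwg3/eUIBh0jYQ5Qq5Q4Kl9p
Oy4/58VwqRd6P/C3a9LgF1rdvXEnmtNZyoXNmvFeTgpEF+165hr6aPXmMqXqaSEv
ab/mFdxVKM6FwgUWQb/uW3Rp3QIDAQABo4IBEjCCAQ4wHQYDVR0OBBYEFIhzxNFR
sbDS9hLGOID0RLPlYrLPMDoGCCsGAQUFBwEBBC4wLDAqBggrBgEFBQcwAoYeaHR0
cDovL2NtLmppdmVpcC5uZXQ6ODAvY2EuY3J0MHQGA1UdIwRtMGuAFIeTJwjlTSvO
7FUs5sTA7jIMhyK/oVCkTjBMMQswCQYDVQQGEwJVUzEcMBoGA1UEChMTSml2ZSBD
b21tdW5pY2F0aW9uczEfMB0GA1UEAxMWQ0EtY20uaml2ZWlwLm5ldC4yODIwMoIB
ATAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIFoDAgBgNVHSUBAf8EFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADgYEAayUoWzI77OMVGa1QeWKQ
VF/iwu5URB8sbsmFk9NmfUOtIYsVsmdMsoDSYQsL7mEe0SA5GOXpS1sThdXsU1uf
9bZ+dyrmCBmg0/cPOiXA8R1GgS+Bwjc+MxEOuXzTmumfW19hlbKbRXRwgx+vRgDv
JbUNV6jXUHqhBeGnsVhiLrQ=
-----END CERTIFICATE-----"""

# OpenSSL's X509_V_ERR_* codes and messages for the two clock failures.
NOT_YET_VALID = (9, "certificate is not yet valid")
EXPIRED = (10, "certificate has expired")
OK = (0, "ok")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the DER body."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not body:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(body.group(1).split()))


def der_element(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def parse_asn1_time(tag: int, raw: bytes) -> datetime:
    """Parse UTCTime (0x17) or GeneralizedTime (0x18) into an aware UTC datetime.
    The +hhmm/-hhmm offset form is accepted because the thread's certificates
    use it; RFC 5280 requires 'Z', and openssl prints such times without 'GMT'."""
    text = raw.decode("ascii")
    if tag == 0x17:
        m = re.fullmatch(r"(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})?(Z|[+-]\d{4})", text)
        if not m:
            raise ValueError(f"bad UTCTime {text!r}")
        yy = int(m.group(1))
        year = 1900 + yy if yy >= 50 else 2000 + yy    # RFC 5280 two-digit year rule
    elif tag == 0x18:
        m = re.fullmatch(r"(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})?(?:\.\d+)?(Z|[+-]\d{4})", text)
        if not m:
            raise ValueError(f"bad GeneralizedTime {text!r}")
        year = int(m.group(1))
    else:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    month, day, hour, minute = (int(m.group(i)) for i in range(2, 6))
    second = int(m.group(6) or 0)
    zone = m.group(7)
    if zone == "Z":
        tz = timezone.utc
    else:
        sign = 1 if zone[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5])))
    return datetime(year, month, day, hour, minute, second, tzinfo=tz).astimezone(timezone.utc)


def validity_window(der: bytes):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter) in UTC."""
    _, pos, _ = der_element(der, 0)           # Certificate SEQUENCE
    _, pos, _ = der_element(der, pos)         # tbsCertificate SEQUENCE
    tag, _, end = der_element(der, pos)       # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        tag, _, end = der_element(der, end)   # serialNumber INTEGER
    _, _, end = der_element(der, end)         # signature AlgorithmIdentifier
    _, _, end = der_element(der, end)         # issuer Name
    tag, pos, _ = der_element(der, end)       # validity SEQUENCE
    if tag != 0x30:
        raise ValueError("validity SEQUENCE not found")
    nb_tag, nb_start, nb_end = der_element(der, pos)
    na_tag, na_start, na_end = der_element(der, nb_end)
    return (parse_asn1_time(nb_tag, der[nb_start:nb_end]),
            parse_asn1_time(na_tag, der[na_start:na_end]))


def clock_check(der: bytes, now):
    """Judge the window at time `now` (aware datetime or epoch seconds) as OpenSSL would.
    Returns (code, message, skew): skew is how far the clock must move forward to
    reach notBefore, or how far it is past notAfter, so an operator can tell a
    clock problem from a certificate that really is dead."""
    if isinstance(now, (int, float)):
        now = datetime.fromtimestamp(now, timezone.utc)
    not_before, not_after = validity_window(der)
    if now < not_before:
        return NOT_YET_VALID + (not_before - now,)
    if now > not_after:
        return EXPIRED + (now - not_after,)
    return OK + (timedelta(0),)


if __name__ == "__main__":
    der = pem_to_der(SERVER_CERT_PEM)
    nb, na = validity_window(der)
    print(f"notBefore={nb:%b %d %H:%M:%S %Y} GMT  notAfter={na:%b %d %H:%M:%S %Y} GMT")
    # 1349186957 is the s_client "Start Time" from the thread, i.e. the client's clock.
    code, msg, skew = clock_check(der, 1349186957)
    print(f"client clock -> code {code} ({msg}); notBefore is {skew} ahead of the clock")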