[ovirt-users] regenerate libvirt-spice keys after libvirtd restart?

David Jaša djasa at redhat.com
Tue Mar 8 17:43:41 UTC 2016


The only problem with spice certs in oVirt I remember over the last 5
years concerns certificate encoding - which bit only users who used
non-ASCII characters in Organization. The bugs (private RHEV
unfortunately) should have been fixed for quite some time - and the fix
involved certificate regeneration. You can see it in recent versions of
engine setup...

Otherwise, it was a really transparent process. Try removing
the /etc/pki/vdsm/libvirt-spice directory, reinstalling the package that
owns it (yum reinstall vdsm) and reinstalling the host in RHEV. You should
get 100 % fresh certs by this time.

BTW when I was meddling with libvirt settings on an oVirt host last time,
vdsm complained and refused to work. Doesn't it say something
interesting about it?

David
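
Added example, not part of David's message and not oVirt or vdsm code: after regenerating the files as described above, this shell check confirms that server-key.pem matches server-cert.pem and that server-cert.pem was issued by the ca-cert.pem in the same directory (the case raised in the quoted listing, where ca-cert.pem kept its older date). The function names, return codes and throwaway demo PKI are constructed for this illustration.

```bash
#!/bin/bash
# Added example (not from the thread): consistency check for a SPICE TLS directory.
# File names follow the listing in the thread; return codes are this example's own.

# check_spice_pki DIR -> 0 ok, 1 file missing, 2 key unusable or not matching
# the certificate, 3 server certificate not issued by ca-cert.pem.
check_spice_pki() {
    local dir="$1" f cert_pub key_pub
    for f in ca-cert.pem server-cert.pem server-key.pem; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f"; return 1; }
    done
    # Public key embedded in the certificate.
    cert_pub=$(openssl x509 -in "$dir/server-cert.pem" -noout -pubkey 2>/dev/null)
    # Public key derived from the private key; the empty passphrase makes an
    # encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$dir/server-key.pem" -passin pass: -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "server-key.pem is unreadable or does not match server-cert.pem"
        return 2
    fi
    # Chain check: a CA file left over from an earlier setup fails here.
    if ! openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" 2>/dev/null | grep -q ': OK$'; then
        echo "server-cert.pem was not issued by ca-cert.pem"
        return 3
    fi
    echo "ok: key, certificate and CA are consistent"
}

# make_demo_ca DIR CN: constructed throwaway CA (sample data only).
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=Demo/CN=$2" \
        -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" 2>/dev/null
}

# make_demo_server DIR: constructed server key and certificate signed by DIR's CA.
make_demo_server() {
    openssl req -newkey rsa:2048 -nodes -subj "/O=Demo/CN=host.example" \
        -keyout "$1/server-key.pem" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" \
        -set_serial 2 -days 2 -out "$1/server-cert.pem" 2>/dev/null
}

# Demo on constructed data; on a host, call check_spice_pki /etc/pki/vdsm/libvirt-spice.
demo=$(mktemp -d)
make_demo_ca "$demo" "Demo CA" && make_demo_server "$demo"
check_spice_pki "$demo"
rm -rf "$demo"
```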

On Tue, 2016-03-08 at 09:11 -0800, Bill James wrote:
> any suggestions on how to get ovirt and spice console keys to work 
> correctly?
> 
> 
> On 03/07/2016 10:09 AM, Bill James wrote:
> > thanks for the reply.
> > I tried reinstall of one host. Didn't help.
> > Also tried removing the host and reinstalling it. Didn't help.
> >
> > Looks like server cert & key were regenerated, but not ca-cert.pem.
> >
> >
> > [root at ovirt2 test ~]# ls -rtl /etc/pki/vdsm/libvirt-spice|grep -v 2016|tail
> > total 84
> > -rw-r--r-- 1 root kvm 1379 Feb 19 17:09 ca-cert.pem
> > -rw-r--r-- 1 root kvm 1570 Mar  7 09:44 server-cert.pem
> > -r--r----- 1 vdsm kvm 1675 Mar  7 09:44 server-key.pem
> >
> > [root at ovirt2 test ~]# tail -3 /etc/libvirt/qemu.conf
> > spice_tls=1
> > spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"
> > ## end of configuration section by vdsm-4.17.0
> >
> > Chown'd all the files to vdsm:kvm just in case, and rebooted the host.
> > Didn't help.
> >
> > Changed console back to VNC and it starts up fine.
> >
> >
> > Seems strange that I could mess up the spice keys just by restarting 
> > libvirtd. (service libvirtd restart)
> >
> >
> >
> > On 03/07/2016 06:15 AM, David Jaša wrote:
> >> Hi,
> >>
> >> it looks like you messed up private key location and/or contents. If you
> >> "Reinstall" the host in ovirt engine, the keys/certs should get
> >> regenerated.
> >>
> >> David
> >>
> >> On Fri, 2016-03-04 at 10:16 -0800, Bill James wrote:
> >>> I needed to bounce libvirtd after changing a config in 
> >>> libvirt/qemu.conf
> >>> so import-to-ovirt.pl,
> >>> but now my VMs with Spice console complain:
> >>>
> >>> libvirtError: internal error: process exited while connecting to
> >>> monitor: ((null):2791): Spice-Warning **: reds.c:3311:reds_init_ssl:
> >>> Could not use private key file
> >>>
> >>> What is the proper way to sync up the key after restarting libvirtd?
> >>> I even tried rebooting host and restart ovirt-engine and ovirt-engine
> >>> setup, didn't help.
> >>>
> >>> Workaround is to just use VNC consoles. But I'd like to get spice working
> >>> again.
> >>>
> >>> centos 7.2
> >>> libvirt-client-1.2.17-13.el7_2.2.x86_64
> >>> ovirt-engine-3.6.2.6-1.el7.centos.noarch
> >>>
> >
> 