Problem resolved, it was a cert issue. Thanks for the help.

On Fri, Mar 23, 2012 at 8:03 AM, Anthony James <[email protected]> wrote:
> I did have spaces after the commas in the host subject but after
> regenerating the certs and modifying the command I receive the same error.
> I followed the steps to create the certs from the
> http://www.spice-space.org/page/SSLConnection site. Should those steps
> work?
>
> On Fri, Mar 23, 2012 at 7:36 AM, David Jaša <[email protected]> wrote:
>
>> Hi Anthony,
>>
>> I don't see anything clearly wrong in what you posted in your last two
>> mails. Just one note: -spice addr=127.0.0.1 means that the host will
>> only be accessible on the localhost - if you add "<listen type='address'
>> address='0.0.0.0'/>" element to "<graphics>" element in domain xml, qemu
>> will bind to all ipv4 addresses.
>>
>> I'd just check the SSL/TLS stuff again - if your certs are OK, if you
>> pass correct host subject (without space after comma!), if you pass
>> correct CA file and so on...
>>
>> David
>>
>> Anthony James wrote on Fri 23. 03. 2012 at 07:20 -0400:
>> > I just tried connecting using remote-viewer, here is the command:
>> >
>> > remote-viewer --spice-ca-file=ca-cert.pem --spice-host-subject="$HOSTSUBJECT" spice://localhost/?port=$PORT&tls-port=$SPORT
>> >
>> > It connects but using only the non-tls port. When I remove port=$PORT
>> > to try and force it to use the tls-port the connection fails and I see
>> > this in the VM log:
>> >
>> > reds_handle_ssl_accept: SSL_accept failed, error=1
>> >
>> > The remote-viewer version is 0.5.2.
>> >
>> > On Fri, Mar 23, 2012 at 7:10 AM, Anthony James <[email protected]> wrote:
>> > I created and started the VM with virt-manager. Here is what
>> > looks like the qemu cmd from /var/log/libvirt/qemu/$VM.log
>> >
>> > /usr/bin/qemu-kvm -S -M pc-0.15
>> > -cpu core2duo,+lahf_lm,+rdtscp,+popcnt,+sse4.2,+sse4.1,+pdcm,+xtpr,+cx16,+tm2,+est,+smx,+vmx,+ds_cpl,+dtes64,+pbe,+tm,+ht,+ss,+acpi,+ds
>> > -enable-kvm -m 2048 -smp 2,sockets=2,cores=1,threads=1 -name $VMNAME
>> > -uuid 9046e3aa-81d5-028d-010f-2a755e20aa97 -nodefconfig -nodefaults
>> > -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/$VMNAME.monitor,server,nowait
>> > -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown
>> > -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5
>> > -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x8
>> > -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,addr=0x9
>> > -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0xa
>> > -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0xb
>> > -drive file=/vm/$VMNAME.img,if=none,id=drive-virtio-disk0,format=raw
>> > -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1
>> > -drive file=/iso/virtio-win-0.1-22.iso,if=none,media=cdrom,id=drive-ide0-1-0,readonly=on,format=raw
>> > -device ide-drive,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0
>> > -netdev tap,fd=26,id=hostnet0,vhost=on,vhostfd=27
>> > -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:43:e6:dd,bus=pci.0,addr=0x3
>> > -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0
>> > -chardev spicevmc,id=charchannel0,name=vdagent
>> > -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0
>> > -device usb-tablet,id=input0
>> > -spice port=$PORT,tls-port=$SPORT,addr=127.0.0.1,x509-dir=/etc/pki/libvirt-spice
>> > -k en-us -vga qxl -global qxl-vga.vram_size=67108864
>> > -device intel-hda,id=sound0,bus=pci.0,addr=0x4
>> > -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0
>> > -chardev spicevmc,id=charredir0,name=usbredir
>> > -device usb-redir,chardev=charredir0,id=redir0
>> > -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7
>> >
>> > Also in the log I see the following messages for every time I
>> > try to connect using SSL:
>> >
>> > reds_handle_ssl_accept: SSL_accept failed, error=1
>> > reds_handle_ssl_accept: SSL_accept failed, error=1
>> >
>> > Here are the package versions I'm running:
>> >
>> > spice-xpi-2.7-2.fc16.x86_64
>> > spice-gtk3-0.11-4.fc16.x86_64
>> > spice-gtk-tools-0.11-4.fc16.x86_64
>> > spice-client-0.10.1-1.fc16.x86_64
>> > spice-server-0.10.1-1.fc16.x86_64
>> > spice-gtk-python-0.11-4.fc16.x86_64
>> > spice-gtk-0.11-4.fc16.x86_64
>> > spice-protocol-0.10.1-1.fc16.noarch
>> > spice-glib-0.11-4.fc16.x86_64
>> > libvirt-0.9.10-2.fc16.x86_64
>> > libvirt-python-0.9.10-2.fc16.x86_64
>> > libvirt-client-0.9.10-2.fc16.x86_64
>> > qemu-system-x86-1.0-7.fc16.x86_64
>> > gpxe-roms-qemu-1.0.1-4.fc16.noarch
>> > qemu-common-1.0-7.fc16.x86_64
>> > qemu-img-1.0-7.fc16.x86_64
>> > virt-manager-common-0.9.1-2.fc16.noarch
>> > virt-manager-0.9.1-2.fc16.noarch
>> >
>> > The host is running Fedora 16 with the updates-testing
>> > virt-preview repos enabled.
>> >
>> > On Fri, Mar 23, 2012 at 6:58 AM, David Jaša <[email protected]> wrote:
>> > Anthony James wrote on Fri 23. 03. 2012 at 06:46 -0400:
>> > > David,
>> > >
>> > > I just tried about 20 times in a row, same error. When you say it's a
>> > > known bug in spicec when connecting manually, what is the alternative
>> > > to connecting manually? Is this bug present in spicy or
>> > > remote-viewer? Thanks in advance.
>> >
>> > I don't recall hitting it with remote-viewer. FTR, remote-viewer's
>> > invocation format differs from that of spicec and spicy:
>> >
>> > remote-viewer <options> spice://<host>/?port=<port>&tls-port=<sport>
>> >
>> > you can get the complete list of options with:
>> >
>> > remote-viewer --help-all
>> >
>> > Speaking about it, it might be also the libvirt/qemu bug that both fired
>> > up with main channel forced to SSL/TLS but without setting up tls-port
>> > on which would qemu actually listen. Could you post qemu command line
>> > here so we can rule it out?
>> >
>> > David
>> > >
>> > > On Fri, Mar 23, 2012 at 6:37 AM, David Jaša <[email protected]> wrote:
>> > > Anthony James wrote on Fri 23. 03. 2012 at 06:26 -0400:
>> > > > David,
>> > > >
>> > > > Thanks for the reply. I've tried adding --ca-file to the spicec
>> > > > command line but still receive the same error. Here is the command:
>> > > >
>> > > > spicec -h localhost -p $PORT -s $SPORT --secure-channels all
>> > > > --host-subject "$HOSTSUBJECT" --ca-file ca-cert.pem -w $PASSWD
>> > > >
>> > > > Same error:
>> > > >
>> > > > Error: failed to connect w/SSL, ssl_error
>> > > > error:00000001:lib(0):func(0):reason(1)
>> > > > 140613653984512:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
>> > > > Warning: SSL Error:
>> > >
>> > > Hi Anthony,
>> > >
>> > > try several times. It's a known bug in spicec that when you're
>> > > connecting manually, the connection fails several times before it is
>> > > established. Actually it's more frequent if you specify --secure
>> > > channels all or if you omit -p altogether (both have the same
>> > > effect).
>> > >
>> > > David
>> > > >
>> > > > On Fri, Mar 23, 2012 at 6:06 AM, David Jaša <[email protected]> wrote:
>> > > > Hi Anthony,
>> > > >
>> > > > Anthony James wrote on Thu 22. 03. 2012 at 15:40 -0400:
>> > > > > I'm having problems connecting to a spice virtual machine using SSL.
>> > > > > I use the following command to connect:
>> > > > >
>> > > > > spicec -h localhost -p $PORT -s $SPORT --secure-channels all
>> > > > > --host-subject "$HOSTSUBJECT" -w $PASSWD
>> > > > >
>> > > >
>> > > > You're missing --ca-file $CA_CERTIFICATE_FILE in your command line.
>> > > >
>> > > > David
>> > > > >
>> > > > > The error I receive is:
>> > > > >
>> > > > > Error: failed to connect w/SSL, ssl_error
>> > > > > error:00000001:lib(0):func(0):reason(1)
>> > > > > 139699632096512:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
>> > > > > Warning: SSL Error:
>> > > > >
>> > > > > I have followed the instructions from the following 2 sites to
>> > > > > configure the SSL certs:
>> > > > >
>> > > > > http://www.spice-space.org/page/SSLConnection
>> > > > >
>> > > > > http://fedoraproject.org/w/index.php?title=QA:Testcase_Virtualization_Manually_set_spice_listening_port_with_TLS_port_set&oldid=255162
>> > > > >
>> > > > > Any help would be greatly appreciated, I'm sure I'm missing
>> > > > > something.
>> > > > >
>> > > > > Thanks,
>> > > > > Tony
>> > > > >
>> > > > > _______________________________________________
>> > > > > Spice-devel mailing list
>> > > > > [email protected]
>> > > > > http://lists.freedesktop.org/mailman/listinfo/spice-devel
>> > > >
>> > > > --
>> > > >
>> > > > David Jaša, RHCE
>> > > >
>> > > > SPICE QE based in Brno
>> > > > GPG Key: 22C33E24
>> > > > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
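The checks suggested in the thread (certificates OK, correct CA file, host subject without a space after the comma) can be run offline with openssl before starting a client. This is an added example, not part of the original messages: the throwaway PKI, its subject values and the function names are constructed for the demonstration, and only the file names ca-cert.pem and server-cert.pem follow the x509-dir layout.

```sh
#!/bin/sh
# Added example (not from the thread): offline checks for a SPICE x509-dir.
# The PKI built here is a throwaway one constructed for the demonstration.

# Build a demo CA, an unrelated CA, and a server cert signed by the first.
make_demo_pki() {   # $1 = output directory
    for ca in ca-cert other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/C=XX/O=Example/CN=$ca" \
            -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/C=XX/O=Example/CN=spice-host" \
        -keyout "$1/server-key.pem" -out "$1/server.csr" 2>/dev/null || return 1
    openssl x509 -req -days 1 -in "$1/server.csr" -set_serial 1 \
        -CA "$1/ca-cert.pem" -CAkey "$1/ca-cert.key" \
        -out "$1/server-cert.pem" 2>/dev/null
}

# Certificate subject in the form to pass as the host subject:
# comma-separated, certificate order, no space after the commas.
host_subject() {
    openssl x509 -noout -subject -nameopt sep_comma_plus -in "$1" |
        sed 's/^subject= *//'
}

# Succeeds only if server cert $2 chains to CA file $1 (the client's CA file).
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Print the host subject to use, or report that the chain does not verify.
check_x509_dir() {   # $1 = CA file the client uses, $2 = server certificate
    if chain_ok "$1" "$2"; then
        echo "OK host-subject=\"$(host_subject "$2")\""
    else
        echo "FAIL: $2 does not chain to $1"
        return 1
    fi
}

# Demo run: the matching CA passes, the unrelated CA fails.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" && {
    check_x509_dir "$demo_dir/ca-cert.pem" "$demo_dir/server-cert.pem"
    check_x509_dir "$demo_dir/other-ca.pem" "$demo_dir/server-cert.pem" || true
}
rm -rf "$demo_dir"
```

On a real host, point check_x509_dir at the CA file given to the client and at server-cert.pem from the directory named in x509-dir.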
