Ubuntu 12.10
qemu-kvm-spice:
Installed: 1.2.0-2012.09-0ubuntu1
Candidate: 1.2.0-2012.09-0ubuntu1
Version table:
*** 1.2.0-2012.09-0ubuntu1 0
500 http://gb.archive.ubuntu.com/ubuntu/ quantal/universe amd64 Packages
100 /var/lib/dpkg/status
Key Creation
-------------------------
openssl genrsa -des3 -out ca-key.pem 1024
openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -utf8 -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
openssl genrsa -out server-key.pem 1024
openssl req -new -key server-key.pem -out server-key.csr -utf8 -subj "/C=IL/L=Raanana/O=Red Hat/CN=my server"
openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
openssl rsa -in server-key.pem -out server-key.pem.insecure
mv server-key.pem server-key.pem.secure
mv server-key.pem.insecure server-key.pem
qemu.conf
--------------
qemu.conf configuration was attempted as default, and specified using an uncommented path "/etc/pki/libvirt-spice"
spice_tls = 1
# default it to keep them in /etc/pki/libvirt-spice. This directory
# must contain
...
#spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" (using the default path)
spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" (specifying the path directly)
Permissions
-------------
Permissions were tested set as default (assumed root or my account) and
sudo chown libvirt-qemu /etc/pki/libvirt-spice/
sudo chown libvirt-qemu /etc/pki/libvirt-spice/<filenames of files>
Before reporting a bug, could we rule out the possibility of misconfiguration
entirely?
1) do you use libvirt?
2) if so, do you use system session or per-user session?
3) could you look at qemu command line? If you use libvirt, you'll find it in /var/log/libvirt/qemu/VM_NAME.log
4) at the libvirt command file, is there '... -spice ...,x509-(dir|ca...|server),... ' entry?
5) if the x509 directive is x509-dir, does "qemu-kvm -spice tls-port=12345,x509-dir=DIR,disable-ticketing" command throw the same error?
(the same goes for per-file x509 options)
6) if it is indeed a problem, is it permission issue or are the files empty or are they invalid?
(...)
David
Jodi Curtis wrote on Mon, 12. 11. 2012 at 17:55 +0000:
> Hi
>
>
> I've used the directory correctly on qemu.conf, I've seen these
> problems relating to Red Hat/oVirt, where it wasn't set despite being
> set in qemu.conf, so I will probably file a bug report with Ubuntu on
> this one.
>
>
> The red-hat solution isn't valid for Ubuntu.
>
>
> Thanks
>
> On Mon, Nov 12, 2012 at 5:49 PM, David Jaša <djasa@xxxxxxxxxx> wrote:
> Jodi Curtis wrote on Mon, 12. 11. 2012 at 17:31 +0000:
> > Hi
> >
> >
> > Thanks, I found the method in the end, my current problem is related
> > to a problem with Ubuntu/SSL/Spice, so not really your software, I
> > have asked for help from a Linux admin, but it's detailed below for the
> > record, I've gone through the key making process twice, and rebooted,
> > obviously paths have been checked and qemu.conf has been set as
> > required
> >
> >
> > ((null):2176): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from server-cert.pem
> > ((null):2176): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file
> > ((null):2176): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file
>
>
> Assuming that your cert/key files are correct and in place, this looks
> like incorrect x509-dir option of qemu cli or spice_tls_x509_cert_dir
> directive of /etc/libvirt/qemu.conf pointing to a wrong directory. Just
> a configuration issue.
>
> David
>
> >
> >
> > There is very little obvious on the internet, so am trying to identify
> > if it's a common SSL or config problem, or if I should file a bug
> > report with Ubuntu kvm-spice
> >
> >
> > Jodi
> >
> >
> > On Mon, Nov 12, 2012 at 12:12 PM, David Jaša <djasa@xxxxxxxxxx> wrote:
> > Hi Jodi,
> >
> > You can find full tls-enabled remote-viewer invocation in this oVirt
> > wiki page:
> >
> > http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal
> >
> > David
> >
> >
> > Jodi Curtis wrote on Sun, 11. 11. 2012 at 23:28 +0000:
> > > Hi
> > >
> > >
> > > I'm having trouble connecting to a spice server with tls enabled
> > > through virt-viewer on windows, I have tls configured and a
> > > ca-cert.pem file, but I don't know where to put it, or what to use
> > >
> > >
> > > I have tried various combinations of spice://192.168.2.140:590x
> > >
> > >
> > > I have tried adding +ssh or +tls, I have tried adding the ca-cert.pem
> > > file to the location used by the spicec page that covers how to set up
> > > tls, and I have tried adding my username before the IP.
> > >
> > > I have tried connecting to both ports.
> > >
> > >
> > > Any help on what it should be, or if there is an alternative to
> > > virt-viewer on windows that I need to use for the secure connection.
> > >
> > >
> > > Thanks
> >
> > > _______________________________________________
> > > Spice-devel mailing list
> > > Spice-devel@xxxxxxxxxxxxxxxxxxxxx
> > > http://lists.freedesktop.org/mailman/listinfo/spice-devel
> >
> > --
> >
> > David Jaša, RHCE
> >
> > SPICE QE based in Brno
> > GPG Key: 22C33E24
> > Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
--
David Jaša, RHCE
SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
_______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/spice-devel
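
A check for question 6 above (permission issue, empty files, or invalid files), as an added example that is not part of the original thread. It assumes the three file names created in the Key Creation steps (ca-cert.pem, server-cert.pem, server-key.pem); the function name check_spice_x509_dir is made up for this example, and the optional user check assumes passwordless sudo.

```shell
#!/bin/sh
# Added example (not from the thread). Checks the three files SPICE loads from
# the directory given as x509-dir / spice_tls_x509_cert_dir.
# Usage: check_spice_x509_dir DIR [USER]   (USER, e.g. libvirt-qemu, needs sudo)
# Prints one line per finding and returns 0 only when every check passes.
check_spice_x509_dir() {
    dir=$1; user=${2:-}; bad=0
    fail() { echo "FAIL $*"; bad=1; }

    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }

    # Presence, size and readability (permission issue or empty files?).
    for f in ca-cert.pem server-cert.pem server-key.pem; do
        if [ ! -e "$dir/$f" ]; then fail "$f: missing"
        elif [ ! -s "$dir/$f" ]; then fail "$f: empty"
        elif [ -n "$user" ] && ! sudo -n -u "$user" test -r "$dir/$f"; then
            fail "$f: not readable by $user (check the parent directories too)"
        fi
    done
    [ "$bad" -eq 0 ] || return 1
    command -v openssl >/dev/null || { echo "FAIL openssl not installed"; return 1; }

    # Validity: each file must parse; the key must load without a passphrase.
    for f in ca-cert.pem server-cert.pem; do
        openssl x509 -in "$dir/$f" -noout 2>/dev/null ||
            fail "$f: not a valid PEM certificate"
    done
    openssl pkey -in "$dir/server-key.pem" -noout -passin pass: 2>/dev/null ||
        fail "server-key.pem: not a PEM key loadable without a passphrase"
    [ "$bad" -eq 0 ] || return 1

    # Consistency: key belongs to the certificate, certificate chains to the CA.
    cert_pub=$(openssl x509 -in "$dir/server-cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/server-key.pem" -pubout -passin pass:)
    [ "$cert_pub" = "$key_pub" ] ||
        fail "server-key.pem does not match server-cert.pem"
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" 2>/dev/null |
        grep -q ': OK$' || fail "server-cert.pem does not verify against ca-cert.pem"

    [ "$bad" -eq 0 ] && echo "OK $dir"
    return "$bad"
}

# Run directly:  sh check.sh /etc/pki/libvirt-spice libvirt-qemu
if [ "$#" -gt 0 ]; then check_spice_x509_dir "$@"; fi
```

Passing the account qemu runs as for the second argument tests readability through the whole path, which a chown of the directory and files alone does not guarantee.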