Re: [Users] Cannot connect to guest with spice console; SSL validate error

2012-09-27 Thread Jeff Mayes
You are probably right about it being a bad solution.  After as many hours
as I spent, my patience was a bit thin.

In any case, I allowed the engine-setup application to modify the iptables
on a new F17 install.

Jeff

-


On Thu, Sep 27, 2012 at 8:51 AM, Nicholas Kesick 
cybertimber2...@hotmail.com wrote:

  From: j...@mayesnetwork.com
  Date: Thu, 27 Sep 2012 08:24:53 -0700
  To: users@ovirt.org
  Subject: [Users] Cannot connect to guest with spice console; SSL
 validate error


  I did not see a solution for this issue, yet spent a couple of hours on
 it.  In my case, the following command cleared the issue for all VMs:

  iptables --flush

 That seems like a very bad solution. iptables --flush removes all of the
 firewall rules, leaving your VM unprotected.
 I'm curious to know which rule was blocking it though.


  After that, no more SSL errors and I could connect via Spice.

  Jeff

  -
  Jeff Mayes



 ___ Users mailing list
 Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

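On the question raised above of which rule was blocking the console: an added example, not part of the original thread, that compares two `iptables-save -c` snapshots taken before and after one failed connection attempt and prints the DROP/REJECT rules whose packet counters increased. The rule set, the counters and the function name `blocking_rules` are constructed for illustration.

```shell
#!/bin/sh
# Constructed `iptables-save -c` excerpts (rules and counters are made up).
BEFORE='[120:9000] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[3:180] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
[7:420] -A INPUT -j REJECT --reject-with icmp-host-prohibited'
AFTER='[150:11200] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[3:180] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[1:60] -A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
[9:540] -A INPUT -j REJECT --reject-with icmp-host-prohibited'

# $1 = snapshot before the attempt, $2 = snapshot after it.
# Prints "<new packets> <rule>" for every DROP/REJECT rule that was hit.
blocking_rules() {
    printf '%s\n' "$1" '@after' "$2" | awk '
        $0 == "@after" { after = 1; next }
        /^\[[0-9]+:[0-9]+\] / {
            split(substr($1, 2), c, ":")        # c[1] = packet counter
            rule = substr($0, length($1) + 2)   # rule text without the counters
            if (!after) { seen[rule] = c[1]; next }
            delta = c[1] - seen[rule]
            if (delta > 0 && rule ~ / -j (DROP|REJECT)( |$)/)
                print delta " " rule
        }'
}

# On a live host the snapshots would come from:
#   iptables-save -c > before.txt   (try the console)   iptables-save -c > after.txt
#   blocking_rules "$(cat before.txt)" "$(cat after.txt)"
blocking_rules "$BEFORE" "$AFTER"
```

A hit on a catch-all REJECT means no earlier ACCEPT matched the console traffic, so the remedy is one narrow ACCEPT for the port in use rather than an empty rule set.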


Re: [Users] Cannot connect to guest with spice console; SSL validate error

2012-08-09 Thread Karli Sjöberg

On 7 Aug 2012, at 16:23, Rami Vaknin wrote:

On 08/07/2012 05:10 PM, Karli Sjöberg wrote:
Hi,

It seems very difficult to get this working. I have a Fedora 17 client, 
installed spice-xpi and tried to access console from User Portal but console 
never shows up. engine.log prints:
2012-08-07 15:56:18,738 INFO  [org.ovirt.engine.core.bll.SetVmTicketCommand] 
(ajp--0.0.0.0-8009-13) [2a8bc3f4] Running command: SetVmTicketCommand internal: 
false. Entities affected :  ID: 2ad22641-7aeb-4d1b-999e-2c0563376641 Type: VM
2012-08-07 15:56:18,771 INFO  
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] 
(ajp--0.0.0.0-8009-13) [2a8bc3f4] START, SetVmTicketVDSCommand(vdsId = 
acfc94c0-d7e1-11e1-b35e-b38016c320bb, 
vmId=2ad22641-7aeb-4d1b-999e-2c0563376641, ticket=NvbcLbRR/7Vx, validTime=120,m 
userName=karli, userId=de526322-d046-4a06-911e-546e7159556e), log id: 3d61fa94
2012-08-07 15:56:18,816 INFO  
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] 
(ajp--0.0.0.0-8009-13) [2a8bc3f4] FINISH, SetVmTicketVDSCommand, log id: 
3d61fa94

From the F17 client with ovirt-shell installed from ovirt-3.1 repo:
$ console milli
(window briefly flashes and disappears again)
warning: could not fetch host certificate info cause used backend/sdk does not 
support it.
warning: host identity will not be validated.

And have also used spicec directly from F17 client:
# spicec -h cirrus2-1.slu.se -p 5900 -s 5901 -w v36BkUumraDG (The first ticket 
had by this time expired, so this is a new one)
(flashes)
Error: failed to connect w/SSL, ssl_error 
error:0001:lib(0):func(0):reason(1)
140059992839392:error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
Warning: SSL Error:
# spicec -h cirrus2-1.slu.se -p 5900 -w v36BkUumraDG
(flashes)
Warning: connect error 5 - need secured connection

I wrote a simple script that collects the parameters needed for spicec
in case of secure connection, I was using it on RHEL6, it probably will
be easy to convert it to Fedora if it does not already work OTB:

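#!/bin/bash

# Usage: ./spice_to_vm.sh host vm_name

# Used below as the SPICE ticket password (setVmTicket and spicec --password)
PASSWORD=root_password_to_the_host
# Ticket validity in seconds; not named SECONDS because bash treats that
# variable as a running timer
VALID_SECONDS=1200

ssh-copy-id root@$1 > /dev/null

# Look up the VM ID by name in the host's VM table
ID=`ssh root@$1 vdsClient -s 0 list table | awk '{print $1":"$3":"}' | grep ":$2:" | sed -e 's/\:.*//g'`
ssh root@$1 vdsClient -s 0 setVmTicket $ID $PASSWORD $VALID_SECONDS keep > /dev/null

PORT=`ssh root@$1 vdsClient -s 0 getVmStats $ID | grep displaySecurePort | awk '{print $3}'`
# Subject of the host certificate, passed to spicec --host-subject
SUBJECT=`ssh root@$1 openssl x509 -noout -text -in /etc/pki/vdsm/certs/vdsmcert.pem | grep Subject: | cut -f 10- -d " " | sed -e 's/\ //g'`

# CA certificate the client uses to verify the host certificate
scp root@$1:/etc/pki/vdsm/certs/cacert.pem /tmp/cacert.pem > /dev/null
COMMAND="sudo /usr/libexec/spicec --host-subject \"$SUBJECT\" --password $PASSWORD --secure-channels all -h $1 --secure-port $PORT --ca-file /tmp/cacert.pem"

echo $COMMAND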

Thank you so much, this helped me realize what the issue was. I had at first 
added the hosts to my engine with a black address on the storage network. But 
I changed the display network to the public network, so that you can connect 
to a console from anywhere. This made the certificate of the hosts invalid, as 
the --host-subject doesn't match the address that you connect to:

# spicec --host-subject O=slu,CN=cirrus2-2.sto.slu.se --password RFesfeuIGHhd 
-h cirrus2-2.slu.se -s 5903

So this means that changing your display network breaks SPICE consoles. Less 
than good, I would say.

I was able to solve this by removing the hosts from engine and adding them 
again, but with the public address instead, so now the connection address and 
host subject match. I logged in to the admin portal, clicked for console and 
voilà, console appears. BUT if I log in to the user portal with the same 
credentials and click for console on the same guest (or any other), a console 
screen briefly flashes and then disappears:( Bug.

/Karli
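
A pre-flight check for the mismatch described in the message above, as an added example that is not part of the original post: it extracts the CN from a host certificate subject and compares it with the address a client will connect to, using the subject and address quoted in the message. The function names are made up here, and `live_subject` assumes the SPICE secure port presents its certificate over plain TLS.

```shell
#!/bin/sh
# Extract the CN from a subject string. Accepts the forms
#   O=slu,CN=host                (as passed to spicec --host-subject)
#   subject= /O=slu/CN=host      (older openssl x509 -noout -subject)
#   subject=O = slu, CN = host   (newer openssl x509 -noout -subject)
subject_cn() {
    printf '%s\n' "$1" | sed -e 's/^subject= *//' | tr '/,' '\n\n' |
        sed -n -e 's/^ *CN *= *\(.*[^ ]\) *$/\1/p' | head -n 1
}

# $1 = address the client connects to, $2 = certificate subject.
# Succeeds only when the CN equals the address (case-insensitive).
cn_matches_host() {
    cn=$(subject_cn "$2" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ -n "$cn" ] && [ "$cn" = "$host" ]
}

# One report line per host, suitable for a loop over all hosts
# before the display network is changed.
check_display_address() {
    if cn_matches_host "$1" "$2"; then
        echo "OK $1"
    else
        echo "MISMATCH $1 (certificate CN: $(subject_cn "$2"))"
    fi
}

# Live use (not run here): subject presented on a host's secure port.
live_subject() {  # $1 = host, $2 = secure port
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -noout -subject
}

# Values quoted in the message: public address vs. storage-network certificate.
check_display_address cirrus2-2.slu.se "O=slu,CN=cirrus2-2.sto.slu.se"
```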



[Users] Cannot connect to guest with spice console; SSL validate error

2012-08-07 Thread Karli Sjöberg
Hi,

It seems very difficult to get this working. I have a Fedora 17 client, 
installed spice-xpi and tried to access console from User Portal but console 
never shows up. engine.log prints:
2012-08-07 15:56:18,738 INFO  [org.ovirt.engine.core.bll.SetVmTicketCommand] 
(ajp--0.0.0.0-8009-13) [2a8bc3f4] Running command: SetVmTicketCommand internal: 
false. Entities affected :  ID: 2ad22641-7aeb-4d1b-999e-2c0563376641 Type: VM
2012-08-07 15:56:18,771 INFO  
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] 
(ajp--0.0.0.0-8009-13) [2a8bc3f4] START, SetVmTicketVDSCommand(vdsId = 
acfc94c0-d7e1-11e1-b35e-b38016c320bb, 
vmId=2ad22641-7aeb-4d1b-999e-2c0563376641, ticket=NvbcLbRR/7Vx, validTime=120,m 
userName=karli, userId=de526322-d046-4a06-911e-546e7159556e), log id: 3d61fa94
2012-08-07 15:56:18,816 INFO  
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] 
(ajp--0.0.0.0-8009-13) [2a8bc3f4] FINISH, SetVmTicketVDSCommand, log id: 
3d61fa94

From the F17 client with ovirt-shell installed from ovirt-3.1 repo:
$ console milli
(window briefly flashes and disappears again)
warning: could not fetch host certificate info cause used backend/sdk does not 
support it.
warning: host identity will not be validated.

And have also used spicec directly from F17 client:
# spicec -h cirrus2-1.slu.se -p 5900 -s 5901 -w v36BkUumraDG (The first ticket 
had by this time expired, so this is a new one)
(flashes)
Error: failed to connect w/SSL, ssl_error 
error:0001:lib(0):func(0):reason(1)
140059992839392:error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
Warning: SSL Error:
# spicec -h cirrus2-1.slu.se -p 5900 -w v36BkUumraDG
(flashes)
Warning: connect error 5 - need secured connection

# rpm -qa | egrep '(ovirt|vdsm)'
ovirt-image-uploader-3.1.0-0.git9c42c8.fc17.noarch
vdsm-cli-4.10.0-5.fc17.noarch
ovirt-engine-config-3.1.0-1.fc17.noarch
ovirt-engine-userportal-3.1.0-1.fc17.noarch
vdsm-4.10.0-5.fc17.x86_64
ovirt-log-collector-3.1.0-0.git10d719.fc17.noarch
ovirt-engine-sdk-3.1.0.4-1.fc17.noarch
ovirt-engine-restapi-3.1.0-1.fc17.noarch
ovirt-engine-backend-3.1.0-1.fc17.noarch
ovirt-engine-3.1.0-1.fc17.noarch
ovirt-engine-webadmin-portal-3.1.0-1.fc17.noarch
ovirt-engine-notification-service-3.1.0-1.fc17.noarch
ovirt-engine-dbscripts-3.1.0-1.fc17.noarch
vdsm-python-4.10.0-5.fc17.x86_64
ovirt-engine-genericapi-3.1.0-1.fc17.noarch
ovirt-engine-tools-common-3.1.0-1.fc17.noarch
ovirt-engine-cli-3.1.0.6-1.fc17.noarch
vdsm-xmlrpc-4.10.0-5.fc17.noarch
vdsm-bootstrap-4.10.0-5.fc17.noarch
ovirt-iso-uploader-3.1.0-0.git1841d9.fc17.noarch
ovirt-engine-setup-3.1.0-1.fc17.noarch


The engine is installed with SSL as enabled by default, the hosts too. VDSM and 
libvirt are all active and validate fine towards the engine; have status UP 
and so on, but can't get SPICE console working. VNC works of course, but SPICE 
would be much cooler:) How do I get console working with SPICE?

Best Regards
Karli Sjöberg


Re: [Users] Cannot connect to guest with spice console; SSL validate error

2012-08-07 Thread Jacob Wyatt
I don't know if this is the same issue but for some reason my CA cert for spice 
was a blank file.  I copied another one from the vdsm directory (mostly 
guessing) and it worked.

cp /etc/pki/vdsm/certs/cacert.pem  /etc/pki/vdsm/libvirt-spice/ca-cert.pem


From: users-boun...@ovirt.org [users-boun...@ovirt.org] on behalf of Karli 
Sjöberg [karli.sjob...@slu.se]
Sent: Tuesday, August 07, 2012 10:10 AM
To: users@oVirt.org
Subject: [Users] Cannot connect to guest with spice console;SSL validate 
error
