[Users] [vdsm] SPICE SSL Woes

2012-10-05 Thread Bret Palsson
I can't seem to get this secure spice session to work. Any help is appreciated, 
already burnt 20 hours on this.

Spice versions:
spice-server-0.10.1
spice-client 0.12.0
spice-xpi 2.7


spicec: I set the password to abcd using a bash script found on this mailing 
list, valid for 1200 seconds.
=
# spicec --password abcd --secure-channels all -h 10.20.20.2 --secure-port 5902 --ca-file cacert.pem
Error: failed to connect w/SSL, ssl_error error:0001:lib(0):func(0):reason(1)
139833084392776:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
Warning: SSL Error:
=

spice-xpi: spice-xpi.log
=
built and installed latest (which is great, has better debugging output):
2012-10-02 07:58:26,805 DEBUG nsPluginInstance::SetHostIP: 10.20.20.2
2012-10-02 07:58:26,806 DEBUG nsPluginInstance::SetPort: 5901
2012-10-02 07:58:26,806 DEBUG nsPluginInstance::SetTitle: Test:%d - Press SHIFT+F12 to Release Cursor
2012-10-02 07:58:26,807 DEBUG nsPluginInstance::SetDynamicMenu:
2012-10-02 07:58:26,807 DEBUG nsPluginInstance::SetFullScreen: 0
2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetPassword: Password set
2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetNumberOfMonitors: 1
2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetUsbListenPort: 0
2012-10-02 07:58:26,809 DEBUG nsPluginInstance::SetAdminConsole: 1
2012-10-02 07:58:26,809 DEBUG nsPluginInstance::SetSecurePort: 5902
2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetSSLChannels: original channels: smain,sinputs,scursor,splayback,srecord,sdisplay
2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetSSLChannels: modified channels: main,inputs,cursor,playback,record,display
2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetGuestHostName: Test
2012-10-02 07:58:26,811 DEBUG nsPluginInstance::SetCipherSuite: DEFAULT
2012-10-02 07:58:26,811 DEBUG nsPluginInstance::SetHostSubject: O=Best Company,CN=10.20.20.2
2012-10-02 07:58:26,812 DEBUG nsPluginInstance::SetTrustStore: Certificate:
   Data:
   Version: 3 (0x2)
   Serial Number: 1 (0x1)
   Signature Algorithm: sha1WithRSAEncryption
   Issuer: C=US, O=Best Company, CN=CA-ovirt-engine.example.com.28202
   Validity
   Not Before: Sep  6 21:49:14 2012
   Not After : Sep  6 03:49:15 2022 GMT
   Subject: C=US, O=Best Company, CN=CA-ovirt-engine.example.com.28202
   Subject Public Key Info:
   Public Key Algorithm: rsaEncryption
   Public-Key: (1024 bit)
   Exponent: 65537 (0x10001)
   X509v3 extensions:
   X509v3 Subject Key Identifier: 
   87:93:27:08:E5:4D:2B:CE:EC:55:2C:E6:C4:C0:EE:32:0C:87:22:BF
   Authority Information Access: 
   CA Issuers - URI:http://ovirt-engine.example.com:80/ca.crt

   X509v3 Authority Key Identifier: 
   keyid:87:93:27:08:E5:4D:2B:CE:EC:55:2C:E6:C4:C0:EE:32:0C:87:22:BF
   DirName:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
   serial:01

   X509v3 Basic Constraints: critical
   CA:TRUE
   X509v3 Key Usage: critical
   Certificate Sign, CRL Sign
   Signature Algorithm: sha1WithRSAEncryption
-----BEGIN CERTIFICATE-----

Re: [Users] [vdsm] SPICE SSL Woes

2012-10-05 Thread Juan Hernandez
On 10/05/2012 10:26 AM, Bret Palsson wrote:
 I can't seem to get this secure spice session to work. Any help is 
 appreciated, already burnt 20 hours on this.
 
 Spice versions:
 spice-server-0.10.1
 spice-client 0.12.0
 spice-xpi 2.7

The certificates that you get from the server in both examples are
different. Copy the text between -----BEGIN CERTIFICATE----- and
-----END CERTIFICATE----- to a file cert.pem and then run the
following command to see what is inside:

openssl x509 -in cert.pem -noout -text

In both cases it looks like the certificate fails to verify. I would
suggest taking that cert.pem file and the ca.pem file from the
engine (/etc/pki/ovirt-engine/ca.pem) and verify it like this:

openssl verify -CAfile ca.pem cert.pem

It should say:

ca.pem: OK

The message you get when you test with openssl is this:

Verify return code: 9 (certificate is not yet valid)

That probably means that you have some kind of date/time problem. Make
sure that all your machines (engine, nodes, clients) are correctly
synchronized.

If you still have problems please share the certificate that you get
when connecting with openssl s_client and the certificate of the CA
of the engine (/etc/pki/ovirt-engine/ca.pem).


Re: [Users] [vdsm] SPICE SSL Woes

2012-10-05 Thread Itamar Heim

On 10/05/2012 10:57 AM, Juan Hernandez wrote:


Re: [Users] [vdsm] SPICE SSL Woes

2012-10-05 Thread Itamar Heim

On 10/05/2012 07:20 PM, Bret Palsson wrote:

Fixed. It was that each server had the wrong time.
ovirt-engine: was off by a day
ovirt-node: off by 12 hours
spicec: was 3 days behind.

Updated ntpd on all machines and everything works as expected. Nothing was 
wrong with the certs.


Good news is upstream should have a new warning on time sync issues for 
ovirt 3.2.




Thank you for your help!

-Bret

On Oct 5, 2012, at 8:19 AM, David Jaša dj...@redhat.com wrote:


Itamar Heim wrote on Fri, 05. 10. 2012 at 15:56 +0200:

On 10/05/2012 10:57 AM, Juan Hernandez wrote:

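
Added example, not part of the thread and not oVirt or SPICE code: a small model of the failure resolved above, showing how each machine's clock decides whether a certificate's validity window yields verify code 9. The certificate dates, the true time and the direction of the engine and node offsets are constructed assumptions (the thread gives only their size); the input format is that of `openssl x509 -noout -dates`.

```python
import ssl
from datetime import datetime, timedelta, timezone

# OpenSSL verify result codes for the validity-window checks
X509_V_OK = 0
X509_V_ERR_CERT_NOT_YET_VALID = 9   # "certificate is not yet valid"
X509_V_ERR_CERT_HAS_EXPIRED = 10    # "certificate has expired"

def parse_dates(dates_output):
    """Parse `openssl x509 -noout -dates` output into UTC datetimes."""
    fields = dict(line.split("=", 1) for line in dates_output.strip().splitlines())
    def to_utc(text):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), timezone.utc)
    return to_utc(fields["notBefore"]), to_utc(fields["notAfter"])

def verify_time(not_before, not_after, verifier_clock):
    """Return the code a verifier reports for its own idea of 'now'."""
    if verifier_clock < not_before:
        return X509_V_ERR_CERT_NOT_YET_VALID
    if verifier_clock > not_after:
        return X509_V_ERR_CERT_HAS_EXPIRED
    return X509_V_OK

def audit(dates_output, true_now, clock_offsets):
    """Map host -> (verify code, seconds its clock must advance to reach notBefore)."""
    not_before, not_after = parse_dates(dates_output)
    report = {}
    for host, offset in clock_offsets.items():
        host_clock = true_now + offset
        wait = max(0, int((not_before - host_clock).total_seconds()))
        report[host] = (verify_time(not_before, not_after, host_clock), wait)
    return report

# Constructed sample: a certificate stamped by an engine whose clock runs one
# day behind, issued one hour before TRUE_NOW (all values are assumptions).
SAMPLE_DATES = """notBefore=Oct  4 07:00:00 2012 GMT
notAfter=Oct  3 07:00:00 2017 GMT
"""
TRUE_NOW = datetime(2012, 10, 5, 8, 0, 0, tzinfo=timezone.utc)
SKEWED = {
    "ovirt-engine": timedelta(days=-1),   # "off by a day" (direction assumed)
    "ovirt-node": timedelta(hours=-12),   # "off by 12 hours" (direction assumed)
    "spicec": timedelta(days=-3),         # "3 days behind"
}
SYNCED = dict.fromkeys(SKEWED, timedelta(0))  # after ntpd is fixed everywhere

if __name__ == "__main__":
    for label, offsets in (("skewed", SKEWED), ("synced", SYNCED)):
        for host, (code, wait) in audit(SAMPLE_DATES, TRUE_NOW, offsets).items():
            print(f"{label:7} {host:13} verify code {code}, {wait}s until valid")
```

Only the client whose clock lags behind the issuer's stamp fails, and it fails without anything being wrong in the certificate chain itself.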