@Itamar - this is a recurring problem, what about creating a wiki page for it?

@Artem:

Artem wrote on Mon 06. 08. 2012 at 01:30 +0400:
> yes engine and kvm(qemu-kvm) installed on same machine (vm-srv)
>
> i change host-subject but..
>
> # spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL,
> CN=vm-srv" --secure-channels=all

1) your command line is missing '--ca-file $CA_FILE' altogether
2) you don't mention password
3) you shouldn't need to specify host subject at all because your host (-h)
   matches name of server in CN field of host subject. If you override it
   anyway, strip white spaces after commas in it:
   --host-subject='C=US,O=ICL,CN=vm-srv'
4) you could omit -p and --secure-channels altogether in order to achieve
   tls-only connection, but you can hit
   https://bugzilla.redhat.com/show_bug.cgi?id=723582 then

So you should do (out of my head, may contain typos):

get CA:
  * on engine, it is found here:
    CA_FILE=/etc/pki/ovirt-engine/ca.pem
  * on host, it's here:
    CA_FILE=/etc/pki/vdsm/libvirt-spice/ca-cert.pem
  * on any other host, get it from engine web interface:
    wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt

on the host, get UUID of the VM (capture the non-blank token after -uuid
and drop the grep process itself from the ps listing):
  $ VM_UUID="$(ps -ef | grep "${VM_NAME}" | grep -v grep | sed -e 's/^.*-uuid[ \t]\+\([^ \t]\+\)[ \t].*$/\1/')"

as root on the host, set ticket (password and its period of validity):
  # vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD} ${VALIDITY_SECONDS}
  (doing it via REST API is cleaner but more cumbersome for me)

if the hostname you're connecting does not match what is in CN field of
Subject of the server cert, get the subject without spaces after commas on
the host (the trailing g makes sed strip the space after every comma, not
just the first one):
  $ grep Subject: ${SERVER_CERT_FILE} | sed -e 's/^.*Subject:[ \t]*\(.*\)$/\1/;s/,[ \t]*/,/g'

connect to the spice-server:
  $ spicec --ca-file ${CA_FILE} -w ${PASSWORD} -h vm-srv -s ${SECURE_PORT}

OR, with newer, shinier and overall better client :)
  # yum install virt-viewer
  $ remote-viewer --spice-ca-file /etc/pki/ovirt-engine/ca.pem spice://vm-srv/?tls-port=${SECURE_PORT}
  (you'll have to provide the password through the pop-up dialog)

if you need to provide host subject (host name/IP not matching the one from
server cert Subject):
  $ spicec --host-subject ${HOST_SUBJECT} [...]
  OR
  $ remote-viewer --spice-host-subject ${HOST_SUBJECT} [...]

David

> Error: subject mismatch: #entries cert=2, input=3
> Error: failed to connect w/SSL, ssl_error
> error:00000001:lib(0):func(0):reason(1)
> 3079539240:error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed:s3_clnt.c:1063:
> Warning: SSL Error:
>
>
> 2012/8/6 Itamar Heim <ih...@redhat.com>:
> > On 08/06/2012 12:07 AM, Artem wrote:
> >>
> >> hmm... not sure if understood correctly...
> >>
> >> vm-srv this KVM host.. (server) and I connect from another machine to vm
> >> on kvm.
> >
> >
> > did you install the engine and kvm host on same machine?
> >
> >
> >>
> >> this subject name i get in .spicec/spice_truststore.pem
> >
> >
> > yes, spice trusts the CA, but client needs to validate the target host
> > certificate.
> > (if you run engine and host on same machine, try:
> > "C=US, O=ICL, CN=vm-srv"
> > (assuming you added the host with hostname of vm-srv to engine. if you added
> > it with fqdn or ip, use them under last CN)
> >
> >
> >>
> >> //////////////////////////////////
> >> # cat .spicec/spice_truststore.pem
> >> Certificate:
> >>     Data:
> >>         Version: 3 (0x2)
> >>         Serial Number: 1 (0x1)
> >>         Signature Algorithm: sha1WithRSAEncryption
> >>         Issuer: C=US, O=ICL, CN=CA-vm-srv.15064
> >>         Validity
> >>             Not Before: Jul 28 03:42:06 2012
> >>             Not After : Jul 26 23:42:07 2022 GMT
> >>         Subject: C=US, O=ICL, CN=CA-vm-srv.15064
> >>         Subject Public Key Info:
> >>             Public Key Algorithm: rsaEncryption
> >>                 Public-Key: (2048 bit)
> >>                 Modulus:
> >> ///////////////////////////////////////////
> >>
> >> 2012/8/6 Itamar Heim <ih...@redhat.com>:
> >>>
> >>> this looks like the subject name of the CA, not the host running the
> >>> virtual
> >>> machine?
> >
> >
> > _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users

--
David Jaša, RHCE

SPICE QE based in Brno
GPG Key:     22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
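As an added example (not code from the thread or from the SPICE/oVirt projects), a small POSIX sh helper that does what David's sed one-liner does and a bit more: it normalises a certificate Subject line into the comma-separated form spicec and remote-viewer compare against, reports whether the host you connect to already matches the CN (in which case --host-subject is unnecessary), and assembles the TLS-only remote-viewer command. The function names and the constructed Subject line are my own.

```sh
#!/bin/sh
# Input for normalize_subject is the "Subject:" line as printed by
# `openssl x509 -text -noout -in "$SERVER_CERT_FILE"` (or David's grep).

# Drop the "Subject:" prefix and every run of whitespace after a comma, so
# "C=US, O=ICL, CN=vm-srv" becomes "C=US,O=ICL,CN=vm-srv". Without the /g
# only the first comma would be fixed and the client would still see a
# mismatch against the certificate's entries.
normalize_subject() {
    printf '%s\n' "$1" | sed -e 's/^.*Subject:[[:space:]]*//' \
                             -e 's/,[[:space:]]*/,/g'
}

# Print the CN component of a normalised subject (empty if there is none).
subject_cn() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Succeed (exit 0) when the host given to -h / spice:// differs from the
# certificate CN, i.e. when --host-subject has to be passed explicitly;
# fail (exit 1) when the client's default hostname check already suffices.
need_host_subject() {
    nh_host=$1
    nh_cn=$(subject_cn "$(normalize_subject "$2")")
    [ "$nh_host" != "$nh_cn" ]
}

# Build the TLS-only remote-viewer command line recommended in the thread,
# adding --spice-host-subject only when the host does not match the CN.
# Arguments: CA file, host, TLS port, raw "Subject:" line.
build_viewer_cmd() {
    ca_file=$1; host=$2; tls_port=$3; subject_line=$4
    cmd="remote-viewer --spice-ca-file $ca_file"
    if need_host_subject "$host" "$subject_line"; then
        cmd="$cmd --spice-host-subject $(normalize_subject "$subject_line")"
    fi
    printf '%s\n' "$cmd spice://$host/?tls-port=$tls_port"
}

# Constructed sample matching the thread: the VM host's cert CN is vm-srv.
SAMPLE_SUBJECT='        Subject: C=US, O=ICL, CN=vm-srv'
build_viewer_cmd /etc/pki/ovirt-engine/ca.pem vm-srv 5901 "$SAMPLE_SUBJECT"
build_viewer_cmd /etc/pki/ovirt-engine/ca.pem 192.0.2.10 5901 "$SAMPLE_SUBJECT"
```

The second call shows the case from the thread where the connection target (here a constructed IP) is not what the certificate carries in its CN, so the normalised subject is passed through.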