On 10/05/2012 07:20 PM, Bret Palsson wrote:
Fixed. It was that each server had the wrong time.
ovirt-engine: was off by a day
ovirt-node: off by 12 hours
spicec: was 3 days behind.

Updated ntpd on all machines and everything works as expected. Nothing was 
wrong with the certs.

Good news: upstream should have a new warning on time sync issues for ovirt 3.2.


Thank you for your help!

-Bret

On Oct 5, 2012, at 8:19 AM, David Jaša <dj...@redhat.com> wrote:

On Fri 05. 10. 2012 at 15:56 +0200, Itamar Heim wrote:
On 10/05/2012 10:57 AM, Juan Hernandez wrote:
On 10/05/2012 10:26 AM, Bret Palsson wrote:
I can't seem to get this secure spice session to work. Any help is appreciated, 
already burnt 20 hours on this.

Spice versions:
spice-server-0.10.1
spice-client 0.12.0
spice-xpi 2.7

The certificates that you get from the server in both examples are
different. Copy the text between "-----BEGIN CERTIFICATE-----" and
"-----END CERTIFICATE-----" to a file "cert.pem" and then run the
following command to see what is inside:

openssl x509 -in cert.pem -noout -text

In both cases looks like the certificate fails to verify. I would
suggest to take that "cert.pem" file and the "ca.pem" file from the
engine (/etc/pki/ovirt-engine/ca.pem) and verify it like this:

openssl verify -CAfile ca.pem cert.pem

It should say:

ca.pem: OK

The message you get when you test with openssl is this:

Verify return code: 9 (certificate is not yet valid)

That probably means that you have some kind of date/time problem. Make
sure that all your machines (engine, nodes, clients) are correctly
synchronized.

If you still have problems please share the certificate that you get
when connecting with "openssl s_client" and the certificate of the CA
of the engine (/etc/pki/ovirt-engine/ca.pem).

spicec: I set the password to abcd using a bash script found on this mailing 
list, valid for 1200 seconds.
=============================================
# spicec --password abcd --secure-channels all -h 10.20.20.2 --secure-port 5902 
--ca-file cacert.pem
Error: failed to connect w/SSL, ssl_error 
error:00000001:lib(0):func(0):reason(1)
139833084392776:error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
Warning: SSL Error:
=============================================

spice-xpi: spice-xpi.log
=============================================
built and installed latest (which is great, has better debugging output):
2012-10-02 07:58:26,805 DEBUG nsPluginInstance::SetHostIP: 10.20.20.2
2012-10-02 07:58:26,806 DEBUG nsPluginInstance::SetPort: 5901
2012-10-02 07:58:26,806 DEBUG nsPluginInstance::SetTitle: Test:%d - Press 
SHIFT+F12 to Release Cursor
2012-10-02 07:58:26,807 DEBUG nsPluginInstance::SetDynamicMenu:
2012-10-02 07:58:26,807 DEBUG nsPluginInstance::SetFullScreen: 0
2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetPassword: Password set
2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetNumberOfMonitors: 1
2012-10-02 07:58:26,808 DEBUG nsPluginInstance::SetUsbListenPort: 0
2012-10-02 07:58:26,809 DEBUG nsPluginInstance::SetAdminConsole: 1
2012-10-02 07:58:26,809 DEBUG nsPluginInstance::SetSecurePort: 5902
2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetSSLChannels: original 
channels: smain,sinputs,scursor,splayback,srecord,sdisplay
2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetSSLChannels: modified 
channels: main,inputs,cursor,playback,record,display
2012-10-02 07:58:26,810 DEBUG nsPluginInstance::SetGuestHostName: Test
2012-10-02 07:58:26,811 DEBUG nsPluginInstance::SetCipherSuite: DEFAULT
2012-10-02 07:58:26,811 DEBUG nsPluginInstance::SetHostSubject: O=Best 
Company,CN=10.20.20.2
2012-10-02 07:58:26,812 DEBUG nsPluginInstance::SetTrustStore: Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Best Company, CN=CA-ovirt-engine.example.com.28202
        Validity
            Not Before: Sep  6 21:49:14 2012
            Not After : Sep  6 03:49:15 2022 GMT
        Subject: C=US, O=Best Company, CN=CA-ovirt-engine.example.com.28202
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:bc:70:bd:bc:a0:07:7a:99:5e:84:c6:91:70:30:
                    3e:f0:2a:c9:96:cb:ac:d5:f4:e7:a4:8d:85:c2:2d:
                    39:12:fa:2f:3f:3c:bf:bb:ed:90:31:28:ae:38:49:
                    68:e2:4a:ca:89:21:4c:1c:b5:72:ca:e5:c7:3d:d8:
                    64:95:22:98:45:67:50:43:dd:8e:cb:9e:39:d4:9b:
                    11:16:71:e1:d9:81:1e:4d:1c:2c:9c:6d:7c:d1:43:
                    a1:af:4a:83:77:e8:ad:0d:92:cb:fa:45:b8:d3:b6:
                    50:99:3e:4e:a7:91:30:57:ce:a7:5b:62:95:7f:9b:
                    fd:26:05:a9:e0:8e:45:2b:e3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                87:93:27:08:E5:4D:2B:CE:EC:55:2C:E6:C4:C0:EE:32:0C:87:22:BF
            Authority Information Access:
                CA Issuers - URI:http://ovirt-engine.example.com:80/ca.crt

            X509v3 Authority Key Identifier:
                keyid:87:93:27:08:E5:4D:2B:CE:EC:55:2C:E6:C4:C0:EE:32:0C:87:22:BF
                DirName:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
                serial:01

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    Signature Algorithm: sha1WithRSAEncryption
        a1:a9:17:91:ba:6e:0d:15:ce:28:e0:b8:7f:3c:5e:ba:6e:8d:
        31:91:bf:99:0c:74:5f:95:86:e6:90:fd:3c:13:3a:64:9e:40:
        f7:4f:e0:45:b8:8e:27:b3:23:d4:75:bb:be:5f:73:4f:48:e4:
        8c:6d:11:eb:76:70:81:c7:a5:8a:35:0b:ef:a5:cf:3d:ae:fd:
        1f:94:b7:e4:c3:4c:7f:fb:5b:09:eb:e8:b1:35:3c:b8:ba:e8:
        b7:d0:5f:8a:98:b5:9a:6c:24:53:2a:49:61:0e:7c:5e:b3:d2:
        d4:c3:dd:ca:b9:57:a3:f0:e4:9c:d6:3d:43:40:9d:dd:ff:cd:
        94:be
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

2012-10-02 07:58:26,813 DEBUG nsPluginInstance::SetHotKeys: 
release-cursor=shift+f12,toggle-fullscreen=shift+f11
2012-10-02 07:58:26,813 DEBUG nsPluginInstance::SetNoTaskMgrExecution: 0
2012-10-02 07:58:26,813 DEBUG nsPluginInstance::SetSendCtrlAltDelete: 0
2012-10-02 07:58:26,814 DEBUG nsPluginInstance::SetUsbAutoShare: 1
2012-10-02 07:58:26,815 DEBUG nsPluginInstance::SetUsbFilter: -1,-1,-1,-1,0
2012-10-02 07:58:26,816 INFO  nsPluginInstance::Connect: SPICE_XPI_SOCKET: 
/tmp/spicec-8ym5mJ/spice-xpi
2012-10-02 07:58:26,816 INFO  nsPluginInstance::Connect: 
SPICE_FOREIGN_MENU_SOCKET: /tmp/spicec-8ym5mJ/spice-foreign
2012-10-02 07:58:26,816 DEBUG nsPluginInstance::Connect: Controller pid: 50483
2012-10-02 07:58:26,816 DEBUG QErrorHandler: Something went wrong: connect 
error, 2
2012-10-02 07:58:26,817 DEBUG SpiceController::Connect: Connect Error
2012-10-02 07:58:26,817 INFO  nsPluginInstance::Connect: Launching 
/usr/libexec/spice-xpi-client
2012-10-02 07:58:26,817 DEBUG QErrorHandler: Something went wrong: connect 
error, 2
2012-10-02 07:58:26,817 DEBUG SpiceController::Connect: Connect Error
2012-10-02 07:58:27,818 DEBUG SpiceController::Connect: Connected!
2012-10-02 07:58:29,821 INFO  nsPluginInstance::Connect: Initiating connection 
with controller
2012-10-02 07:59:05,999 DEBUG nsPluginInstance::ControllerWaitHelper: 
Controller finished, pid: 50483, exit code: 0
2012-10-02 07:59:05,999 ERROR nsPluginInstance::CallOnDisconnected: could not 
get browser window, when trying to call OnDisconnected

=============================================



Openssl test:
=============================================
[root@centos6 ~]# openssl s_client -connect 10.20.20.2:5902 -CAfile cacert.pem
CONNECTED(00000003)
depth=1 C = US, O = Best Company, CN = CA-ovirt-engine.example.com.28202
verify return:1
depth=0 O = Best Company, CN = 10.20.20.2
verify error:num=9:certificate is not yet valid
notBefore=Oct  4 01:40:57 2012
verify return:1
depth=0 O = Best Company, CN = 10.20.20.2
notBefore=Oct  4 01:40:57 2012
verify return:1
---
Certificate chain
0 s:/O=Best Company/CN=10.20.20.2
   i:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
1 s:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
   i:/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/O=Best Company/CN=10.20.20.2
issuer=/C=US/O=Best Company/CN=CA-ovirt-engine.example.com.28202
---
No client certificate CA names sent
---
SSL handshake has read 1884 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 9747FACA4B5CC4542E050F4B8534E1B71234BC5F99F3221D284BC53D0A5CB746
    Session-ID-ctx:
    Master-Key: 7A579DA9F75E76C63F3FDFCB5BBE42EE28AEF5211C5AC5ECAE8679166C98FBB5AD00BFC4B8AC5D7E214A3B0069CF50E7
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    0000 - ae f2 91 79 e4 94 85 a2-02 60 aa 91 54 a5 3f 13   ...y.....`..T.?.
    0010 - 90 b4 78 20 27 5a 52 61-78 a1 4d db 73 25 c0 f8   ..x 'ZRax.M.s%..
    0020 - 65 7f 43 76 72 35 08 96-0d 32 c4 72 eb ae c4 a9   e.Cvr5...2.r....
    0030 - 83 78 7f 48 8c c6 a9 38-78 ea 90 60 52 62 0e 4d   .x.H...8x..`Rb.M
    0040 - 7c 3e 41 62 63 2d 27 b3-bc ba bb b7 87 ac 12 df   |>Abc-'.........
    0050 - 04 61 3d c8 8f cd 14 e4-51 bf 74 66 2c a0 a6 70   .a=.....Q.tf,..p
    0060 - 3e d2 5f 4c 63 10 80 83-18 d7 4e 08 e0 5b c5 5a   >._Lc.....N..[.Z
    0070 - 75 94 27 de 1e 8e 61 e9-64 af 52 eb 1e 98 00 e2   u.'...a.d.R.....
    0080 - 4f 80 8c 1f ec 40 b7 25-7b 72 a3 1a 99 8a 6a ca   O....@.%{r....j.
    0090 - 90 80 f9 1e 5f 99 96 0a-3e bb 4f b6 86 d1 49 0c   ...._...>.O...I.

    Start Time: 1349186957
    Timeout   : 300 (sec)
    Verify return code: 9 (certificate is not yet valid)
---

=============================================


_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users




also note that the host certificate is based on the hostname in the
engine, so you must give the spice client the host name to validate it with.

that is not an issue in this case because Bret specified the host the same way
as it is in the CN of the server cert.

Bret, one more thing: did you try to put the host in maintenance mode
and then click "Reinstall" in the host Action Items in webadmin? That
way, server certificates should get regenerated and SSL should Just
Work.

David




--

David Jaša, RHCE

SPICE QE based in Brno
GPG Key:     22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24






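The diagnosis in this thread (verify return code 9, "certificate is not yet valid", caused by client and server clocks being hours to days apart) can be automated from the text that `openssl s_client -CAfile ...` prints. The script below is an added example and is not part of the thread or of oVirt/SPICE; it reads the `Verify return code`, the `notBefore`/`notAfter` lines that s_client emits on time errors, and the session `Start Time` (the client's own clock as a Unix timestamp) and reports whether the failure is a clock problem or a trust-chain problem, and by how much the clock is off. `SAMPLE_OUTPUT` is trimmed from the s_client run posted above; the short "OK" sample is constructed for contrast. The error-code constants are OpenSSL's X509_V_ERR_* values.

```python
"""Classify an `openssl s_client` verify failure and measure the clock skew behind it.

Added example, not code from the oVirt thread. Parses s_client output only;
it does not talk to the network.
"""
import re
from datetime import datetime, timezone

# Verify result codes from OpenSSL's x509_vfy.h.
X509_V_OK = 0
X509_V_ERR_CERT_NOT_YET_VALID = 9
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20
TRUST_ERRORS = {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
                X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
                X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY}

# Trimmed from the thread's `openssl s_client -connect 10.20.20.2:5902 -CAfile cacert.pem`.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=1 C = US, O = Best Company, CN = CA-ovirt-engine.example.com.28202
verify return:1
depth=0 O = Best Company, CN = 10.20.20.2
verify error:num=9:certificate is not yet valid
notBefore=Oct  4 01:40:57 2012
verify return:1
---
SSL-Session:
    Protocol  : TLSv1
    Start Time: 1349186957
    Timeout   : 300 (sec)
    Verify return code: 9 (certificate is not yet valid)
---
"""


def parse_asn1_time(text):
    """Parse the ASN.1 time s_client prints, e.g. 'Oct  4 01:40:57 2012' (UTC, zone optional)."""
    fields = text.replace("GMT", "").split()
    naive = datetime.strptime(" ".join(fields), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def _first(pattern, text):
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1) if m else None


def diagnose(output, now=None):
    """Return a dict with the verify code, the client clock used, the skew in seconds
    (positive = client clock behind notBefore / past notAfter) and a one-line verdict."""
    code_text = _first(r"^\s*Verify return code: (\d+)", output)
    code = int(code_text) if code_text is not None else None
    start = _first(r"^\s*Start Time: (\d+)", output)
    if now is not None:
        clock = now
    elif start is not None:
        clock = datetime.fromtimestamp(int(start), timezone.utc)  # the client's clock at handshake time
    else:
        clock = datetime.now(timezone.utc)
    not_before = _first(r"^notBefore=(.+)$", output)
    not_after = _first(r"^notAfter=(.+)$", output)

    result = {"code": code, "client_clock": clock, "skew_seconds": None}
    if code is None:
        result["verdict"] = "no 'Verify return code' line found; is this s_client output?"
    elif code == X509_V_OK:
        result["verdict"] = "OK: chain verifies against the supplied CA file"
    elif code == X509_V_ERR_CERT_NOT_YET_VALID and not_before:
        skew = int((parse_asn1_time(not_before) - clock).total_seconds())
        result["skew_seconds"] = skew
        result["verdict"] = ("not yet valid: client clock is %d s (%.1f h) before the cert's notBefore; "
                             "fix time sync (ntpd) on engine, nodes and clients before touching certs"
                             % (skew, skew / 3600.0))
    elif code == X509_V_ERR_CERT_HAS_EXPIRED and not_after:
        skew = int((clock - parse_asn1_time(not_after)).total_seconds())
        result["skew_seconds"] = skew
        result["verdict"] = ("expired: client clock is %d s past the cert's notAfter; "
                             "check the clock first, then renew the cert" % skew)
    elif code in TRUST_ERRORS:
        result["verdict"] = ("trust problem (code %d): the issuer is not in -CAfile; "
                             "this is not a clock issue, compare against /etc/pki/ovirt-engine/ca.pem" % code)
    else:
        result["verdict"] = "verify error %d: see `openssl verify -help` / x509_vfy.h" % code
    return result


if __name__ == "__main__":
    r = diagnose(SAMPLE_OUTPUT)
    print("client clock:", r["client_clock"].isoformat())
    print(r["verdict"])
```

Run on the thread's own output, the client clock (Start Time 1349186957, i.e. 2012-10-02 14:09:17 UTC) is 127900 seconds, about 35.5 hours, before the server certificate's notBefore of Oct 4 01:40:57, which is the clock-skew symptom Bret fixed with ntpd. Feed it the output of a run against a CA file that lacks the engine CA and it reports a trust problem instead, so the two failure modes are not confused. Pipe real output in with `openssl s_client -connect host:5902 -CAfile ca.pem </dev/null 2>&1 | python3 diag.py` after replacing `SAMPLE_OUTPUT` with `sys.stdin.read()`.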
