TLS fails to work with Spice due to apparmor.d needing /etc/pki/libvirt-spice** r, adding manually

Asked by neonkandi

Hi, after going through a common procedure to create a self-signed certificate, using the default directory, the VM log reports that it cannot load the certificates.

((null):2176): Spice-Warning **: reds.c:3307:reds_init_ssl: Could not load certificates from /etc/pki/libvirt-spice/server-cert.pem
((null):2176): Spice-Warning **: reds.c:3317:reds_init_ssl: Could not use private key file
((null):2176): Spice-Warning **: reds.c:3325:reds_init_ssl: Could not use CA file /etc/pki/libvirt-spice/ca-cert.pem

TLS is enabled, and the path used is the default /etc/pki/libvirt-spice path, with both the path specified uncommented and commented out and left as default.

Key creation was as follows:

openssl genrsa -des3 -out ca-key.pem 1024
openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -utf8 -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
openssl genrsa -out server-key.pem 1024
openssl req -new -key server-key.pem -out server-key.csr -utf8 -subj "/C=IL/L=Raanana/O=Red Hat/CN=my server"
openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
openssl rsa -in server-key.pem -out server-key.pem.insecure
mv server-key.pem server-key.pem.secure
mv server-key.pem.insecure server-key.pem

Location permissions and file were set with libvirt-qemu as the owner.

The solution appears to be due to path access protection.

The path needs to be added in apparmor like it is pre-added for the /etc/pki/libvirt-vnc directory (if you use the default directory)

I added the path /etc/pki/libvirt-spice** r, within apparmor.d to resolve the issue, if I recall correctly (this is the default path).

As this is already added for /etc/pki/libvirt-vnc, it might be good to have it set alongside the install of the package, to enable TLS to work with minimum configuration.

I added this directly after the /etc/pki/libvirt-vnc entry. If you use a custom path, then you would have to add this manually, as part of the user guide for setting up spice+tls on Ubuntu 12.10.

If possible, the comments by me can really be deleted for clarity.

Ubuntu 12.10

qemu-kvm-spice:
  Installed: 1.2.0-2012.09-0ubuntu1
  Candidate: 1.2.0-2012.09-0ubuntu1
  Version table:
 *** 1.2.0-2012.09-0ubuntu1 0
        500 http://gb.archive.ubuntu.com/ubuntu/ quantal/universe amd64 Packages
        100 /var/lib/dpkg/status

Question information

Language: English
Status: Solved
For: Ubuntu qemu-kvm-spice
Assignee: No assignee
Solved by: neonkandi

neonkandi (jodi-curtis) said :
#2

Hi, just to close this topic

the path needs to be added in apparmor like it is pre-added for the /var/lib/libvirt-vnc directory (if you use the default directory)

I added the path /var/pki/libvirt-spice** r, within apparmor.d to resolve the issue (this is the default path)

As this is already added for /var/pki/libvirt-vnc, it might be good to have it set alongside the install of the package, to enable TLS to work with minimum configuration.

neonkandi (jodi-curtis) said :
#4

Sorry, this should read /etc/pki/libvirt-vnc** r, and /etc/pki/libvirt-spice** r, if I recall correctly (excuse: lack of sleep).
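Added as a worked example, not code from the question or from the qemu-kvm-spice package: a small POSIX shell check that reads kernel audit records for AppArmor denials under the Spice certificate directory, prints the rule in the same form as the existing libvirt-vnc entry, and verifies the certificate chain with openssl so a genuine certificate error is not blamed on confinement. The audit lines are constructed, the profile name and uid values are placeholders, and the file the vnc rule lives in (abstractions/libvirt-qemu) is an assumption since the post only says "apparmor.d".

```shell
#!/bin/sh
# Added example, not part of the original question: distinguish an AppArmor
# denial from a plain permission problem when Spice cannot load its TLS files.

# Constructed sample of kernel audit records (real ones come from dmesg or
# /var/log/syslog). Profile name and uid values are placeholders.
SAMPLE_LOG='audit: type=1400 audit(1356000000.100:42): apparmor="DENIED" operation="open" profile="libvirt-UUID-PLACEHOLDER" name="/etc/pki/libvirt-spice/server-cert.pem" pid=2176 comm="kvm" requested_mask="r" denied_mask="r" fsuid=107 ouid=107
audit: type=1400 audit(1356000000.101:43): apparmor="STATUS" operation="profile_replace" name="libvirt-UUID-PLACEHOLDER"
audit: type=1400 audit(1356000000.102:44): apparmor="DENIED" operation="open" profile="libvirt-UUID-PLACEHOLDER" name="/etc/pki/libvirt-spice/ca-cert.pem" pid=2176 comm="kvm" requested_mask="r" denied_mask="r" fsuid=107 ouid=107'

# Paths under directory $1 that AppArmor refused to open; audit lines on stdin.
spice_denied_paths() {
    grep 'apparmor="DENIED"' | grep "name=\"$1/" |
        sed 's/.*name="\([^"]*\)".*/\1/' | sort -u
}

# The rule to add, in the same form as the existing /etc/pki/libvirt-vnc/** r,
# entry (on Ubuntu that entry lives in abstractions/libvirt-qemu; assumed here).
apparmor_rule_for() {
    printf '  %s/** r,\n' "$1"
}

# Sanity-check the on-disk chain so a real certificate error is not blamed
# on confinement. Non-zero if server-cert.pem does not verify against the CA.
verify_chain() {
    openssl verify -CAfile "$1/ca-cert.pem" "$1/server-cert.pem" >/dev/null 2>&1
}

main() {
    dir=/etc/pki/libvirt-spice
    denied=$(printf '%s\n' "$SAMPLE_LOG" | spice_denied_paths "$dir")
    if [ -n "$denied" ]; then
        echo "AppArmor denied reads under $dir:"
        echo "$denied"
        echo "Add this rule to the libvirt-qemu abstraction and reload with apparmor_parser -r:"
        apparmor_rule_for "$dir"
    else
        echo "No AppArmor denials under $dir; check file ownership and modes instead."
    fi
    if verify_chain "$dir"; then
        echo "Certificate chain in $dir verifies."
    else
        echo "Could not verify chain in $dir (files missing, unreadable, or openssl absent)."
    fi
}

main "$@"
```

On a live host, replace SAMPLE_LOG with the output of `dmesg` or the syslog audit records and run as a user allowed to read the certificate directory.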