'Unable to connect to the graphic server' error when opening SPICE console
问题
The below error message is shown when trying to connect to any virtual machine console:
Unable to connect to the graphic server
There are no firewall restrictions in place, telnet to SPICE ports works from the same machine, the SPICE client is up to date.
环境
Red Hat Enterprise Virtualization 3.2
决议
Verify existence of /etc/pki/ovirt-engine/ca.pem and the permissions:
# ls -lZ /etc/pki/ovirt-engine/
The ca.pem should exist and be owned by user ovirt and group ovirt. If this is correct, verify it is the same certificate as the one in/etc/pki/vdsm/libvirt-spice/ on the hypervisors.
If the files are absent or different, copy ca.pem from manager to affected hypervisors.
根源
The manager process cannot access the internal CA certificate /etc/pki/ovirt-engine/ca.pem.
This file is needed by the SPICE client and is transmitted by the manager on connect time. If it does not exist, SSL handshake fails and the connection drops.
诊断步骤
custom certificates were installed for the web interface they were installed a few months ago and worked fine the last action done to the env was an upgrade of the hypervisors clients are windows machines, spice client is 0.5.3-28.el6ev
engine.log on the manager contains this line:
ERROR [bll.GetCACertificateQuery] (ajp-/127.0.0.1:8702-6) Query GetCACertificateQuery failed. Exception message is java.io.FileNotFoundException: /etc/pki/ovirt-engine/ca.pem (Permission denied)
qemu logs on hypervisors contain lines like:
Spice-Warning **: reds.c:2933:reds_handle_ssl_accept: SSL_accept failed, error=5unable
SPICE client client log in debug mode has no errors, just:
INFO [4568:3108] COSpiceX::event_thread: exit_code=0 error_code=1
telnet hypervisors works from the client on SPICE ports
tcpdump contains brief traffic exchange before the error

版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。