solved using this link https://bugzilla.redhat.com/show_bug.cgi?id=1672587

Thu, 2 Apr 2020 at 16:11, Milan Zamazal <mzamazal@redhat.com>:
David David <dd432690@gmail.com> writes:

> can connect to a vm which has spice console protocol by remote-viewer but
> that is not working with vnc protocol
> the remote-viewer can't validate the server certs, is this a bug on the
> remote-viewer side or in the hypervisor?
> this problem is generally known? will it be fixed?

It works for me, so it's either a problem with your remote-viewer or an
unknown problem on the oVirt side.  I'd suggest paying attention to the
authentication method negotiation as pointed out earlier.  I'm not
expert in that area, so I can't help you with that but maybe someone
else can.

Regards,
Milan

> Sun, 29 Mar 2020 at 12:52, David David <dd432690@gmail.com>:
>
>> there is no such problem with the ovirt-engine 4.2.5.2-1.el7
>> it appeared when upgrading to 4.3.*
>>
>> Sun, 29 Mar 2020 at 12:46, David David <dd432690@gmail.com>:
>>
>>> tested on four different workstations with: fedora20, fedora31 and
>>> windows10(remote-manager last vers)
>>>
>>> Sun, 29 Mar 2020 at 12:39, Strahil Nikolov <hunter86_bg@yahoo.com>:
>>>
>>>> On March 29, 2020 9:47:02 AM GMT+03:00, David David <dd432690@gmail.com>
>>>> wrote:
>>>> >I did as you said:
>>>> >copied from engine /etc/ovirt-engine/ca.pem onto my desktop into
>>>> >/etc/pki/ca-trust/source/anchors and then run update-ca-trust
>>>> >it didn’t help, still the same errors
>>>> >
>>>> >
>>>> >Fri, 27 Mar 2020 at 21:56, Strahil Nikolov <hunter86_bg@yahoo.com>:
>>>> >
>>>> >> On March 27, 2020 12:23:10 PM GMT+02:00, David David <dd432690@gmail.com>
>>>> >> wrote:
>>>> >> >here is debug from opening console.vv by remote-viewer
>>>> >> >
>>>> >> >2020-03-27 14:09 GMT+04:00, Milan Zamazal <mzamazal@redhat.com>:
>>>> >> >> David David <dd432690@gmail.com> writes:
>>>> >> >>
>>>> >> >>> yes i have
>>>> >> >>> console.vv attached
>>>> >> >>
>>>> >> >> It looks the same as mine.
>>>> >> >>
>>>> >> >> There is a difference in our logs, you have
>>>> >> >>
>>>> >> >>   Possible auth 19
>>>> >> >>
>>>> >> >> while I have
>>>> >> >>
>>>> >> >>   Possible auth 2
>>>> >> >>
>>>> >> >> So I still suspect a wrong authentication method is used, but I don't
>>>> >> >> have any idea why.
>>>> >> >>
>>>> >> >> Regards,
>>>> >> >> Milan
>>>> >> >>
>>>> >> >>> 2020-03-26 21:38 GMT+04:00, Milan Zamazal <mzamazal@redhat.com>:
>>>> >> >>>> David David <dd432690@gmail.com> writes:
>>>> >> >>>>
>>>> >> >>>>> copied from qemu server all certs except "cacrl" to my desktop-station
>>>> >> >>>>> into /etc/pki/
>>>> >> >>>>
>>>> >> >>>> This is not needed, the CA certificate is included in console.vv and no
>>>> >> >>>> other certificate should be needed.
>>>> >> >>>>
>>>> >> >>>>> but remote-viewer still didn't work
>>>> >> >>>>
>>>> >> >>>> The log looks like remote-viewer is attempting certificate
>>>> >> >>>> authentication rather than password authentication.  Do you have
>>>> >> >>>> password in console.vv?  It should look like:
>>>> >> >>>>
>>>> >> >>>>   [virt-viewer]
>>>> >> >>>>   type=vnc
>>>> >> >>>>   host=192.168.122.2
>>>> >> >>>>   port=5900
>>>> >> >>>>   password=fxLazJu6BUmL
>>>> >> >>>>   # Password is valid for 120 seconds.
>>>> >> >>>>   ...
>>>> >> >>>>
>>>> >> >>>> Regards,
>>>> >> >>>> Milan
>>>> >> >>>>
>>>> >> >>>>> 2020-03-26 2:22 GMT+04:00, Nir Soffer <nsoffer@redhat.com>:
>>>> >> >>>>>> On Wed, Mar 25, 2020 at 12:45 PM David David <dd432690@gmail.com>
>>>> >> >>>>>> wrote:
>>>> >> >>>>>>>
>>>> >> >>>>>>> ovirt 4.3.8.2-1.el7
>>>> >> >>>>>>> gtk-vnc2-1.0.0-1.fc31.x86_64
>>>> >> >>>>>>> remote-viewer version 8.0-3.fc31
>>>> >> >>>>>>>
>>>> >> >>>>>>> can't open vm console by remote-viewer
>>>> >> >>>>>>> vm has vnc console protocol
>>>> >> >>>>>>> when click on console button to connect to a vm, the remote-viewer
>>>> >> >>>>>>> console disappear immediately
>>>> >> >>>>>>>
>>>> >> >>>>>>> remote-viewer debug in attachment
>>>> >> >>>>>>
>>>> >> >>>>>> You have an issue with the certificates:
>>>> >> >>>>>>
>>>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.238: ../src/vncconnection.c Set credential 2 libvirt
>>>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Searching for certs in /etc/pki
>>>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Searching for certs in /root/.pki
>>>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Failed to find certificate CA/cacert.pem
>>>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c No CA certificate provided, using GNUTLS global trust
>>>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Failed to find certificate CA/cacrl.pem
>>>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Failed to find certificate libvirt/private/clientkey.pem
>>>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Failed to find certificate libvirt/clientcert.pem
>>>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Waiting for missing credentials
>>>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Got all credentials
>>>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c No CA certificate provided; trying the system trust store instead
>>>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.240: ../src/vncconnection.c Using the system trust store and CRL
>>>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.240: ../src/vncconnection.c No client cert or key provided
>>>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.240: ../src/vncconnection.c No CA revocation list provided
>>>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.241: ../src/vncconnection.c Handshake was blocking
>>>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.243: ../src/vncconnection.c Handshake was blocking
>>>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.251: ../src/vncconnection.c Handshake was blocking
>>>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.298: ../src/vncconnection.c Handshake done
>>>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.298: ../src/vncconnection.c Validating
>>>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.301: ../src/vncconnection.c Error: The certificate is not trusted
>>>> >> >>>>>>
>>>> >> >>>>>> Adding people that may know more about this.
>>>> >> >>>>>>
>>>> >> >>>>>> Nir
>>>> >> >>>>>>
>>>> >> >>>>>>
>>>> >> >>>>
>>>> >> >>>>
>>>> >> >>
>>>> >> >>
>>>> >>
>>>> >> Hello,
>>>> >>
>>>> >> You can try to take the engine's CA (maybe it's useless) and put it on
>>>> >> your system in:
>>>> >> /etc/pki/ca-trust/source/anchors (if it's EL7 or a Fedora) and then run
>>>> >> update-ca-trust
>>>> >>
>>>> >> Best Regards,
>>>> >> Strahil Nikolov
>>>> >>
>>>>
>>>> Hey David,
>>>>
>>>> What is your workstation's OS?
>>>> Also, have you tried from another workstation?
>>>>
>>>> Best Regards,
>>>> Strahil Nikolov
>>>>
>>>
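
The log comparison made in this thread ("Possible auth 19" versus "Possible auth 2", followed by the certificate error) can be automated. The following Python example is added here and is not part of the original messages or of gtk-vnc; the function names `unwrap` and `diagnose` are hypothetical, the sample log is constructed in the format quoted above, and the security-type names are the RFB protocol's (2 = VNC Authentication, 19 = VeNCrypt).

```python
import re

# RFB security-type numbers (RFC 6143 / IANA RFB registry).
RFB_SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 19: "VeNCrypt"}

# Constructed sample in the gtk-vnc debug format quoted in the thread;
# the second record is wrapped the way a mail client would wrap it.
SAMPLE_LOG = """\
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.230: ../src/vncconnection.c Possible auth 19
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239:
../src/vncconnection.c No CA certificate provided; trying the system
trust store instead
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.301: ../src/vncconnection.c Error: The certificate is not trusted
"""

RECORD_RE = re.compile(r"gtk-vnc-DEBUG: [\d:.]+: \S+ (?P<msg>.*)$")

def unwrap(text):
    """Rejoin wrapped lines; every gtk-vnc record starts with '('."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("(") or not records:
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def diagnose(text):
    """Return (offered security types, findings) for a gtk-vnc debug log."""
    offered, findings = [], []
    for record in unwrap(text):
        match = RECORD_RE.search(record)
        if not match:
            continue
        msg = match.group("msg")
        auth = re.fullmatch(r"Possible auth (\d+)", msg)
        if auth:
            number = int(auth.group(1))
            offered.append((number, RFB_SECURITY_TYPES.get(number, "unknown")))
        elif msg.startswith("No CA certificate provided; trying"):
            findings.append("no CA file found, fell back to system trust store")
        elif msg == "Error: The certificate is not trusted":
            findings.append("server certificate not trusted by the client")
    if any(number == 19 for number, _ in offered):
        findings.insert(0, "VeNCrypt offered: TLS certificate validation applies")
    return offered, findings

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```
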