Hello
From: Patrick Hibbs <hibbsncc1701(a)gmail.com>
Sent: Sunday, 25 June 2023 03:14
To: R A <Jarheadx(a)hotmail.de>; users(a)ovirt.org
Subject: Re: [ovirt-users] ovirt 4.5 VNC Failed to complete handshake Error in the pull
function on Windows
Hello,
On 6/23/23 13:23, R A wrote:
Hello,
I am using ovirt 4.5.4-1.el9 standalone on Rocky Linux and have some struggle with the VNC
connection.
I've engine.mydomain.de which contains the ovirt-engine. I installed a third party
certificate successfully. So when I call engine.mydomain.de/ovirt-engine or
node1.mydomain.de:9090 the browser tells me that the connection is secured.
My first host is node1.mydomain.de, which has currently one VM up.
On Linux Client (Rocky Linux 9.2)
1. When I run „remote-viewer --debug /home/user1/Downloads/console.vv --gtk-vnc-debug“
everything works fine. RemoteViewer opens and I can see the console of my VM
2. When I try to open the console.vv directly via remoteViewer from engine-portal I
get feedback from remoteViewer: „The certificate is not trusted“
Did you do that after opening console.vv manually? Or did you download a new
console.vv before doing so?
console.vv files are good for one use only. As they contain a one-time
password that is revoked after use.
I fetched a new console.vv after each test for sure.
3. When I try to open via novnc a new tab opens and I get „Something went wrong,
connection is closed“
Again, did you reuse that console.vv file? Or did you download a new one? FYI: The
file should be deleted automatically after remote-viewer opens it. As it's not
supposed to be reused.
Same here
On Windows 11
1. When I generate the console.vv and copy the password and host address + port to
TigerVNC client everything works fine. TigerVNC tells me that the connection is secured
2. When opening console.vv directly via RemoteViewer I get „Failed to complete handshake
Error in the pull function“
3. When I try to open via novnc a new tab opens and I get „Something went wrong,
connection is closed“
4. When I run "C:\ProgramData\Microsoft\Windows\Start
Menu\Programs\VirtViewer\Remote viewer.lnk" --debug
C:\Users\rezaa\Downloads\console.vv --gtk-vnc-debug
I get:
C:\Users\rezaa>"C:\ProgramData\Microsoft\Windows\Start
Menu\Programs\VirtViewer\Remote viewer.lnk" --debug
C:\Users\rezaa\Downloads\console.vv --gtk-vnc-debug
C:\Users\rezaa>(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.218: keymap string
is empty - nothing to do
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.264: Opening display to
C:\Users\rezaa\Downloads\console.vv
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.265: Guest (NULL) has a vnc
display
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.271: ../src/vncconnection.c Init
VncConnection=00000000070f1c90
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.271: ../src/vncdisplaykeymap.c Using
Win32 virtual keycode mapping
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.272: ../src/vncdisplay.c Grab sequence
is now Control_L+Alt_L
(remote-viewer.exe:9460): libsoup-WARNING **: 19:16:33.277: Could not set SSL credentials
from '/etc/pki/tls/certs/ca-bundle.crt': Vertrauenswürdigkeitsliste konnte nicht
aus /etc/pki/tls/certs/ca-bundle.crt befüllt werden: Error while reading file.
(remote-viewer.exe:9460): libsoup-WARNING **: 19:16:33.277: Could not set SSL credentials
from '/etc/pki/tls/certs/ca-bundle.crt': Vertrauenswürdigkeitsliste konnte nicht
aus /etc/pki/tls/certs/ca-bundle.crt befüllt werden: Error while reading file.
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.278: Spice foreign menu updated
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.278: After open connection callback
fd=-1
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.279: Opening connection to display
at C:\Users\rezaa\Downloads\console.vv
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.289: fullscreen display 0: 0
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.289: ../src/vncconnection.c Open
host=node1.mydomain.de port=5900
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.289: notebook show status
0000000004408580
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.875: ../src/vncconnection.c Open
coroutine starting
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.876: ../src/vncconnection.c Started
background coroutine
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.877: ../src/vncconnection.c Resolving
host node1.mydomain.de 5900
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.880: ../src/vncconnection.c Trying one
socket
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.881: ../src/vncconnection.c Schedule
socket timeout 00000000070f0a40
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.882: ../src/vncconnection.c Socket
pending
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.914: ../src/vncconnection.c Finally
connected
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.915: ../src/vncconnection.c Remove
timeout 00000000070f0a40
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.916: ../src/vncconnection.c Emit main
context 13
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.917: ../src/vncdisplay.c Grab sequence
is now
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.917: notebook show status
0000000004408580
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.919: Insert display 0
0000000007572f80
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.919: notebook show status
0000000004408580
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.920: ../src/vncdisplay.c Connected to
VNC server
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.920: ../src/vncconnection.c Protocol
initialization
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.920: ../src/vncconnection.c Schedule
greeting timeout 00000000070f0a40
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.921: ../src/vncconnection.c Read error
Ein nicht blockierender Socketvorgang konnte nicht sofort ausgeführt werden.
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.922: Allocated 1024x768
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.922: Child allocate 1024x640
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.946: ../src/vncconnection.c Remove
timeout 00000000070f0a40
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.947: ../src/vncconnection.c Server
version: 3.8
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.950: ../src/vncconnection.c Sending full
greeting
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.951: ../src/vncconnection.c Using
version: 3.8
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.964: ../src/vncconnection.c Read error
Ein nicht blockierender Socketvorgang konnte nicht sofort ausgeführt werden.
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.983: ../src/vncconnection.c Possible
auth 19
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.984: ../src/vncconnection.c Emit main
context 11
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.984: ../src/vncconnection.c Thinking
about auth type 19
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.985: ../src/vncconnection.c Decided on
auth type 19
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.985: ../src/vncconnection.c Waiting for
auth type
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.986: ../src/vncconnection.c Choose auth
19
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.986: ../src/vncconnection.c Checking if
credentials are needed
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.987: ../src/vncconnection.c No
credentials required
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.987: ../src/vncconnection.c Read error
Ein nicht blockierender Socketvorgang konnte nicht sofort ausgeführt werden.
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.019: ../src/vncconnection.c Read error
Ein nicht blockierender Socketvorgang konnte nicht sofort ausgeführt werden.
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.050: ../src/vncconnection.c Possible
VeNCrypt sub-auth 261
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.051: ../src/vncconnection.c Emit main
context 12
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.052: ../src/vncconnection.c Requested
auth subtype 261
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.053: ../src/vncconnection.c Waiting for
VeNCrypt auth subtype
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.054: ../src/vncconnection.c Choose auth
261
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.055: ../src/vncconnection.c Checking if
credentials are needed
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.056: ../src/vncconnection.c No
credentials required
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.056: ../src/vncconnection.c Read error
Ein nicht blockierender Socketvorgang konnte nicht sofort ausgeführt werden.
(remote-viewer.exe:9460): GLib-GIO-WARNING **: 19:16:34.073: Unexpectedly, UWP app
`Microsoft.ScreenSketch_11.2303.17.0_x64__8wekyb3d8bbwe' (AUMId
`Microsoft.ScreenSketch_8wekyb3d8bbwe!App') supports 29 extensions but has no verbs
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.088: ../src/vncconnection.c Do TLS
handshake
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.089: ../src/vncconnection.c Checking if
credentials are needed
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.092: ../src/vncconnection.c Want a TLS
clientname
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.094: ../src/vncconnection.c Requesting
missing credentials
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.102: ../src/vncconnection.c Emit main
context 10
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:34.105: Got VNC credential request for
1 credential(s)
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.105: ../src/vncconnection.c Set
credential 2 libvirt
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.106: ../src/vncconnection.c Searching
for certs in /usr/x86_64-w64-mingw32/sys-root/mingw/etc/pki
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.108: ../src/vncconnection.c Failed to
find certificate CA/cacert.pem
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.109: ../src/vncconnection.c No CA
certificate provided, using GNUTLS global trust
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.111: ../src/vncconnection.c Failed to
find certificate CA/cacrl.pem
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.113: ../src/vncconnection.c Failed to
find certificate libvirt/private/clientkey.pem
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.113: ../src/vncconnection.c Failed to
find certificate libvirt/clientcert.pem
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.114: ../src/vncconnection.c Waiting for
missing credentials
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.117: ../src/vncconnection.c Got all
credentials
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.120: ../src/vncconnection.c No CA
certificate provided; trying the system trust store instead
(remote-viewer.exe:9460): GLib-GIO-WARNING **: 19:16:34.120: Unexpectedly, UWP app
`Clipchamp.Clipchamp_2.6.2.0_neutral__yxz26nhyzhsrt' (AUMId
`Clipchamp.Clipchamp_yxz26nhyzhsrt!App') supports 41 extensions but has no verbs
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.132: ../src/vncconnection.c Using the
system trust store and CRL
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.132: ../src/vncconnection.c No client
cert or key provided
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.133: ../src/vncconnection.c No CA
revocation list provided
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.133: ../src/vncconnection.c Error:
Failed to complete handshake Error in the pull function.
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.134: ../src/vncconnection.c Emit main
context 16
(remote-viewer.exe:9460): virt-viewer-WARNING **: 19:16:34.134: vnc-session: got vnc error
Failed to complete handshake Error in the pull function.
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.135: ../src/vncdisplay.c VNC server
error
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.135: ../src/vncconnection.c Auth
failed
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.135: ../src/vncconnection.c Doing final
VNC cleanup
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.136: ../src/vncconnection.c Close
VncConnection=00000000070f1c90
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.136: ../src/vncconnection.c Emit main
context 15
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.137: ../src/vncdisplay.c Disconnected
from VNC server
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:34.137: Not removing main window 0
00000000044694d0
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.138: ../src/vncdisplay.c Grab sequence
is now
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:34.138: Disconnected
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:47.126: close vnc=00000000070ec090
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:47.127: ../src/vncconnection.c Init
VncConnection=00000000053f6af0
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:47.127: ../src/vncdisplaykeymap.c Using
Win32 virtual keycode mapping
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:47.128: ../src/vncdisplay.c Grab sequence
is now Control_L+Alt_L
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:47.129: ../src/vncdisplay.c Display
destroy, requesting that VNC connection close
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:47.129: ../src/vncdisplay.c Releasing VNC
widget
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:47.129: ../src/vncconnection.c Finalize
VncConnection=00000000053f6af0
This looks like your Windows host lacks the ovirt-engine CA in its trust
store. You should try importing the CA first before opening the console.vv file.
I imported the engine-ca from here
https://<engine-url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
via MMC and the Certificate SnapIn to
my Windows. But I am still getting the same error.
It's not possible* to use a third party CA to secure the VNC connections.
As the VNC connections originate on the virtualization hosts themselves, the CA that they
use is the internal ovirt-engine CA that was automatically generated by engine-setup.
Yeah, I know that the third party CA is only for the website communication
but not for communication between the hosts.
If you don't want to import the ovirt-engine CA on the end-user machines,
your best option is to force end users through the end-user portal. Alternatively, you
could disable VNC encryption entirely and secure the link via other means.
What do you mean exactly with „through the end-user portal“ ? I generated
the console.vv always from adminportal or vmportal.
*: Technically it is possible to use a third party CA cert on the VNC
connections, but it will only work until VDSM reboots the host or performs a host upgrade.
As there is no way to force VDSM to ignore the "invalid" custom cert.
I imported the engine-ca on my RockyLinux into
/etc/pki/ca-trust/source/anchors and now it's working on Rocky Linux and now it works when
opening the console.vv directly via RemoteViewer. But I am still having a problem opening via
the „novnc“ option via browser.
But I am still having struggles with Windows (nativeClient and novnc option)
-Patrick Hibbs
The solution provided here was not successful
https://access.redhat.com/solutions/6217601
BR
R A
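
An added example, not part of the original thread: a small triage of the gtk-vnc debug output quoted above, showing which security type was negotiated and which trust source the client fell back to before the TLS handshake failed. The type numbers are RFB/VeNCrypt protocol constants; the `triage` function and the `tls_trust_suspect` flag are hypothetical names and a heuristic, not a verdict.

```python
import re

# RFB security types and VeNCrypt subtypes (protocol constants)
SECURITY_TYPES = {1: "None", 2: "VNC", 19: "VeNCrypt"}
VENCRYPT_SUBTYPES = {256: "Plain", 257: "TLSNone", 258: "TLSVnc", 259: "TLSPlain",
                     260: "X509None", 261: "X509Vnc", 262: "X509Plain"}

# Messages copied from the log in this thread (wrapped lines re-joined).
# The shared prefix, including its timestamp, is constructed for brevity.
PREFIX = "(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.000: ../src/vncconnection.c "
MESSAGES = [
    "Open host=node1.mydomain.de port=5900",
    "Decided on auth type 19",
    "Requested auth subtype 261",
    "Searching for certs in /usr/x86_64-w64-mingw32/sys-root/mingw/etc/pki",
    "Failed to find certificate CA/cacert.pem",
    "No CA certificate provided; trying the system trust store instead",
    "Error: Failed to complete handshake Error in the pull function.",
]
SAMPLE_LOG = "\n".join(PREFIX + m for m in MESSAGES)

def triage(log_text):
    """Summarise the auth negotiation and CA lookup from gtk-vnc debug lines."""
    r = {"endpoint": None, "auth": None, "subauth": None, "cert_dir": None,
         "missing": [], "system_trust": False, "error": None}
    for line in log_text.splitlines():
        if "gtk-vnc-DEBUG" not in line:
            continue  # skip virt-viewer, libsoup and GLib lines
        if m := re.search(r"Open host=(\S+) port=(\d+)", line):
            r["endpoint"] = (m.group(1), int(m.group(2)))
        elif m := re.search(r"Decided on auth type (\d+)", line):
            r["auth"] = SECURITY_TYPES.get(int(m.group(1)), "unknown")
        elif m := re.search(r"Requested auth subtype (\d+)", line):
            r["subauth"] = VENCRYPT_SUBTYPES.get(int(m.group(1)), "unknown")
        elif m := re.search(r"Searching for certs in (\S+)", line):
            r["cert_dir"] = m.group(1)
        elif m := re.search(r"Failed to find certificate (\S+)", line):
            r["missing"].append(m.group(1))
        elif "system trust store" in line:
            r["system_trust"] = True
        elif m := re.search(r"vncconnection\.c Error: (.+)$", line):
            r["error"] = m.group(1)
    # Heuristic: handshake failed and no explicit CA file was found by the client
    r["tls_trust_suspect"] = bool(r["error"] and "handshake" in r["error"]
                                  and "CA/cacert.pem" in r["missing"])
    return r

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```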