Hello

 

From: Patrick Hibbs <hibbsncc1701@gmail.com>
Sent: Sunday, 25 June 2023 03:14
To: R A <Jarheadx@hotmail.de>; users@ovirt.org
Subject: Re: [ovirt-users] ovirt 4.5 VNC Failed to complete handshake Error in the pull function on Windows

 

Hello,

On 6/23/23 13:23, R A wrote:

Hello,

 

I am using ovirt 4.5.4-1.el9 standalone on Rocky Linux and have some trouble with the VNC connection.

 

I have engine.mydomain.de, which contains the ovirt-engine. I installed a third-party certificate successfully. So when I call engine.mydomain.de/ovirt-engine or node1.mydomain.de:9090, the browser tells me that the connection is secured.

 

My first host is node1.mydomain.de, which has currently one VM up.

 

On Linux Client (Rocky Linux 9.2)

 

  1. When I run „remote-viewer --debug /home/user1/Downloads/console.vv  --gtk-vnc-debug“ everything works fine. RemoteViewer opens and I can see the console of my VM.
  2. When I try to open the console.vv directly via RemoteViewer from the engine portal, I get this feedback from RemoteViewer: „The certificate is not trusted“

            Did you do that after opening console.vv manually? Or did you download a new console.vv before doing so?

            console.vv files are good for one use only, as they contain a one-time password that is revoked after use.

                I fetched a new console.vv after each test for sure.

 

  3. When I try to open via novnc, a new tab opens and I get „Something went wrong, connection is closed“

        Again, did you reuse that console.vv file? Or did you download a new one? FYI: The file should be deleted automatically after remote-viewer opens it. As it's not supposed to be reused.

Same here 

 

On Windows 11

 

  1. When I generate the console.vv and copy the password and host address + port to the TigerVNC client, everything works fine. TigerVNC tells me that the connection is secured.
  2. When opening console.vv directly via RemoteViewer, I get „Failed to complete handshake Error in the pull function“
  3. When I try to open via novnc, a new tab opens and I get „Something went wrong, connection is closed“
  4. When I run "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VirtViewer\Remote viewer.lnk" --debug C:\Users\rezaa\Downloads\console.vv  --gtk-vnc-debug

I get :

 

C:\Users\rezaa>"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VirtViewer\Remote viewer.lnk" --debug C:\Users\rezaa\Downloads\console.vv  --gtk-vnc-debug

 

C:\Users\rezaa>(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.218: keymap string is empty - nothing to do

(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.264: Opening display to C:\Users\rezaa\Downloads\console.vv

(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.265: Guest (NULL) has a vnc display

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.271: ../src/vncconnection.c Init VncConnection=00000000070f1c90

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.271: ../src/vncdisplaykeymap.c Using Win32 virtual keycode mapping

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.272: ../src/vncdisplay.c Grab sequence is now Control_L+Alt_L

 

(remote-viewer.exe:9460): libsoup-WARNING **: 19:16:33.277: Could not set SSL credentials from '/etc/pki/tls/certs/ca-bundle.crt': Vertrauenswürdigkeitsliste konnte nicht aus /etc/pki/tls/certs/ca-bundle.crt befüllt werden: Error while reading file.

 

(remote-viewer.exe:9460): libsoup-WARNING **: 19:16:33.277: Could not set SSL credentials from '/etc/pki/tls/certs/ca-bundle.crt': Vertrauenswürdigkeitsliste konnte nicht aus /etc/pki/tls/certs/ca-bundle.crt befüllt werden: Error while reading file.

(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.278: Spice foreign menu updated

(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.278: After open connection callback fd=-1

(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.279: Opening connection to display at C:\Users\rezaa\Downloads\console.vv

(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.289: fullscreen display 0: 0

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.289: ../src/vncconnection.c Open host=node1.mydomain.de port=5900

(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.289: notebook show status 0000000004408580

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.875: ../src/vncconnection.c Open coroutine starting

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.876: ../src/vncconnection.c Started background coroutine

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.877: ../src/vncconnection.c Resolving host node1.mydomain.de 5900

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.880: ../src/vncconnection.c Trying one socket

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.881: ../src/vncconnection.c Schedule socket timeout 00000000070f0a40

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.882: ../src/vncconnection.c Socket pending

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.914: ../src/vncconnection.c Finally connected

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.915: ../src/vncconnection.c Remove timeout 00000000070f0a40

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.916: ../src/vncconnection.c Emit main context 13

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.917: ../src/vncdisplay.c Grab sequence is now

(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.917: notebook show status 0000000004408580

(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.919: Insert display 0 0000000007572f80

(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.919: notebook show status 0000000004408580

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.920: ../src/vncdisplay.c Connected to VNC server

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.920: ../src/vncconnection.c Protocol initialization

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.920: ../src/vncconnection.c Schedule greeting timeout 00000000070f0a40

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.921: ../src/vncconnection.c Read error Ein nicht blockierender Socketvorgang konnte nicht sofort ausgeführt werden.

(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.922: Allocated 1024x768

(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.922: Child allocate 1024x640

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.946: ../src/vncconnection.c Remove timeout 00000000070f0a40

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.947: ../src/vncconnection.c Server version: 3.8

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.950: ../src/vncconnection.c Sending full greeting

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.951: ../src/vncconnection.c Using version: 3.8

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.964: ../src/vncconnection.c Read error Ein nicht blockierender Socketvorgang konnte nicht sofort ausgeführt werden.

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.983: ../src/vncconnection.c Possible auth 19

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.984: ../src/vncconnection.c Emit main context 11

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.984: ../src/vncconnection.c Thinking about auth type 19

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.985: ../src/vncconnection.c Decided on auth type 19

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.985: ../src/vncconnection.c Waiting for auth type

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.986: ../src/vncconnection.c Choose auth 19

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.986: ../src/vncconnection.c Checking if credentials are needed

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.987: ../src/vncconnection.c No credentials required

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.987: ../src/vncconnection.c Read error Ein nicht blockierender Socketvorgang konnte nicht sofort ausgeführt werden.

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.019: ../src/vncconnection.c Read error Ein nicht blockierender Socketvorgang konnte nicht sofort ausgeführt werden.

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.050: ../src/vncconnection.c Possible VeNCrypt sub-auth 261

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.051: ../src/vncconnection.c Emit main context 12

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.052: ../src/vncconnection.c Requested auth subtype 261

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.053: ../src/vncconnection.c Waiting for VeNCrypt auth subtype

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.054: ../src/vncconnection.c Choose auth 261

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.055: ../src/vncconnection.c Checking if credentials are needed

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.056: ../src/vncconnection.c No credentials required

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.056: ../src/vncconnection.c Read error Ein nicht blockierender Socketvorgang konnte nicht sofort ausgeführt werden.

 

(remote-viewer.exe:9460): GLib-GIO-WARNING **: 19:16:34.073: Unexpectedly, UWP app `Microsoft.ScreenSketch_11.2303.17.0_x64__8wekyb3d8bbwe' (AUMId `Microsoft.ScreenSketch_8wekyb3d8bbwe!App') supports 29 extensions but has no verbs

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.088: ../src/vncconnection.c Do TLS handshake

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.089: ../src/vncconnection.c Checking if credentials are needed

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.092: ../src/vncconnection.c Want a TLS clientname

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.094: ../src/vncconnection.c Requesting missing credentials

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.102: ../src/vncconnection.c Emit main context 10

(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:34.105: Got VNC credential request for 1 credential(s)

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.105: ../src/vncconnection.c Set credential 2 libvirt

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.106: ../src/vncconnection.c Searching for certs in /usr/x86_64-w64-mingw32/sys-root/mingw/etc/pki

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.108: ../src/vncconnection.c Failed to find certificate CA/cacert.pem

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.109: ../src/vncconnection.c No CA certificate provided, using GNUTLS global trust

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.111: ../src/vncconnection.c Failed to find certificate CA/cacrl.pem

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.113: ../src/vncconnection.c Failed to find certificate libvirt/private/clientkey.pem

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.113: ../src/vncconnection.c Failed to find certificate libvirt/clientcert.pem

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.114: ../src/vncconnection.c Waiting for missing credentials

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.117: ../src/vncconnection.c Got all credentials

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.120: ../src/vncconnection.c No CA certificate provided; trying the system trust store instead

(remote-viewer.exe:9460): GLib-GIO-WARNING **: 19:16:34.120: Unexpectedly, UWP app `Clipchamp.Clipchamp_2.6.2.0_neutral__yxz26nhyzhsrt' (AUMId `Clipchamp.Clipchamp_yxz26nhyzhsrt!App') supports 41 extensions but has no verbs

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.132: ../src/vncconnection.c Using the system trust store and CRL

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.132: ../src/vncconnection.c No client cert or key provided

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.133: ../src/vncconnection.c No CA revocation list provided

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.133: ../src/vncconnection.c Error: Failed to complete handshake Error in the pull function.

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.134: ../src/vncconnection.c Emit main context 16

 

(remote-viewer.exe:9460): virt-viewer-WARNING **: 19:16:34.134: vnc-session: got vnc error Failed to complete handshake Error in the pull function.

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.135: ../src/vncdisplay.c VNC server error

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.135: ../src/vncconnection.c Auth failed

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.135: ../src/vncconnection.c Doing final VNC cleanup

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.136: ../src/vncconnection.c Close VncConnection=00000000070f1c90

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.136: ../src/vncconnection.c Emit main context 15

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.137: ../src/vncdisplay.c Disconnected from VNC server

(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:34.137: Not removing main window 0 00000000044694d0

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.138: ../src/vncdisplay.c Grab sequence is now

(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:34.138: Disconnected

(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:47.126: close vnc=00000000070ec090

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:47.127: ../src/vncconnection.c Init VncConnection=00000000053f6af0

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:47.127: ../src/vncdisplaykeymap.c Using Win32 virtual keycode mapping

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:47.128: ../src/vncdisplay.c Grab sequence is now Control_L+Alt_L

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:47.129: ../src/vncdisplay.c Display destroy, requesting that VNC connection close

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:47.129: ../src/vncdisplay.c Releasing VNC widget

(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:47.129: ../src/vncconnection.c Finalize VncConnection=00000000053f6af0

            This looks like your Windows host lacks the ovirt-engine CA in its trust store. You should try importing the CA first before opening the console.vv file.

                I imported the engine-ca from here https://<engine-url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA via MMC and the Certificate snap-in to my Windows. But I am still getting the same error.

            It's not possible* to use a third party CA to secure the VNC connections. As the VNC connections originate on the virtualization hosts themselves, the CA that they use is the internal ovirt-engine CA that was automatically generated by engine-setup.

                Yeah, I know that the third-party CA is only for the website communication but not for communication between the hosts.

            If you don't want to import the ovirt-engine CA on the end-user machines, your best option is to force end users through the end-user portal. Alternatively, you could disable VNC encryption entirely and secure the link via other means.

                What do you mean exactly by „through the end-user portal“? I always generated the console.vv from the admin portal or VM portal.

            *: Technically it is possible to use a third party CA cert on the VNC connections, but it will only work until VDSM reboots the host or performs a host upgrade. As there is no way to force VDSM to ignore the "invalid" custom cert.

                I imported the engine-ca on my Rocky Linux into /etc/pki/ca-trust/source/anchors, and now it works on Rocky Linux when opening the console.vv directly via RemoteViewer. But I am still having a problem opening via the „novnc“ option in the browser.

But I am still struggling with Windows (native client and novnc option).

-Patrick Hibbs

 

 

The solutions provided here were not successful: https://access.redhat.com/solutions/6217601

 

BR

R A
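
The trace above can be reduced to the few fields that decide the TLS stage: the negotiated security type, the VeNCrypt sub-type, where gtk-vnc looked for a CA file, and which trust source it fell back to. This is an added example, not part of the original message or of gtk-vnc; the function names summarize and needs_ca_in_system_store are made up here, and SAMPLE is an excerpt of the log lines quoted in the message.

```python
import re

# RFB security types and VeNCrypt sub-types, by the numbers gtk-vnc prints.
AUTH_TYPES = {1: "None", 2: "VNC", 18: "TLS", 19: "VeNCrypt", 20: "SASL"}
VENCRYPT_SUBTYPES = {256: "Plain", 257: "TLSNone", 258: "TLSVnc", 259: "TLSPlain",
                     260: "X509None", 261: "X509Vnc", 262: "X509Plain",
                     263: "TLSSASL", 264: "X509SASL"}

# Matches "(prog:pid): gtk-vnc-DEBUG: hh:mm:ss.mmm: ../src/file.c message"
LINE = re.compile(r"gtk-vnc-DEBUG: [\d:.]+: \S+\.c (.*)$")

def summarize(log_text):
    """Reduce a --gtk-vnc-debug trace to the facts relevant to a TLS failure."""
    s = {"auth": None, "subauth": None, "cert_dir": None,
         "missing": [], "trust": None, "error": None}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # virt-viewer, libsoup and GLib lines are ignored
        msg = m.group(1).strip()
        last = msg.split()[-1] if msg else ""
        if msg.startswith("Decided on auth type "):
            s["auth"] = AUTH_TYPES.get(int(last), last)
        elif msg.startswith("Requested auth subtype "):
            s["subauth"] = VENCRYPT_SUBTYPES.get(int(last), last)
        elif msg.startswith("Searching for certs in "):
            s["cert_dir"] = last
        elif msg.startswith("Failed to find certificate "):
            s["missing"].append(last)
        elif msg.startswith("Using the system trust store"):
            s["trust"] = "system"
        elif msg.startswith("Error: "):
            s["error"] = msg[len("Error: "):]
    return s

def needs_ca_in_system_store(s):
    """True when an X509 sub-type ran without a CA file, leaving only the OS trust store."""
    return (str(s["subauth"]).startswith("X509")
            and "CA/cacert.pem" in s["missing"] and s["trust"] == "system")

# Excerpt of the trace quoted in the message above.
SAMPLE = """\
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.985: ../src/vncconnection.c Decided on auth type 19
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.052: ../src/vncconnection.c Requested auth subtype 261
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.106: ../src/vncconnection.c Searching for certs in /usr/x86_64-w64-mingw32/sys-root/mingw/etc/pki
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.108: ../src/vncconnection.c Failed to find certificate CA/cacert.pem
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.132: ../src/vncconnection.c Using the system trust store and CRL
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.133: ../src/vncconnection.c Error: Failed to complete handshake Error in the pull function.
"""
```

For this trace the summary reads VeNCrypt / X509Vnc with the system trust store as the only trust source, so the certificate presented on port 5900 has to chain to a CA that the client's system store already contains.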

 

 

 



_______________________________________________
Users mailing list -- users@ovirt.org
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/XG7T3A77SJKNTFBEOCVETNOXLJM4VZS5/