I can connect to a VM that has the SPICE console protocol with remote-viewer, but
that is not working with the VNC protocol.
The remote-viewer can't validate the server certs. Is this a bug on the
remote-viewer side or in the hypervisor?
Is this problem generally known? Will it be fixed?
Sun, 29 Mar 2020 at 12:52, David David <dd432690(a)gmail.com>:
there is no such problem with the ovirt-engine 4.2.5.2-1.el7
it appeared when upgrading to 4.3.*
Sun, 29 Mar 2020 at 12:46, David David <dd432690(a)gmail.com>:
> tested on four different workstations with: fedora20, fedora31 and
> windows10(remote-manager last vers)
>
> Sun, 29 Mar 2020 at 12:39, Strahil Nikolov <hunter86_bg(a)yahoo.com>:
>
>> On March 29, 2020 9:47:02 AM GMT+03:00, David David <dd432690(a)gmail.com>
>> wrote:
>> >I did as you said:
>> >copied from engine /etc/ovirt-engine/ca.pem onto my desktop into
>> >/etc/pki/ca-trust/source/anchors and then run update-ca-trust
>> >it didn’t help, still the same errors
>> >
>> >
>> >Fri, 27 Mar 2020 at 21:56, Strahil Nikolov <hunter86_bg(a)yahoo.com>:
>> >
>> >> On March 27, 2020 12:23:10 PM GMT+02:00, David David <dd432690(a)gmail.com>
>> >> wrote:
>> >> >here is debug from opening console.vv by remote-viewer
>> >> >
>> >> >2020-03-27 14:09 GMT+04:00, Milan Zamazal <mzamazal(a)redhat.com>:
>> >> >> David David <dd432690(a)gmail.com> writes:
>> >> >>
>> >> >>> yes i have
>> >> >>> console.vv attached
>> >> >>
>> >> >> It looks the same as mine.
>> >> >>
>> >> >> There is a difference in our logs, you have
>> >> >>
>> >> >> Possible auth 19
>> >> >>
>> >> >> while I have
>> >> >>
>> >> >> Possible auth 2
>> >> >>
>> >> >> So I still suspect a wrong authentication method is used, but I don't
>> >> >> have any idea why.
>> >> >>
>> >> >> Regards,
>> >> >> Milan
>> >> >>
>> >> >>> 2020-03-26 21:38 GMT+04:00, Milan Zamazal <mzamazal(a)redhat.com>:
>> >> >>>> David David <dd432690(a)gmail.com> writes:
>> >> >>>>
>> >> >>>>> copied from qemu server all certs except "cacrl" to my desktop-station
>> >> >>>>> into /etc/pki/
>> >> >>>>
>> >> >>>> This is not needed, the CA certificate is included in console.vv and no
>> >> >>>> other certificate should be needed.
>> >> >>>>
>> >> >>>>> but remote-viewer still didn't work
>> >> >>>>
>> >> >>>> The log looks like remote-viewer is attempting certificate
>> >> >>>> authentication rather than password authentication. Do you have
>> >> >>>> password in console.vv? It should look like:
>> >> >>>>
>> >> >>>> [virt-viewer]
>> >> >>>> type=vnc
>> >> >>>> host=192.168.122.2
>> >> >>>> port=5900
>> >> >>>> password=fxLazJu6BUmL
>> >> >>>> # Password is valid for 120 seconds.
>> >> >>>> ...
>> >> >>>>
>> >> >>>> Regards,
>> >> >>>> Milan
>> >> >>>>
>> >> >>>>> 2020-03-26 2:22 GMT+04:00, Nir Soffer <nsoffer(a)redhat.com>:
>> >> >>>>>> On Wed, Mar 25, 2020 at 12:45 PM David David <dd432690(a)gmail.com>
>> >> >>>>>> wrote:
>> >> >>>>>>>
>> >> >>>>>>> ovirt 4.3.8.2-1.el7
>> >> >>>>>>> gtk-vnc2-1.0.0-1.fc31.x86_64
>> >> >>>>>>> remote-viewer version 8.0-3.fc31
>> >> >>>>>>>
>> >> >>>>>>> can't open vm console by remote-viewer
>> >> >>>>>>> vm has vnc console protocol
>> >> >>>>>>> when click on console button to connect to a vm, the remote-viewer
>> >> >>>>>>> console disappear immediately
>> >> >>>>>>>
>> >> >>>>>>> remote-viewer debug in attachment
>> >> >>>>>>
>> >> >>>>>> You have an issue with the certificates:
>> >> >>>>>>
>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.238:
>> >> >>>>>> ../src/vncconnection.c Set credential 2 libvirt
>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239:
>> >> >>>>>> ../src/vncconnection.c Searching for certs in /etc/pki
>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239:
>> >> >>>>>> ../src/vncconnection.c Searching for certs in /root/.pki
>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239:
>> >> >>>>>> ../src/vncconnection.c Failed to find certificate CA/cacert.pem
>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239:
>> >> >>>>>> ../src/vncconnection.c No CA certificate provided, using GNUTLS global trust
>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239:
>> >> >>>>>> ../src/vncconnection.c Failed to find certificate CA/cacrl.pem
>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239:
>> >> >>>>>> ../src/vncconnection.c Failed to find certificate libvirt/private/clientkey.pem
>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239:
>> >> >>>>>> ../src/vncconnection.c Failed to find certificate libvirt/clientcert.pem
>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239:
>> >> >>>>>> ../src/vncconnection.c Waiting for missing credentials
>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239:
>> >> >>>>>> ../src/vncconnection.c Got all credentials
>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239:
>> >> >>>>>> ../src/vncconnection.c No CA certificate provided; trying the system trust store instead
>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.240:
>> >> >>>>>> ../src/vncconnection.c Using the system trust store and CRL
>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.240:
>> >> >>>>>> ../src/vncconnection.c No client cert or key provided
>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.240:
>> >> >>>>>> ../src/vncconnection.c No CA revocation list provided
>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.241:
>> >> >>>>>> ../src/vncconnection.c Handshake was blocking
>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.243:
>> >> >>>>>> ../src/vncconnection.c Handshake was blocking
>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.251:
>> >> >>>>>> ../src/vncconnection.c Handshake was blocking
>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.298:
>> >> >>>>>> ../src/vncconnection.c Handshake done
>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.298:
>> >> >>>>>> ../src/vncconnection.c Validating
>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.301:
>> >> >>>>>> ../src/vncconnection.c Error: The certificate is not trusted
>> >> >>>>>>
>> >> >>>>>> Adding people that may know more about this.
>> >> >>>>>>
>> >> >>>>>> Nir
>> >> >>>>>>
>> >> >>>>>>
>> >> >>>>
>> >> >>>>
>> >> >>
>> >> >>
>> >>
>> >> Hello,
>> >>
>> >> You can try to take the engine's CA (maybe it's useless) and put it on
>> >> your system in:
>> >> /etc/pki/ca-trust/source/anchors (if it's EL7 or a Fedora) and then run
>> >> update-ca-trust
>> >>
>> >> Best Regards,
>> >> Strahil Nikolov
>> >>
>>
>> Hey David,
>>
>> What is your workstation's OS ?
>> Also, have you tried from another workstation ?
>>
>> Best Regards,
>> Strahil Nikolov
>>
>
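
Added example, not part of the original thread: a small triage script for the gtk-vnc debug output discussed above. It maps the number after `Possible auth` to its RFB security type (2 is VNC password authentication, 19 is VeNCrypt, which wraps the session in TLS) and reports which CA source was used and whether certificate validation failed. The sample log is constructed from the lines quoted in the thread; the timestamp on the `Possible auth` line and the function names are assumptions.

```python
import re

# RFB security type numbers; subset relevant to this thread.
RFB_SECURITY_TYPES = {
    1: "None",
    2: "VNC Authentication (password)",
    18: "TLS",
    19: "VeNCrypt (TLS wrapper, optional x509)",
    20: "SASL",
}
TLS_TYPES = {18, 19}

# Constructed sample, modelled on the debug lines quoted in the thread.
SAMPLE_LOG = """\
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.230: ../src/vncconnection.c Possible auth 19
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Failed to find certificate CA/cacert.pem
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c No CA certificate provided, using GNUTLS global trust
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.298: ../src/vncconnection.c Handshake done
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.301: ../src/vncconnection.c Error: The certificate is not trusted
"""

AUTH_RE = re.compile(r"Possible auth (\d+)")
MISSING_RE = re.compile(r"Failed to find certificate (\S+)")

def triage(log_text):
    """Summarise offered auth types, CA source and TLS outcome from a debug log."""
    result = {"auth_types": [], "missing_files": [],
              "ca_source": "unknown", "cert_trusted": None}
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            num = int(m.group(1))
            result["auth_types"].append((num, RFB_SECURITY_TYPES.get(num, "unknown")))
        m = MISSING_RE.search(line)
        if m:
            result["missing_files"].append(m.group(1))
        if "No CA certificate provided" in line:
            result["ca_source"] = "system trust store"
        if "certificate is not trusted" in line:
            result["cert_trusted"] = False
    return result

def uses_tls(result):
    """True when the server offered a TLS-based security type."""
    return any(num in TLS_TYPES for num, _ in result["auth_types"])

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(summary, "TLS offered:", uses_tls(summary))
```
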