
can connect to a VM which has the SPICE console protocol with remote-viewer, but that is not working with the VNC protocol: remote-viewer can't validate the server certs. Is this a bug on the remote-viewer side or in the hypervisor? Is this problem generally known? Will it be fixed?
Sun, 29 Mar 2020 at 12:52, David David <dd432690@gmail.com>:
there is no such problem with ovirt-engine 4.2.5.2-1.el7; it appeared when upgrading to 4.3.*
Sun, 29 Mar 2020 at 12:46, David David <dd432690@gmail.com>:
tested on four different workstations with: Fedora 20, Fedora 31 and Windows 10 (remote-manager latest version)
Sun, 29 Mar 2020 at 12:39, Strahil Nikolov <hunter86_bg@yahoo.com>:
On March 29, 2020 9:47:02 AM GMT+03:00, David David <dd432690@gmail.com> wrote:
I did as you said: copied /etc/ovirt-engine/ca.pem from the engine onto my desktop into /etc/pki/ca-trust/source/anchors and then ran update-ca-trust. It didn't help, still the same errors.
Fri, 27 Mar 2020 at 21:56, Strahil Nikolov <hunter86_bg@yahoo.com>:
On March 27, 2020 12:23:10 PM GMT+02:00, David David <dd432690@gmail.com> wrote:
here is debug from opening console.vv by remote-viewer
2020-03-27 14:09 GMT+04:00, Milan Zamazal <mzamazal@redhat.com>:
> David David <dd432690@gmail.com> writes:
>
>> yes i have
>> console.vv attached
>
> It looks the same as mine.
>
> There is a difference in our logs, you have
>
> Possible auth 19
>
> while I have
>
> Possible auth 2
>
> So I still suspect a wrong authentication method is used, but I don't
> have any idea why.
>
> Regards,
> Milan
>
>> 2020-03-26 21:38 GMT+04:00, Milan Zamazal <mzamazal@redhat.com>:
>>> David David <dd432690@gmail.com> writes:
>>>
>>>> copied from qemu server all certs except "cacrl" to my desktop-station
>>>> into /etc/pki/
>>>
>>> This is not needed, the CA certificate is included in console.vv and no
>>> other certificate should be needed.
>>>
>>>> but remote-viewer still didn't work
>>>
>>> The log looks like remote-viewer is attempting certificate
>>> authentication rather than password authentication. Do you have
>>> password in console.vv? It should look like:
>>>
>>> [virt-viewer]
>>> type=vnc
>>> host=192.168.122.2
>>> port=5900
>>> password=fxLazJu6BUmL
>>> # Password is valid for 120 seconds.
>>> ...
>>>
>>> Regards,
>>> Milan
>>>
>>>> 2020-03-26 2:22 GMT+04:00, Nir Soffer <nsoffer@redhat.com>:
>>>>> On Wed, Mar 25, 2020 at 12:45 PM David David <dd432690@gmail.com>
>>>>> wrote:
>>>>>>
>>>>>> ovirt 4.3.8.2-1.el7
>>>>>> gtk-vnc2-1.0.0-1.fc31.x86_64
>>>>>> remote-viewer version 8.0-3.fc31
>>>>>>
>>>>>> can't open vm console by remote-viewer
>>>>>> vm has vnc console protocol
>>>>>> when click on console button to connect to a vm, the remote-viewer
>>>>>> console disappear immediately
>>>>>>
>>>>>> remote-viewer debug in attachment
>>>>>
>>>>> You have an issue with the certificates:
>>>>>
>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.238: ../src/vncconnection.c Set credential 2 libvirt
>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Searching for certs in /etc/pki
>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Searching for certs in /root/.pki
>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Failed to find certificate CA/cacert.pem
>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c No CA certificate provided, using GNUTLS global trust
>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Failed to find certificate CA/cacrl.pem
>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Failed to find certificate libvirt/private/clientkey.pem
>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Failed to find certificate libvirt/clientcert.pem
>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Waiting for missing credentials
>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Got all credentials
>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c No CA certificate provided; trying the system trust store instead
>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.240: ../src/vncconnection.c Using the system trust store and CRL
>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.240: ../src/vncconnection.c No client cert or key provided
>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.240: ../src/vncconnection.c No CA revocation list provided
>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.241: ../src/vncconnection.c Handshake was blocking
>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.243: ../src/vncconnection.c Handshake was blocking
>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.251: ../src/vncconnection.c Handshake was blocking
>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.298: ../src/vncconnection.c Handshake done
>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.298: ../src/vncconnection.c Validating
>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.301: ../src/vncconnection.c Error: The certificate is not trusted
>>>>>
>>>>> Adding people that may know more about this.
>>>>>
>>>>> Nir
Hello,
You can try to take the engine's CA (maybe it's useless) and put it on your system in: /etc/pki/ca-trust/source/anchors (if it's EL7 or a Fedora) and then run update-ca-trust
Best Regards, Strahil Nikolov
Hey David,
What is your workstation's OS? Also, have you tried from another workstation?
Best Regards, Strahil Nikolov
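
The thread compares "Possible auth 19" with "Possible auth 2" and asks whether console.vv carries a password and the CA. The triage script below is an added example, not part of the original messages or of any oVirt/virt-viewer code; it maps those numbers to their RFB security type names and checks a log and a console.vv for the pattern seen here. The sample inputs are constructed from lines quoted in the thread, and the `ca` key name in console.vv is an assumption.

```python
import configparser
import re

# RFB security type numbers (subset of the IANA RFB registry).
RFB_SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 18: "TLS", 19: "VeNCrypt"}

# Constructed sample built from gtk-vnc debug lines quoted in the thread.
SAMPLE_LOG = """\
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.230: ../src/vncconnection.c Possible auth 19
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Failed to find certificate CA/cacert.pem
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c No CA certificate provided; trying the system trust store instead
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.301: ../src/vncconnection.c Error: The certificate is not trusted
"""

# Constructed console.vv: a password is present, no CA entry.
SAMPLE_VV = """\
[virt-viewer]
type=vnc
host=192.168.122.2
port=5900
password=constructed-placeholder
"""


def diagnose(log_text, vv_text):
    """Summarise which auth types the server offered and how trust was resolved."""
    offered = [int(n) for n in re.findall(r"Possible auth (\d+)", log_text)]
    vv = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    vv.read_string(vv_text)
    section = vv["virt-viewer"] if vv.has_section("virt-viewer") else {}
    result = {
        "offered": [RFB_SECURITY_TYPES.get(n, f"unknown ({n})") for n in offered],
        "tls_in_use": any(n in (18, 19) for n in offered),
        "system_trust_fallback": "trying the system trust store" in log_text,
        "cert_rejected": "The certificate is not trusted" in log_text,
        "vv_has_password": bool(section.get("password")),
        "vv_has_ca": bool(section.get("ca")),  # key name is an assumption
    }
    # Pattern from this thread: TLS-wrapped auth type, no CA the viewer could
    # use, and the server certificate rejected during validation.
    result["untrusted_server_cert"] = (
        result["tls_in_use"]
        and result["system_trust_fallback"]
        and result["cert_rejected"]
    )
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, SAMPLE_VV).items():
        print(f"{key}: {value}")
```
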