
tested on four different workstations with: fedora20, fedora31 and windows10 (remote-manager last vers)

Sun, 29 Mar 2020 at 12:39, Strahil Nikolov <hunter86_bg@yahoo.com>:
On March 29, 2020 9:47:02 AM GMT+03:00, David David <dd432690@gmail.com> wrote:
I did as you said:
copied from engine /etc/ovirt-engine/ca.pem onto my desktop into /etc/pki/ca-trust/source/anchors and then run update-ca-trust
it didn’t help, still the same errors

Fri, 27 Mar 2020 at 21:56, Strahil Nikolov <hunter86_bg@yahoo.com>:
On March 27, 2020 12:23:10 PM GMT+02:00, David David <dd432690@gmail.com> wrote:
here is debug from opening console.vv by remote-viewer
2020-03-27 14:09 GMT+04:00, Milan Zamazal <mzamazal@redhat.com>:
David David <dd432690@gmail.com> writes:
yes i have console.vv attached
It looks the same as mine.
There is a difference in our logs, you have
Possible auth 19
while I have
Possible auth 2
So I still suspect a wrong authentication method is used, but I don't have any idea why.
Regards, Milan
2020-03-26 21:38 GMT+04:00, Milan Zamazal <mzamazal@redhat.com>:
> David David <dd432690@gmail.com> writes:
>
>> copied from qemu server all certs except "cacrl" to my desktop-station
>> into /etc/pki/
>
> This is not needed, the CA certificate is included in console.vv and no
> other certificate should be needed.
>
>> but remote-viewer is still didn't work
>
> The log looks like remote-viewer is attempting certificate
> authentication rather than password authentication. Do you have
> password in console.vv? It should look like:
>
>   [virt-viewer]
>   type=vnc
>   host=192.168.122.2
>   port=5900
>   password=fxLazJu6BUmL
>   # Password is valid for 120 seconds.
>   ...
>
> Regards,
> Milan
>
>> 2020-03-26 2:22 GMT+04:00, Nir Soffer <nsoffer@redhat.com>:
>>> On Wed, Mar 25, 2020 at 12:45 PM David David <dd432690@gmail.com>
>>> wrote:
>>>>
>>>> ovirt 4.3.8.2-1.el7
>>>> gtk-vnc2-1.0.0-1.fc31.x86_64
>>>> remote-viewer version 8.0-3.fc31
>>>>
>>>> can't open vm console by remote-viewer
>>>> vm has vnc console protocol
>>>> when click on console button to connect to a vm, the remote-viewer
>>>> console disappear immediately
>>>>
>>>> remote-viewer debug in attachment
>>>
>>> You have an issue with the certificates:
>>>
>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.238: ../src/vncconnection.c Set credential 2 libvirt
>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Searching for certs in /etc/pki
>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Searching for certs in /root/.pki
>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Failed to find certificate CA/cacert.pem
>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c No CA certificate provided, using GNUTLS global trust
>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Failed to find certificate CA/cacrl.pem
>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Failed to find certificate libvirt/private/clientkey.pem
>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Failed to find certificate libvirt/clientcert.pem
>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Waiting for missing credentials
>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Got all credentials
>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c No CA certificate provided; trying the system trust store instead
>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.240: ../src/vncconnection.c Using the system trust store and CRL
>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.240: ../src/vncconnection.c No client cert or key provided
>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.240: ../src/vncconnection.c No CA revocation list provided
>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.241: ../src/vncconnection.c Handshake was blocking
>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.243: ../src/vncconnection.c Handshake was blocking
>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.251: ../src/vncconnection.c Handshake was blocking
>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.298: ../src/vncconnection.c Handshake done
>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.298: ../src/vncconnection.c Validating
>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.301: ../src/vncconnection.c Error: The certificate is not trusted
>>>
>>> Adding people that may know more about this.
>>>
>>> Nir
Hello,
You can try to take the engine's CA (maybe it's useless) and put it on your system in: /etc/pki/ca-trust/source/anchors (if it's EL7 or a Fedora) and then run update-ca-trust
Best Regards, Strahil Nikolov
Hey David,
What is your workstation's OS? Also, have you tried from another workstation?
Best Regards, Strahil Nikolov

there is no such problem with the ovirt-engine 4.2.5.2-1.el7
it appeared when upgrading to 4.3.*

Sun, 29 Mar 2020 at 12:46, David David <dd432690@gmail.com>:
tested on four different workstations with: fedora20, fedora31 and windows10(remote-manager last vers)

can connect to a vm which has spice console protocol by remote-viewer
but that not working with vnc protocol
the remote-viewer can't validate the server certs, is this a bug on the remote-viewer side or in the hypervisor?
this problem is generally known? will it be fixed?

Sun, 29 Mar 2020 at 12:52, David David <dd432690@gmail.com>:
there is no such problem with the ovirt-engine 4.2.5.2-1.el7 it appeared when upgrading to 4.3.*

David David <dd432690@gmail.com> writes:
can connect to a vm which has spice console protocol by remote-viewer but that not working with vnc protocol the remote-viewer can't validate the server certs, is this a bug on the remote-viewer side or in the hypervisor? this problem is generally known? will it be fixed?
It works for me, so it's either a problem with your remote-viewer or an unknown problem on the oVirt side. I'd suggest paying attention to the authentication method negotiation as pointed out earlier. I'm not expert in that area, so I can't help you with that but maybe someone else can.
Regards, Milan
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/MACDEEWMWOTPGH...
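
The authentication negotiation and certificate validation steps discussed in this thread can be read out of a gtk-vnc debug log mechanically. The following is an added example, not code from the thread or from gtk-vnc: the function names are hypothetical, the security-type names come from the RFB security-type registry rather than from this page, and the sample log is constructed from the lines quoted in the thread.

```python
import re

# RFB security-type numbers and names (from the RFB registry, not from this page).
RFB_SECURITY_TYPES = {
    1: "None",
    2: "VNC Authentication (password)",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt (TLS-wrapped)",
    20: "SASL",
}

# Captures the message that follows the "../src/vncconnection.c " prefix.
LINE_RE = re.compile(r"gtk-vnc-DEBUG: [\d:.]+:\s+\S*vncconnection\.c (?P<msg>.*)$")
AUTH_RE = re.compile(r"^Possible auth (\d+)$")

# Constructed sample: the certificate lines are the ones quoted in the thread,
# one entry per line; the "Possible auth" line (and its timestamp) is built in
# the same format from the value reported in the thread.
SAMPLE_LOG = """\
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.230: ../src/vncconnection.c Possible auth 19
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Searching for certs in /etc/pki
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Failed to find certificate CA/cacert.pem
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.240: ../src/vncconnection.c Using the system trust store and CRL
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.298: ../src/vncconnection.c Handshake done
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.301: ../src/vncconnection.c Error: The certificate is not trusted
"""


def triage(log_text):
    """Collect auth negotiation and certificate validation facts from a debug log."""
    report = {
        "offered_auth": [],          # security types offered by the server
        "ca_found": True,            # False once the CA/cacert.pem lookup fails
        "system_trust_used": False,  # True when the system trust store is used
        "cert_untrusted": False,     # True when validation rejects the server cert
    }
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a gtk-vnc connection debug line
        msg = m.group("msg").strip()
        auth = AUTH_RE.match(msg)
        if auth:
            report["offered_auth"].append(int(auth.group(1)))
        elif msg == "Failed to find certificate CA/cacert.pem":
            report["ca_found"] = False
        elif msg == "Using the system trust store and CRL":
            report["system_trust_used"] = True
        elif msg == "Error: The certificate is not trusted":
            report["cert_untrusted"] = True
    return report


def diagnose(report):
    """Turn the collected facts into human-readable findings."""
    findings = []
    for num in report["offered_auth"]:
        name = RFB_SECURITY_TYPES.get(num, "unknown")
        findings.append(f"server offers security type {num}: {name}")
    if 19 in report["offered_auth"] and 2 not in report["offered_auth"]:
        findings.append(
            "VeNCrypt wraps the session in TLS, so the server certificate "
            "must validate before password authentication can happen"
        )
    if (report["cert_untrusted"] and not report["ca_found"]
            and report["system_trust_used"]):
        findings.append(
            "no CA file was found, the system trust store was used, and it "
            "did not validate the server certificate"
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(triage(SAMPLE_LOG)):
        print("-", finding)
```
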

solved using this link https://bugzilla.redhat.com/show_bug.cgi?id=1672587

Thu, 2 Apr 2020 at 16:11, Milan Zamazal <mzamazal@redhat.com>:
David David <dd432690@gmail.com> writes:
can connect to a vm which has spice console protocol by remote-viewer but that not working with vnc protocol the remote-viewer can't validate the server certs, is this a bug on the remote-viewer side or in the hypervisor? this problem is generally known? will it be fixed?
It works for me, so it's either a problem with your remote-viewer or an unknown problem on the oVirt side. I'd suggest paying attention to the authentication method negotiation as pointed out earlier. I'm not expert in that area, so I can't help you with that but maybe someone else can.
Regards, Milan

David David <dd432690@gmail.com> writes:
solved using this link https://bugzilla.redhat.com/show_bug.cgi?id=1672587
Great, good to know.
чт, 2 апр. 2020 г. в 16:11, Milan Zamazal <mzamazal@redhat.com>:
David David <dd432690@gmail.com> writes:
can connect to a vm which has spice console protocol by remote-viewer but that not working with vnc protocol the remote-viewer can't validate the server certs, is this a bug on the remote-viewerside or in the hypervisor? this problem is generally known? will it be fixed?
It works for me, so it's either a problem with your remote-viewer or an unknown problem on the oVirt side. I'd suggest paying attention to the authentication method negotiation as pointed out earlier. I'm not expert in that area, so I can't help you with that but maybe someone else can.
Regards, Milan
вс, 29 мар. 2020 г. в 12:52, David David <dd432690@gmail.com>:
there is no such problem with the ovirt-engine 4.2.5.2-1.el7 it appeared when upgrading to 4.3.*
вс, 29 мар. 2020 г. в 12:46, David David <dd432690@gmail.com>:
tested on four different workstations with: fedora20, fedora31 and windows10(remote-manager last vers)
Sun, 29 Mar 2020 at 12:39, Strahil Nikolov <hunter86_bg@yahoo.com>:
On March 29, 2020 9:47:02 AM GMT+03:00, David David <dd432690@gmail.com> wrote:
>I did as you said:
>copied from engine /etc/ovirt-engine/ca.pem onto my desktop into
>/etc/pki/ca-trust/source/anchors and then run update-ca-trust
>it didn’t help, still the same errors
>
>Fri, 27 Mar 2020 at 21:56, Strahil Nikolov <hunter86_bg@yahoo.com>:
>
>> On March 27, 2020 12:23:10 PM GMT+02:00, David David <dd432690@gmail.com> wrote:
>> >here is debug from opening console.vv by remote-viewer
>> >
>> >2020-03-27 14:09 GMT+04:00, Milan Zamazal <mzamazal@redhat.com>:
>> >> David David <dd432690@gmail.com> writes:
>> >>
>> >>> yes i have
>> >>> console.vv attached
>> >>
>> >> It looks the same as mine.
>> >>
>> >> There is a difference in our logs, you have
>> >>
>> >> Possible auth 19
>> >>
>> >> while I have
>> >>
>> >> Possible auth 2
>> >>
>> >> So I still suspect a wrong authentication method is used, but I don't
>> >> have any idea why.
>> >>
>> >> Regards,
>> >> Milan
>> >>
>> >>> 2020-03-26 21:38 GMT+04:00, Milan Zamazal <mzamazal@redhat.com>:
>> >>>> David David <dd432690@gmail.com> writes:
>> >>>>
>> >>>>> copied from qemu server all certs except "cacrl" to my desktop-station
>> >>>>> into /etc/pki/
>> >>>>
>> >>>> This is not needed, the CA certificate is included in console.vv and no
>> >>>> other certificate should be needed.
>> >>>>
>> >>>>> but remote-viewer still didn't work
>> >>>>
>> >>>> The log looks like remote-viewer is attempting certificate
>> >>>> authentication rather than password authentication. Do you have
>> >>>> password in console.vv? It should look like:
>> >>>>
>> >>>> [virt-viewer]
>> >>>> type=vnc
>> >>>> host=192.168.122.2
>> >>>> port=5900
>> >>>> password=fxLazJu6BUmL
>> >>>> # Password is valid for 120 seconds.
>> >>>> ...
>> >>>>
>> >>>> Regards,
>> >>>> Milan
>> >>>>
>> >>>>> 2020-03-26 2:22 GMT+04:00, Nir Soffer <nsoffer@redhat.com>:
>> >>>>>> On Wed, Mar 25, 2020 at 12:45 PM David David <dd432690@gmail.com> wrote:
>> >>>>>>>
>> >>>>>>> ovirt 4.3.8.2-1.el7
>> >>>>>>> gtk-vnc2-1.0.0-1.fc31.x86_64
>> >>>>>>> remote-viewer version 8.0-3.fc31
>> >>>>>>>
>> >>>>>>> can't open vm console by remote-viewer
>> >>>>>>> vm has vnc console protocol
>> >>>>>>> when click on console button to connect to a vm, the remote-viewer
>> >>>>>>> console disappear immediately
>> >>>>>>>
>> >>>>>>> remote-viewer debug in attachment
>> >>>>>>
>> >>>>>> You have an issue with the certificates:
>> >>>>>>
>> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.238: ../src/vncconnection.c Set credential 2 libvirt
>> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Searching for certs in /etc/pki
>> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Searching for certs in /root/.pki
>> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Failed to find certificate CA/cacert.pem
>> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c No CA certificate provided, using GNUTLS global trust
>> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Failed to find certificate CA/cacrl.pem
>> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Failed to find certificate libvirt/private/clientkey.pem
>> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Failed to find certificate libvirt/clientcert.pem
>> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Waiting for missing credentials
>> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Got all credentials
>> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c No CA certificate provided; trying the system trust store instead
>> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.240: ../src/vncconnection.c Using the system trust store and CRL
>> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.240: ../src/vncconnection.c No client cert or key provided
>> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.240: ../src/vncconnection.c No CA revocation list provided
>> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.241: ../src/vncconnection.c Handshake was blocking
>> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.243: ../src/vncconnection.c Handshake was blocking
>> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.251: ../src/vncconnection.c Handshake was blocking
>> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.298: ../src/vncconnection.c Handshake done
>> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.298: ../src/vncconnection.c Validating
>> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.301: ../src/vncconnection.c Error: The certificate is not trusted
>> >>>>>>
>> >>>>>> Adding people that may know more about this.
>> >>>>>>
>> >>>>>> Nir
>> >>>>>>
>>
>> Hello,
>>
>> You can try to take the engine's CA (maybe it's useless) and put it on
>> your system in:
>> /etc/pki/ca-trust/source/anchors (if it's EL7 or a Fedora) and then run
>> update-ca-trust
>>
>> Best Regards,
>> Strahil Nikolov
>>
Hey David,
What is your workstation's OS? Also, have you tried from another workstation?
Best Regards, Strahil Nikolov
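
The two clues discussed in this thread, the `Possible auth` number Milan compares and the certificate lines Nir quotes, can be pulled out of a gtk-vnc debug log mechanically. This is an added example, not code from the thread or from gtk-vnc; the RFB security-type names (2 = VNC Authentication, 19 = VeNCrypt) come from the RFB security-type registry rather than the posts, and the sample log is constructed in the format quoted above.

```python
import re

# RFB security-type numbers; 2 and 19 are the two values compared in the thread.
RFB_SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 18: "TLS", 19: "VeNCrypt"}

# Constructed sample in the format of the debug lines quoted in the thread; the
# prefix and timestamp on the "Possible auth" line are assumed.
SAMPLE_LOG = """\
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.230: ../src/vncconnection.c Possible auth 19
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c Failed to find certificate CA/cacert.pem
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: ../src/vncconnection.c No CA certificate provided; trying the system trust store instead
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.298: ../src/vncconnection.c Handshake done
(remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.301: ../src/vncconnection.c Error: The certificate is not trusted
"""

ENTRY = re.compile(r"gtk-vnc-DEBUG: [\d:.]+: \S+ (.*)$")
MISSING = "Failed to find certificate "

def triage(log_text):
    """Collect offered auth types, missing cert files and errors from a debug log."""
    found = {"auth": [], "missing": [], "system_trust": False, "errors": []}
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # not a gtk-vnc debug entry
        msg = m.group(1).strip()
        auth = re.fullmatch(r"Possible auth (\d+)", msg)
        if auth:
            num = int(auth.group(1))
            found["auth"].append((num, RFB_SECURITY_TYPES.get(num, "unknown")))
        elif msg.startswith(MISSING):
            found["missing"].append(msg[len(MISSING):])
        elif "system trust store" in msg:
            found["system_trust"] = True
        elif msg.startswith("Error: "):
            found["errors"].append(msg[len("Error: "):])
    return found

def diagnose(found):
    """Turn the collected facts into a one-line reading of the failure."""
    names = [name for _, name in found["auth"]]
    untrusted = "The certificate is not trusted" in found["errors"]
    if "VeNCrypt" in names and untrusted and found["system_trust"]:
        return "VeNCrypt/TLS offered; server cert checked against system trust store and rejected"
    if names == ["VNC Authentication"]:
        return "password-only VNC auth offered; no certificate validation involved"
    return "inconclusive"

if __name__ == "__main__":
    print(diagnose(triage(SAMPLE_LOG)))
```
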

On Mon, Apr 20, 2020 at 9:49 AM David David <dd432690@gmail.com> wrote:
solved using this link https://bugzilla.redhat.com/show_bug.cgi?id=1672587
Does this mean that you are still using 4.3.0 or that the fix in 4.3.1 was not applied into your environment?
Gianluca

I have version 4.3.8
Mon, 20 Apr 2020 at 12:46, Gianluca Cecchi <gianluca.cecchi@gmail.com>:
On Mon, Apr 20, 2020 at 9:49 AM David David <dd432690@gmail.com> wrote:
solved using this link https://bugzilla.redhat.com/show_bug.cgi?id=1672587
Does this mean that you are still using 4.3.0 or that the fix in 4.3.1 was not applied into your environment?
Gianluca