Hello,
I have recently enrolled new certificates on all hosts in our RHV
(4.5.3.5-1.el8ev) cluster, but now I cannot connect to the VNC or SPICE+VNC
console via remote-viewer (virt-viewer-11.0-2.fc36.x86_64) because of the error
The certificate's owner does not match hostname '10.224.102.72'
10.224.102.72 is the host's IP address.
Connection through the SPICE protocol works fine.
The .vv file looks like:
[virt-viewer]
type=vnc
host=10.224.102.72
port=5910
password=*******
# Password is valid for 120 seconds.
delete-this-file=1
fullscreen=0
title=srv.example.com:%d
toggle-fullscreen=shift+f11
release-cursor=shift+f12
secure-attention=ctrl+alt+end
versions=rhev-win64:2.0-160;rhev-win32:2.0-160;rhel8:7.0-3;rhel7:2.0-6;rhel6:99.0-1
newer-version-url=https://rhv.example.com/ovirt-engine/rhv/client-resources
[ovirt]
host=rhv.example.com:443
vm-guid=d9f1e9f8-1111-2222-3333-1c1db6704f21
sso-token=K9r1tHadO7H8oB........JMCSwtcwyD0syaENFA
admin=1
I also tried to copy oVirt's CA cert to ~/.pki/CA/cacert.pem as
mentioned in
https://access.redhat.com/solutions/6217601 but the error persists.
The debug log looks like:
remote-viewer --debug Downloads/console.vv --gtk-vnc-debug
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.160: ../src/vncdisplay.c Connected to VNC server
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.160: ../src/vncconnection.c Protocol initialization
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.160: ../src/vncconnection.c Schedule greeting timeout 0x5621f9d53478
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.161: ../src/vncconnection.c Remove timeout 0x5621f9d53478
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.161: ../src/vncconnection.c Server version: 3.8
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.161: ../src/vncconnection.c Sending full greeting
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.161: ../src/vncconnection.c Using version: 3.8
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.190: ../src/vncconnection.c Possible auth 19
(remote-viewer:2445675): virt-viewer-DEBUG: 14:36:54.191: Allocated 1024x768
(remote-viewer:2445675): virt-viewer-DEBUG: 14:36:54.191: Child allocate 1024x768
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.192: ../src/vncconnection.c Emit main context 14
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.192: ../src/vncconnection.c Thinking about auth type 19
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.192: ../src/vncconnection.c Decided on auth type 19
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.192: ../src/vncconnection.c Waiting for auth type
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.192: ../src/vncconnection.c Choose auth 19
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.192: ../src/vncconnection.c Checking if credentials are needed
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.192: ../src/vncconnection.c No credentials required
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.194: ../src/vncconnection.c Possible VeNCrypt sub-auth 261
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.194: ../src/vncconnection.c Emit main context 15
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.194: ../src/vncconnection.c Requested auth subtype 261
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.194: ../src/vncconnection.c Waiting for VeNCrypt auth subtype
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.194: ../src/vncconnection.c Choose auth subtype 261
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.194: ../src/vncconnection.c Checking if credentials are needed
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.194: ../src/vncconnection.c No credentials required
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.194: ../src/vncconnection.c Do TLS handshake
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Checking if credentials are needed
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Want a TLS clientname
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Requesting missing credentials
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Emit main context 13
(remote-viewer:2445675): virt-viewer-DEBUG: 14:36:54.195: Got VNC credential request for 1 credential(s)
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Set credential 2 libvirt
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Searching for certs in /etc/pki
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Searching for certs in /home/user/.pki
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Failed to find certificate CA/cacrl.pem
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Failed to find certificate libvirt/private/clientkey.pem
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Failed to find certificate libvirt/clientcert.pem
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Waiting for missing credentials
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Got all credentials
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c No client cert or key provided
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c No CA revocation list provided
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Handshake was blocking
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.197: ../src/vncconnection.c Handshake was blocking
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.199: ../src/vncconnection.c Handshake was blocking
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.200: ../src/vncconnection.c Handshake was blocking
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.200: ../src/vncconnection.c Handshake done
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.200: ../src/vncconnection.c Validating
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.200: ../src/vncconnection.c Certificate is valid.
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.200: ../src/vncconnection.c Checking chain 0
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.200: ../src/vncconnection.c Error: The certificate's owner does not match hostname '10.224.102.72'
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.200: ../src/vncconnection.c Emit main context 19
(remote-viewer:2445675): virt-viewer-WARNING **: 14:36:54.200: vnc-session: got vnc error The certificate's owner does not match hostname '10.224.102.72'
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.200: ../src/vncdisplay.c VNC server error
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.200: ../src/vncconnection.c Auth failed
Also, the noVNC client throws "Something went wrong, connection is closed".
The certificate on one of the hosts looks like:
[root@rhev01 ~]# openssl x509 -in /etc/pki/vdsm/libvirt-vnc/server-cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 165 (0xa5)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = SU Opava, CN = CA-rhv.example.com.51627
        Validity
            Not Before: Jan 11 12:06:21 2023 GMT
            Not After : Jan 13 12:06:21 2028 GMT
        Subject: O = SU Opava, CN = rhev01.net.slu.cz
        ...
            X509v3 Subject Alternative Name:
                DNS:rhev01.net.slu.cz
Yes, the certificate has the DNS name of the host inside, while the .vv file
uses an IP address. Is it a bug? Can I disable hostname checking in
remote-viewer somehow?
Thanks in advance,
Jiri
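
Added example, not part of the original message and not gtk-vnc or virt-viewer code: a stdlib-only check that reads the host= value from a .vv file and the Subject Alternative Name line from `openssl x509 -text` output, then applies RFC 2818-style matching, where an IP literal is compared only against iPAddress SAN entries. The function names and the trimmed sample inputs are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed samples, trimmed from the .vv file and certificate dump above.
SAMPLE_VV = "[virt-viewer]\ntype=vnc\nhost=10.224.102.72\ntitle=srv.example.com:%d\n"
SAMPLE_CERT_TEXT = """\
        Subject: O = SU Opava, CN = rhev01.net.slu.cz
            X509v3 Subject Alternative Name:
                DNS:rhev01.net.slu.cz
"""

def vv_host(vv_text):
    # interpolation=None: values such as title=...:%d are not format strings.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(vv_text)
    return cp["virt-viewer"]["host"]

def san_entries(cert_text):
    """Parse the SAN line of `openssl x509 -text` into (type, value) pairs."""
    lines = cert_text.splitlines()
    for i, line in enumerate(lines):
        if "X509v3 Subject Alternative Name" in line and i + 1 < len(lines):
            items = [p.strip() for p in lines[i + 1].split(",")]
            return [tuple(p.split(":", 1)) for p in items if ":" in p]
    return []

def dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole first label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def host_matches(host, sans):
    """An IP literal matches only 'IP Address' SANs, a name only 'DNS' SANs."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(t == "DNS" and dns_match(v, host) for t, v in sans)
    return any(t == "IP Address" and ipaddress.ip_address(v) == ip
               for t, v in sans)

def diagnose(vv_text, cert_text):
    host, sans = vv_host(vv_text), san_entries(cert_text)
    return host, sans, host_matches(host, sans)

if __name__ == "__main__":
    print(diagnose(SAMPLE_VV, SAMPLE_CERT_TEXT))
```

With the sample inputs the result is a mismatch: the certificate carries only a DNS entry, so the IP address in host= has nothing to match against, while the name rhev01.net.slu.cz does match.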