Hello
From: Patrick Hibbs <[email protected]>
Sent: Sunday, 25 June 2023 03:14
To: R A <[email protected]>; [email protected]
Subject: Re: [ovirt-users] ovirt 4.5 VNC Failed to complete handshake Error in
the pull function on Windows
Hello,
On 6/23/23 13:23, R A wrote:
Hello,
I am using ovirt 4.5.4-1.el9 standalone on Rocky Linux and have some struggles
with the vnc connection.
I have engine.mydomain.de, which contains the ovirt-engine. I installed a third
party certificate successfully. So when I call engine.mydomain.de/ovirt-engine
or node1.mydomain.de:9090 the browser tells me that the connection is secured.
My first host is node1.mydomain.de, which has currently one VM up.
On Linux Client (Rocky Linux 9.2)
1. When I run „remote-viewer --debug /home/user1/Downloads/console.vv
--gtk-vnc-debug“ everything works fine. RemoteViewer opens and I can see the
console of my vm
2. When I try to open the console.vv directly via remoteViewer from
engine-portal I get feedback from remoteViewer: „The certificate is not
trusted“
Did you do that after opening console.vv manually? Or did you
download a new console.vv before doing so?
console.vv files are good for one use only. As they contain a
one-time password that is revoked after use.
I fetched a new console.vv after each test for sure.
3. When I try to open via novnc a new tab opens and I get „Something went
wrong, connection is closed“
Again, did you reuse that console.vv file? Or did you download a new
one? FYI: The file should be deleted automatically after remote-viewer opens
it. As it's not supposed to be reused.
Same here
On Windows 11
1. When I generate the console.vv and copy the password and host address +
port to TigerVNC client everything works fine. TigerVNC tells me that connection
is secured
2. When opening console.vv directly via RemoteViewer I get „Failed to
complete handshake Error in the pull function“
3. When I try to open via novnc a new tab opens and I get „Something went
wrong, connection is closed“
4. When I run "C:\ProgramData\Microsoft\Windows\Start
Menu\Programs\VirtViewer\Remote viewer.lnk" --debug
C:\Users\rezaa\Downloads\console.vv --gtk-vnc-debug
I get:
C:\Users\rezaa>"C:\ProgramData\Microsoft\Windows\Start
Menu\Programs\VirtViewer\Remote viewer.lnk" --debug
C:\Users\rezaa\Downloads\console.vv --gtk-vnc-debug
C:\Users\rezaa>(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.218:
keymap string is empty - nothing to do
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.264: Opening display to
C:\Users\rezaa\Downloads\console.vv
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.265: Guest (NULL) has a
vnc display
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.271: ../src/vncconnection.c
Init VncConnection=00000000070f1c90
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.271:
../src/vncdisplaykeymap.c Using Win32 virtual keycode mapping
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.272: ../src/vncdisplay.c Grab
sequence is now Control_L+Alt_L
(remote-viewer.exe:9460): libsoup-WARNING **: 19:16:33.277: Could not set SSL
credentials from '/etc/pki/tls/certs/ca-bundle.crt': Vertrauenswürdigkeitsliste
konnte nicht aus /etc/pki/tls/certs/ca-bundle.crt befüllt werden: Error while
reading file.
(remote-viewer.exe:9460): libsoup-WARNING **: 19:16:33.277: Could not set SSL
credentials from '/etc/pki/tls/certs/ca-bundle.crt': Vertrauenswürdigkeitsliste
konnte nicht aus /etc/pki/tls/certs/ca-bundle.crt befüllt werden: Error while
reading file.
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.278: Spice foreign menu
updated
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.278: After open
connection callback fd=-1
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.279: Opening connection
to display at C:\Users\rezaa\Downloads\console.vv
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.289: fullscreen display
0: 0
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.289: ../src/vncconnection.c
Open host=node1.mydomain.de port=5900
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.289: notebook show status
0000000004408580
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.875: ../src/vncconnection.c
Open coroutine starting
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.876: ../src/vncconnection.c
Started background coroutine
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.877: ../src/vncconnection.c
Resolving host node1.mydomain.de 5900
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.880: ../src/vncconnection.c
Trying one socket
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.881: ../src/vncconnection.c
Schedule socket timeout 00000000070f0a40
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.882: ../src/vncconnection.c
Socket pending
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.914: ../src/vncconnection.c
Finally connected
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.915: ../src/vncconnection.c
Remove timeout 00000000070f0a40
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.916: ../src/vncconnection.c
Emit main context 13
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.917: ../src/vncdisplay.c Grab
sequence is now
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.917: notebook show status
0000000004408580
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.919: Insert display 0
0000000007572f80
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.919: notebook show status
0000000004408580
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.920: ../src/vncdisplay.c
Connected to VNC server
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.920: ../src/vncconnection.c
Protocol initialization
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.920: ../src/vncconnection.c
Schedule greeting timeout 00000000070f0a40
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.921: ../src/vncconnection.c
Read error Ein nicht blockierender Socketvorgang konnte nicht sofort ausgeführt
werden.
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.922: Allocated 1024x768
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:33.922: Child allocate
1024x640
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.946: ../src/vncconnection.c
Remove timeout 00000000070f0a40
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.947: ../src/vncconnection.c
Server version: 3.8
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.950: ../src/vncconnection.c
Sending full greeting
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.951: ../src/vncconnection.c
Using version: 3.8
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.964: ../src/vncconnection.c
Read error Ein nicht blockierender Socketvorgang konnte nicht sofort ausgeführt
werden.
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.983: ../src/vncconnection.c
Possible auth 19
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.984: ../src/vncconnection.c
Emit main context 11
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.984: ../src/vncconnection.c
Thinking about auth type 19
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.985: ../src/vncconnection.c
Decided on auth type 19
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.985: ../src/vncconnection.c
Waiting for auth type
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.986: ../src/vncconnection.c
Choose auth 19
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.986: ../src/vncconnection.c
Checking if credentials are needed
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.987: ../src/vncconnection.c
No credentials required
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.987: ../src/vncconnection.c
Read error Ein nicht blockierender Socketvorgang konnte nicht sofort ausgeführt
werden.
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.019: ../src/vncconnection.c
Read error Ein nicht blockierender Socketvorgang konnte nicht sofort ausgeführt
werden.
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.050: ../src/vncconnection.c
Possible VeNCrypt sub-auth 261
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.051: ../src/vncconnection.c
Emit main context 12
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.052: ../src/vncconnection.c
Requested auth subtype 261
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.053: ../src/vncconnection.c
Waiting for VeNCrypt auth subtype
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.054: ../src/vncconnection.c
Choose auth 261
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.055: ../src/vncconnection.c
Checking if credentials are needed
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.056: ../src/vncconnection.c
No credentials required
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.056: ../src/vncconnection.c
Read error Ein nicht blockierender Socketvorgang konnte nicht sofort ausgeführt
werden.
(remote-viewer.exe:9460): GLib-GIO-WARNING **: 19:16:34.073: Unexpectedly, UWP
app `Microsoft.ScreenSketch_11.2303.17.0_x64__8wekyb3d8bbwe' (AUMId
`Microsoft.ScreenSketch_8wekyb3d8bbwe!App') supports 29 extensions but has no
verbs
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.088: ../src/vncconnection.c
Do TLS handshake
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.089: ../src/vncconnection.c
Checking if credentials are needed
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.092: ../src/vncconnection.c
Want a TLS clientname
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.094: ../src/vncconnection.c
Requesting missing credentials
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.102: ../src/vncconnection.c
Emit main context 10
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:34.105: Got VNC credential
request for 1 credential(s)
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.105: ../src/vncconnection.c
Set credential 2 libvirt
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.106: ../src/vncconnection.c
Searching for certs in /usr/x86_64-w64-mingw32/sys-root/mingw/etc/pki
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.108: ../src/vncconnection.c
Failed to find certificate CA/cacert.pem
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.109: ../src/vncconnection.c
No CA certificate provided, using GNUTLS global trust
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.111: ../src/vncconnection.c
Failed to find certificate CA/cacrl.pem
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.113: ../src/vncconnection.c
Failed to find certificate libvirt/private/clientkey.pem
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.113: ../src/vncconnection.c
Failed to find certificate libvirt/clientcert.pem
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.114: ../src/vncconnection.c
Waiting for missing credentials
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.117: ../src/vncconnection.c
Got all credentials
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.120: ../src/vncconnection.c
No CA certificate provided; trying the system trust store instead
(remote-viewer.exe:9460): GLib-GIO-WARNING **: 19:16:34.120: Unexpectedly, UWP
app `Clipchamp.Clipchamp_2.6.2.0_neutral__yxz26nhyzhsrt' (AUMId
`Clipchamp.Clipchamp_yxz26nhyzhsrt!App') supports 41 extensions but has no verbs
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.132: ../src/vncconnection.c
Using the system trust store and CRL
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.132: ../src/vncconnection.c
No client cert or key provided
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.133: ../src/vncconnection.c
No CA revocation list provided
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.133: ../src/vncconnection.c
Error: Failed to complete handshake Error in the pull function.
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.134: ../src/vncconnection.c
Emit main context 16
(remote-viewer.exe:9460): virt-viewer-WARNING **: 19:16:34.134: vnc-session:
got vnc error Failed to complete handshake Error in the pull function.
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.135: ../src/vncdisplay.c VNC
server error
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.135: ../src/vncconnection.c
Auth failed
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.135: ../src/vncconnection.c
Doing final VNC cleanup
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.136: ../src/vncconnection.c
Close VncConnection=00000000070f1c90
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.136: ../src/vncconnection.c
Emit main context 15
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.137: ../src/vncdisplay.c
Disconnected from VNC server
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:34.137: Not removing main
window 0 00000000044694d0
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.138: ../src/vncdisplay.c Grab
sequence is now
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:34.138: Disconnected
(remote-viewer.exe:9460): virt-viewer-DEBUG: 19:16:47.126: close
vnc=00000000070ec090
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:47.127: ../src/vncconnection.c
Init VncConnection=00000000053f6af0
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:47.127:
../src/vncdisplaykeymap.c Using Win32 virtual keycode mapping
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:47.128: ../src/vncdisplay.c Grab
sequence is now Control_L+Alt_L
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:47.129: ../src/vncdisplay.c
Display destroy, requesting that VNC connection close
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:47.129: ../src/vncdisplay.c
Releasing VNC widget
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:47.129: ../src/vncconnection.c
Finalize VncConnection=00000000053f6af0
This looks like your Windows host lacks the ovirt-engine CA in its
trust store. You should try importing the CA first before opening the
console.vv file.
I imported the engine-ca from here
https://<engine-url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
via MMC and the Certificate SnapIn to
my Windows. But still getting the same error.
It's not possible* to use a third party CA to secure the VNC
connections. As the VNC connections originate on the virtualization hosts
themselves, the CA that they use is the internal ovirt-engine CA that was
automatically generated by engine-setup.
Yeah, I know that the third party CA is only for the website
communication but not for communication between the hosts.
If you don't want to import the ovirt-engine CA on the end-user
machines, your best option is to force end users through the end-user portal.
Alternatively, you could disable VNC encryption entirely and secure the link
via other means.
What do you mean exactly by „through the end-user portal“? I
generated the console.vv always from adminportal or vmportal.
*: Technically it is possible to use a third party CA cert on the
VNC connections, but it will only work until VDSM reboots the host or performs
a host upgrade. As there is no way to force VDSM to ignore the "invalid" custom
cert.
I imported the engine-ca on my RockyLinux into
/etc/pki/ca-trust/source/anchors and now it's working on Rocky Linux and now it
works when opening the console.vv directly via RemoteViewer. But still having
a problem opening via the „novnc“ option via browser.
But I am still struggling with Windows (nativeClient and novnc option)
-Patrick Hibbs
The solutions provided here were not successful
https://access.redhat.com/solutions/6217601
BR
R A
_______________________________________________
Users mailing list -- [email protected]<mailto:[email protected]>
To unsubscribe send an email to
[email protected]<mailto:[email protected]>
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/[email protected]/message/XG7T3A77SJKNTFBEOCVETNOXLJM4VZS5/
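
The reading of the debug output discussed in this thread (VeNCrypt X.509 sub-auth, no CA file found, fallback to the system trust store, then a failed handshake) can be scripted. This is an added example, not part of the original messages and not gtk-vnc code; the sample log is constructed from the line shapes quoted above, and `unwrap`, `summarize` and the `suspect_untrusted_ca` heuristic are hypothetical names.

```python
import re

# Constructed sample in the shape of the gtk-vnc debug output quoted in the
# thread, including the hard line wraps introduced by the mail client.
SAMPLE_LOG = """\
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:33.985: ../src/vncconnection.c
Decided on auth type 19
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.052: ../src/vncconnection.c
Requested auth subtype 261
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.108: ../src/vncconnection.c
Failed to find certificate CA/cacert.pem
(
remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.120: ../src/vncconnection.c No
CA certificate provided; trying the system trust store instead
(remote-viewer.exe:9460): gtk-vnc-DEBUG: 19:16:34.133: ../src/vncconnection.c
Error: Failed to complete handshake Error in the pull function.
"""

X509_SUBTYPES = {260: "X509NONE", 261: "X509VNC", 262: "X509PLAIN"}  # VeNCrypt
ENTRY = re.compile(r"\(\s*[\w.-]+:\d+\): [\w-]+-(?:DEBUG|WARNING)(?: \*\*)?: [\d:.]+:")

def unwrap(text):
    """Rejoin mail-wrapped lines and return one message string per log entry."""
    flat = " ".join(text.split())
    return [p.strip() for p in ENTRY.split(flat) if p.strip()]

def summarize(text):
    """Extract the TLS-relevant facts from a gtk-vnc debug log."""
    s = {"auth": None, "subtype": None, "ca_file_missing": False, "trust": None, "error": None}
    for msg in unwrap(text):
        if m := re.search(r"Decided on auth type (\d+)", msg):
            s["auth"] = int(m.group(1))            # 19 = VeNCrypt
        elif m := re.search(r"Requested auth subtype (\d+)", msg):
            s["subtype"] = int(m.group(1))
        elif "Failed to find certificate CA/cacert.pem" in msg:
            s["ca_file_missing"] = True
        elif "system trust store" in msg or "GNUTLS global trust" in msg:
            s["trust"] = "system trust store"
        elif m := re.search(r"Error: (.*)", msg):
            s["error"] = m.group(1)
    # Heuristic (assumption, following the reply in the thread): X.509 VeNCrypt,
    # no explicit CA file, and a failed handshake point at an untrusted issuing CA.
    s["suspect_untrusted_ca"] = bool(
        s["subtype"] in X509_SUBTYPES and s["ca_file_missing"]
        and s["error"] and "handshake" in s["error"]
    )
    return s
```
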