can connect to a vm which has spice console protocol by remote-viewer but that not working with vnc protocol the remote-viewer can't validate the server certs, is this a bug on the remote-viewerside or in the hypervisor? this problem is generally known? will it be fixed?
вс, 29 мар. 2020 г. в 12:52, David David <dd432...@gmail.com>: > there is no such problem with the ovirt-engine 4.2.5.2-1.el7 > it appeared when upgrading to 4.3.* > > вс, 29 мар. 2020 г. в 12:46, David David <dd432...@gmail.com>: > >> tested on four different workstations with: fedora20, fedora31 and >> windows10(remote-manager last vers) >> >> вс, 29 мар. 2020 г. в 12:39, Strahil Nikolov <hunter86...@yahoo.com>: >> >>> On March 29, 2020 9:47:02 AM GMT+03:00, David David <dd432...@gmail.com> >>> wrote: >>> >I did as you said: >>> >copied from engine /etc/ovirt-engine/ca.pem onto my desktop into >>> >/etc/pki/ca-trust/source/anchors and then run update-ca-trust >>> >it didn’t help, still the same errors >>> > >>> > >>> >пт, 27 мар. 2020 г. в 21:56, Strahil Nikolov <hunter86...@yahoo.com>: >>> > >>> >> On March 27, 2020 12:23:10 PM GMT+02:00, David David >>> ><dd432...@gmail.com> >>> >> wrote: >>> >> >here is debug from opening console.vv by remote-viewer >>> >> > >>> >> >2020-03-27 14:09 GMT+04:00, Milan Zamazal <mzama...@redhat.com>: >>> >> >> David David <dd432...@gmail.com> writes: >>> >> >> >>> >> >>> yes i have >>> >> >>> console.vv attached >>> >> >> >>> >> >> It looks the same as mine. >>> >> >> >>> >> >> There is a difference in our logs, you have >>> >> >> >>> >> >> Possible auth 19 >>> >> >> >>> >> >> while I have >>> >> >> >>> >> >> Possible auth 2 >>> >> >> >>> >> >> So I still suspect a wrong authentication method is used, but I >>> >don't >>> >> >> have any idea why. >>> >> >> >>> >> >> Regards, >>> >> >> Milan >>> >> >> >>> >> >>> 2020-03-26 21:38 GMT+04:00, Milan Zamazal <mzama...@redhat.com>: >>> >> >>>> David David <dd432...@gmail.com> writes: >>> >> >>>> >>> >> >>>>> copied from qemu server all certs except "cacrl" to my >>> >> >desktop-station >>> >> >>>>> into /etc/pki/ >>> >> >>>> >>> >> >>>> This is not needed, the CA certificate is included in console.vv >>> >> >and no >>> >> >>>> other certificate should be needed. >>> >> >>>> >>> >> >>>>> but remote-viewer is still didn't work >>> >> >>>> >>> >> >>>> The log looks like remote-viewer is attempting certificate >>> >> >>>> authentication rather than password authentication. Do you have >>> >> >>>> password in console.vv? It should look like: >>> >> >>>> >>> >> >>>> [virt-viewer] >>> >> >>>> type=vnc >>> >> >>>> host=192.168.122.2 >>> >> >>>> port=5900 >>> >> >>>> password=fxLazJu6BUmL >>> >> >>>> # Password is valid for 120 seconds. >>> >> >>>> ... >>> >> >>>> >>> >> >>>> Regards, >>> >> >>>> Milan >>> >> >>>> >>> >> >>>>> 2020-03-26 2:22 GMT+04:00, Nir Soffer <nsof...@redhat.com>: >>> >> >>>>>> On Wed, Mar 25, 2020 at 12:45 PM David David >>> ><dd432...@gmail.com> >>> >> >>>>>> wrote: >>> >> >>>>>>> >>> >> >>>>>>> ovirt 4.3.8.2-1.el7 >>> >> >>>>>>> gtk-vnc2-1.0.0-1.fc31.x86_64 >>> >> >>>>>>> remote-viewer version 8.0-3.fc31 >>> >> >>>>>>> >>> >> >>>>>>> can't open vm console by remote-viewer >>> >> >>>>>>> vm has vnc console protocol >>> >> >>>>>>> when click on console button to connect to a vm, the >>> >> >remote-viewer >>> >> >>>>>>> console disappear immediately >>> >> >>>>>>> >>> >> >>>>>>> remote-viewer debug in attachment >>> >> >>>>>> >>> >> >>>>>> You an issue with the certificates: >>> >> >>>>>> >>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.238: >>> >> >>>>>> ../src/vncconnection.c Set credential 2 libvirt >>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: >>> >> >>>>>> ../src/vncconnection.c Searching for certs in /etc/pki >>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: >>> >> >>>>>> ../src/vncconnection.c Searching for certs in /root/.pki >>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: >>> >> >>>>>> ../src/vncconnection.c Failed to find certificate >>> >CA/cacert.pem >>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: >>> >> >>>>>> ../src/vncconnection.c No CA certificate provided, using >>> >GNUTLS >>> >> >global >>> >> >>>>>> trust >>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: >>> >> >>>>>> ../src/vncconnection.c Failed to find certificate CA/cacrl.pem >>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: >>> >> >>>>>> ../src/vncconnection.c Failed to find certificate >>> >> >>>>>> libvirt/private/clientkey.pem >>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: >>> >> >>>>>> ../src/vncconnection.c Failed to find certificate >>> >> >>>>>> libvirt/clientcert.pem >>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: >>> >> >>>>>> ../src/vncconnection.c Waiting for missing credentials >>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: >>> >> >>>>>> ../src/vncconnection.c Got all credentials >>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.239: >>> >> >>>>>> ../src/vncconnection.c No CA certificate provided; trying the >>> >> >system >>> >> >>>>>> trust store instead >>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.240: >>> >> >>>>>> ../src/vncconnection.c Using the system trust store and CRL >>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.240: >>> >> >>>>>> ../src/vncconnection.c No client cert or key provided >>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.240: >>> >> >>>>>> ../src/vncconnection.c No CA revocation list provided >>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.241: >>> >> >>>>>> ../src/vncconnection.c Handshake was blocking >>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.243: >>> >> >>>>>> ../src/vncconnection.c Handshake was blocking >>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.251: >>> >> >>>>>> ../src/vncconnection.c Handshake was blocking >>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.298: >>> >> >>>>>> ../src/vncconnection.c Handshake done >>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.298: >>> >> >>>>>> ../src/vncconnection.c Validating >>> >> >>>>>> (remote-viewer:2721): gtk-vnc-DEBUG: 11:56:25.301: >>> >> >>>>>> ../src/vncconnection.c Error: The certificate is not trusted >>> >> >>>>>> >>> >> >>>>>> Adding people that may know more about this. >>> >> >>>>>> >>> >> >>>>>> Nir >>> >> >>>>>> >>> >> >>>>>> >>> >> >>>> >>> >> >>>> >>> >> >> >>> >> >> >>> >> >>> >> Hello, >>> >> >>> >> You can try to take the engine's CA (maybe it's useless) and put it >>> >on >>> >> your system in: >>> >> /etc/pki/ca-trust/source/anchors (if it's EL7 or a Fedora) and then >>> >run >>> >> update-ca-trust >>> >> >>> >> Best Regards, >>> >> Strahil Nikolov >>> >> >>> >>> Hey David, >>> >>> What is you workstation's OS ? >>> Also, have you tried from another workstation ? >>> >>> Best Regards, >>> Strahil Nikolov >>> >>
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/MACDEEWMWOTPGHIJ24WTQI5KAL4TMYS7/
