Bug 1757793
| Field | Value |
| --- | --- |
| Summary | virt-viewer ignores CA-Cert in .vv file for encrypted VNC |
| Product | Red Hat Enterprise Linux 8 |
| Reporter | Tomasz Barański <tbaransk> |
| Component | virt-viewer |
| Assignee | Virtualization Maintenance <virt-maint> |
| Status | CLOSED WONTFIX |
| QA Contact | Virtualization Bugs <virt-bugs> |
| Severity | unspecified |
| Priority | medium |
| Version | 8.0 |
| CC | berrange, dfediuck, jcall, juzhou, michal.skrivanek, mtessun, tzheng, xiaodwan |
| Target Milestone | rc |
| Keywords | Triaged |
| Target Release | 8.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2021-04-05 13:42:44 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
Tomasz Barański
2019-10-02 13:11:13 UTC
Created attachment 1621839 [details]
Example console.vv file

AFAICT this is missing from gtk-vnc as well. I think it's best to track this in current RHEL version.

(In reply to Michal Skrivanek from comment #3)
> AFAICT this is missing from gtk-vnc as well.
>
> I think it's best to track this in current RHEL version

Would a backport to RHEL 7 be likely/considered as well?

Hi all, I guess it's the same issue as Bug 1751065. My reproduce steps:

Package version on rhel7:
virt-viewer-5.0-15.el7.x86_64
rhv: 4.3.6.5-0.1.el7

Steps:
1. Prepare a guest with the graphics protocol set to vnc on rhv.
2. Start a VM.
3. Connect to the VM using the downloaded console.vv file.
    $ remote-viewer Downloads/console.vv
   Result: the console disappears immediately; failed to connect to the VM.
4. Download the certificate file to ~/.pki/CA/cacert.pem
    $ wget -O ~/.pki/CA/cacert.pem http://ibm-x3xxxxx/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
5. Rerun step 3.
   Result: the VM's console is displayed successfully.

Package version on rhel8:
virt-viewer-7.0-8.el8.x86_64
rhv: 4.3.6.5-0.1.el7

Steps:
Rerun the above steps, but I cannot connect to the VM's console at all (even though I do step 4).

(In reply to zhoujunqin from comment #5)
> Steps:
> Rerun above steps, but i cannot connect to vm's console all the time(Even
> though I do as step4).

Did you run remote/virt-viewer in debug mode to look for errors?
    # remote-viewer --debug -v --gtk-vnc-debug ~/Downloads/console.vv

(In reply to John Call from comment #6)
> (In reply to zhoujunqin from comment #5)
> > Steps:
> > Rerun above steps, but i cannot connect to vm's console all the time(Even
> > though I do as step4).
>
> Did you run remote/virt-viewer in debug mode to look for errors?
> # remote-viewer --debug -v --gtk-vnc-debug ~/Downloads/console.vv

Packages:
virt-viewer-7.0-8.el8.x86_64
gtk-vnc2.x86_64

    $ ll .pki/CA/cacert.pem
    -rw-rw-r--. 1 juzhou juzhou 1497 Oct 8 04:18 .pki/CA/cacert.pem
    $ remote-viewer --debug -v --gtk-vnc-debug ~/Downloads/console.vv
    ...
    (remote-viewer:4337): gtk-vnc-DEBUG: 06:39:16.332: vncconnection.c Error: The certificate's owner does not match hostname '10.73.224.197'
    (remote-viewer:4337): gtk-vnc-DEBUG: 06:39:16.332: vncconnection.c Emit main context 16
    (remote-viewer:4337): gtk-vnc-DEBUG: 06:39:16.332: vncdisplay.c VNC server error
    (remote-viewer:4337): gtk-vnc-DEBUG: 06:39:16.332: vncconnection.c Auth failed
    ...

I will attach the whole debug log, called log_rhel8.

Created attachment 1624252 [details]
debug log on rhel8

(In reply to zhoujunqin from comment #5)
> $ wget -O ~/.pki/CA/cacert.pem http://ibm-x3xxxxx/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA

(In reply to zhoujunqin from comment #7)
> Error: The certificate's owner does not match hostname '10.73.224.197'

It looks like you're using the FQDN and IP address of RHVM interchangeably, which is not well tolerated. You could probably get this to work if the certificate's CN value was consistent.

Hi John, I checked my testing environment again: my rhv server is machine-A, and my vm is running on a host machine-B registered on the RHV system.

> Error: The certificate's owner does not match hostname '10.73.224.197'

This IP address is for machine-B; even when I registered machine-B on machine-A again, it didn't work.

> http://ibm-x3xxxxx/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA

This hostname is for machine-A. We always register several hosts on the same rhv system. And as in Comment 5, it works on rhel7; I don't know why it doesn't work on rhel8.

Created attachment 1625887 [details]
console.vv file_juzhou

Created attachment 1625888 [details]
debug_rhel7

After I register machine-B with hostname on rhv, I cannot connect to the VM console with either the rhel7 or the rhel8 virt-viewer version.

Note that virt-viewer does not actually decide/control where the certificates must live. This is defined by the gtk-vnc library to require $HOME/.pki. So to address this limitation will require new work on gtk-vnc to make it possible to set certs via a new API. virt-viewer will then need updating to use the new APIs if available.

After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.
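The workaround from the reproduce steps (putting the CA where gtk-vnc reads it, $HOME/.pki/CA/cacert.pem) driven from the .vv file itself, plus a check for the IP-versus-FQDN host value behind the "certificate's owner does not match hostname" error, as an added example that is not part of the bug report, virt-viewer or gtk-vnc. It assumes the .vv file is GKeyFile-style INI whose ca= value uses literal backslash-n escapes, and the sample file and certificate body are constructed placeholders.

```python
"""Extract the CA from a virt-viewer .vv file and install it where gtk-vnc
looks for it ($HOME/.pki/CA/cacert.pem); also flag an IP-literal host=, the
condition behind "certificate's owner does not match hostname" above."""
import configparser
import ipaddress
import os
from pathlib import Path
from typing import Optional

# Constructed sample console.vv (not the bug's attachment); the certificate
# body is a placeholder string, not a real certificate.
SAMPLE_VV = """[virt-viewer]
type=vnc
host=10.73.224.197
port=5900
password=placeholder-ticket
ca=-----BEGIN CERTIFICATE-----\\nPLACEHOLDER-CA-BODY\\n-----END CERTIFICATE-----\\n
"""


def parse_vv(text: str) -> dict:
    """Return the [virt-viewer] section as a dict (values left unescaped)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["virt-viewer"])


def extract_ca(text: str) -> str:
    """Return the embedded CA as PEM text. The .vv value carries literal
    backslash-n sequences (GKeyFile escaping, assumed); decode to newlines."""
    pem = parse_vv(text).get("ca", "").replace("\\n", "\n")
    return pem if pem.endswith("\n") else pem + "\n"


def host_is_ip_literal(text: str) -> bool:
    """True when host= is an IP address. gtk-vnc checks the certificate owner
    against this value, so a cert issued for the FQDN will be rejected."""
    try:
        ipaddress.ip_address(parse_vv(text).get("host", ""))
        return True
    except ValueError:
        return False


def install_ca(text: str, dest: Optional[Path] = None) -> Path:
    """Write the CA to gtk-vnc's fixed path (directory 0700, file 0600)."""
    dest = dest or Path.home() / ".pki" / "CA" / "cacert.pem"
    dest.parent.mkdir(parents=True, exist_ok=True, mode=0o700)
    dest.write_text(extract_ca(text))
    os.chmod(dest, 0o600)
    return dest
```

Run install_ca(open("console.vv").read()) before launching remote-viewer; if host_is_ip_literal() is True, expect the hostname-mismatch failure unless the server certificate was issued for that IP.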