Bug 1757793 - virt-viewer ignores CA-Cert in .vv file for encrypted VNC
Summary: virt-viewer ignores CA-Cert in .vv file for encrypted VNC
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: virt-viewer
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Virtualization Maintenance
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-10-02 13:11 UTC by Tomasz Barański
Modified: 2021-04-05 13:42 UTC (History)
CC: 8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-04-05 13:42:44 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
Example console.vv file (1.92 KB, text/plain)
2019-10-02 13:12 UTC, Tomasz Barański
debug log on rhel8 (9.53 KB, text/plain)
2019-10-10 10:43 UTC, zhoujunqin
console.vv file_juzhou (2.14 KB, text/plain)
2019-10-15 09:31 UTC, zhoujunqin
debug_rhel7 (15.42 KB, text/plain)
2019-10-15 09:33 UTC, zhoujunqin

Description Tomasz Barański 2019-10-02 13:11:13 UTC
Description of problem:


When an encrypted VNC connection is used, virt-viewer needs the CA certificate. Even though the certificate is present in the .vv file (in the [ovirt] section, see the example file attached), virt-viewer does not recognize it and expects the certificate to be available at ~/.pki/CA/cacert.pem


How reproducible:
100%


Steps to Reproduce:
1. Setup oVirt to use encrypted VNC connections.
2. Start a VM.
3. Connect to the VM using downloaded console.vv file.

Actual results:
virt-viewer refuses to connect.


Expected results:
virt-viewer connects to the VM.


Additional info:
Existing workaround: manually copy the certificate from console.vv to ~/.pki/CA/cacert.pem

Comment 2 Tomasz Barański 2019-10-02 13:12:01 UTC
Created attachment 1621839 [details]
Example console.vv file

Comment 3 Michal Skrivanek 2019-10-03 08:59:56 UTC
AFAICT this is missing from gtk-vnc as well.

I think it's best to track this in current RHEL version

Comment 4 John Call 2019-10-04 00:57:20 UTC
(In reply to Michal Skrivanek from comment #3)
> AFAICT this is missing from gtk-vnc as well.
> 
> I think it's best to track this in current RHEL version

Would a backport to RHEL 7 be likely/considered as well?

Comment 5 zhoujunqin 2019-10-08 08:21:32 UTC
Hi all,
I guess it's the same issue as Bug 1751065.

My reproduce steps:
Package version on rhel7:
virt-viewer-5.0-15.el7.x86_64
rhv:4.3.6.5-0.1.el7


Steps:
1. Prepare a guest on RHV with the graphics protocol set to VNC
2. Start a VM.
3. Connect to the VM using downloaded console.vv file.

$ remote-viewer Downloads/console.vv

Result: The console disappears immediately; it fails to connect to the VM.
4. Download the certificate file to ~/.pki/CA/cacert.pem

$ wget -O ~/.pki/CA/cacert.pem 'http://ibm-x3xxxxx/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA'

5. Rerun step 3.

Result: The VM's console is displayed successfully.

Package version on rhel8:
virt-viewer-7.0-8.el8.x86_64
rhv:4.3.6.5-0.1.el7


Steps:
Rerun the above steps; I cannot connect to the VM's console at all (even after doing step 4).

Comment 6 John Call 2019-10-09 14:56:13 UTC
(In reply to zhoujunqin from comment #5)
> Steps:
> Rerun above steps, but i cannot connect to vm's console all the time(Even
> though I do as step4).

Did you run remote/virt-viewer in debug mode to look for errors?
# remote-viewer --debug -v --gtk-vnc-debug ~/Downloads/console.vv

Comment 7 zhoujunqin 2019-10-10 10:42:36 UTC
(In reply to John Call from comment #6)
> (In reply to zhoujunqin from comment #5)
> > Steps:
> > Rerun above steps, but i cannot connect to vm's console all the time(Even
> > though I do as step4).
> 
> Did you run remote/virt-viewer in debug mode to look for errors?
> # remote-viewer --debug -v --gtk-vnc-debug ~/Downloads/console.vv

Packages:
virt-viewer-7.0-8.el8.x86_64
gtk-vnc2.x86_64

$ ll .pki/CA/cacert.pem 
-rw-rw-r--. 1 juzhou juzhou 1497 Oct  8 04:18 .pki/CA/cacert.pem

$ remote-viewer --debug -v --gtk-vnc-debug ~/Downloads/console.vv
...
(remote-viewer:4337): gtk-vnc-DEBUG: 06:39:16.332: vncconnection.c Error: The certificate's owner does not match hostname '10.73.224.197'
(remote-viewer:4337): gtk-vnc-DEBUG: 06:39:16.332: vncconnection.c Emit main context 16
(remote-viewer:4337): gtk-vnc-DEBUG: 06:39:16.332: vncdisplay.c VNC server error
(remote-viewer:4337): gtk-vnc-DEBUG: 06:39:16.332: vncconnection.c Auth failed
...

I will attach the whole debug log, called log_rhel8

Comment 8 zhoujunqin 2019-10-10 10:43:16 UTC
Created attachment 1624252 [details]
debug log on rhel8

Comment 9 John Call 2019-10-10 19:34:13 UTC
(In reply to zhoujunqin from comment #5)
> $ wget -O ~/.pki/CA/cacert.pem http://ibm-x3xxxxx/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA

(In reply to zhoujunqin from comment #7)
> Error: The certificate's owner does not match hostname '10.73.224.197'

It looks like you're using the FQDN and IP address of RHVM interchangeably, which is not well tolerated.  You could probably get this to work if the certificate's CN value was consistent.
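The workaround from the description (copy the CA out of console.vv into ~/.pki/CA/cacert.pem) and the hostname check that fails in comment 7 can both be scripted. The block below is an added example written for this page; it is not code from virt-viewer, gtk-vnc or oVirt. It assumes the CA sits under a key named "ca" in the [ovirt] section with line breaks escaped as the two characters "\n"; the sample .vv text is constructed and its base64 body is a placeholder, not a real certificate.

```python
"""Install the CA embedded in an oVirt console.vv where gtk-vnc looks for it.

Added example, not part of the bug report or of virt-viewer. Assumed format:
[ovirt] section, key "ca", newlines escaped as the literal two characters \\n.
"""
import base64
import configparser
import ipaddress
import os
import tempfile
from pathlib import Path

# Constructed sample, not the attachment from the report; the base64 body is a
# placeholder fragment, not a real certificate.
SAMPLE_VV = (
    "[virt-viewer]\n"
    "type=vnc\n"
    "host=10.73.224.197\n"
    "port=5900\n"
    "password=one-time-ticket\n"
    "delete-this-file=1\n"
    "\n"
    "[ovirt]\n"
    "host=engine.example.com:443\n"
    "ca=-----BEGIN CERTIFICATE-----\\nMIIBxTCCAW4CAQAwDQYJKoZIhvcNAQELBQAw"
    "\\n-----END CERTIFICATE-----\\n\n"
)

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def parse_vv(text):
    # .vv files are INI-style; interpolation is off so a '%' in a value survives.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def extract_ca(cp):
    """Return the [ovirt] CA as real multi-line PEM, or None if it is absent."""
    if not cp.has_option("ovirt", "ca"):
        return None
    return cp.get("ovirt", "ca").replace("\\n", "\n").strip() + "\n"


def check_pem(pem):
    """Accept only a single base64-valid CERTIFICATE block, so a corrupted or
    tampered .vv cannot plant junk in the VNC trust store."""
    lines = pem.strip().splitlines()
    if len(lines) < 3 or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("expected exactly one PEM CERTIFICATE block")
    base64.b64decode("".join(lines[1:-1]), validate=True)
    return True


def host_is_ip_literal(cp):
    """gtk-vnc verifies the server certificate against the host it dials.
    Dialing an IP literal (as in comment 7) only works if the hypervisor's
    certificate actually carries that IP, so flag it before connecting."""
    try:
        ipaddress.ip_address(cp.get("virt-viewer", "host"))
        return True
    except ValueError:
        return False


def install_ca(pem, dest=None):
    """Write PEM to dest (default ~/.pki/CA/cacert.pem) atomically, refusing to
    overwrite a different CA that is already trusted there."""
    dest = Path(dest) if dest else Path.home() / ".pki" / "CA" / "cacert.pem"
    check_pem(pem)
    dest.parent.mkdir(parents=True, exist_ok=True)
    if dest.exists() and dest.read_text() != pem:
        raise FileExistsError(f"{dest} holds a different CA; remove it first")
    tmp = dest.with_name(dest.name + ".tmp")
    tmp.write_text(pem)
    os.chmod(tmp, 0o644)  # public certificate, no secret material
    os.replace(tmp, dest)
    return dest


def demo(vv_text=SAMPLE_VV, dest_dir=None):
    """Run the workaround end to end; returns (path, pem, host_is_ip)."""
    cp = parse_vv(vv_text)
    pem = extract_ca(cp)
    if pem is None:
        raise SystemExit("no CA in [ovirt]; fetch it from the engine instead")
    dest_dir = dest_dir or tempfile.mkdtemp(prefix="vv-ca-")
    path = install_ca(pem, Path(dest_dir) / "cacert.pem")
    return str(path), pem, host_is_ip_literal(cp)


if __name__ == "__main__":
    p, _, ip_host = demo()
    print(f"CA written to {p}; host is an IP literal: {ip_host}")
```

Run it against a real download as `demo(open("console.vv").read(), os.path.expanduser("~/.pki/CA"))`. The refusal to overwrite a differing cacert.pem is deliberate: that file is the only trust anchor gtk-vnc consults for every VNC server, so a .vv from one engine must not silently replace the CA of another.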

Comment 10 zhoujunqin 2019-10-15 07:36:12 UTC
Hi John,
I checked my testing environment again: my RHV server is machine-A, and my VM is running on host machine-B, which is registered on the RHV system.

> Error: The certificate's owner does not match hostname '10.73.224.197'
This IP address is machine-B's; even after I registered machine-B on machine-A again, it didn't work.

>http://ibm-x3xxxxx/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
This hostname is for machine-A.

We always register several hosts on the same RHV system.

And as in Comment 5, it works on RHEL 7; I don't know why it doesn't work on RHEL 8.

Comment 11 zhoujunqin 2019-10-15 09:31:06 UTC
Created attachment 1625887 [details]
console.vv file_juzhou

Comment 12 zhoujunqin 2019-10-15 09:33:37 UTC
Created attachment 1625888 [details]
debug_rhel7

After I register machine-B with its hostname on RHV, I cannot connect to the VM console with either the RHEL 7 or the RHEL 8 virt-viewer version.

Comment 16 Daniel Berrangé 2020-04-07 16:56:09 UTC
Note that virt-viewer does not actually decide/control where the certificates must live. This is defined by the gtk-vnc library to require $HOME/.pki. So to address this limitation will require new work on gtk-vnc to make it possible to set certs via a new API. virt-viewer will then need updating to use the new APIs if available.

Comment 20 RHEL Program Management 2021-04-05 13:42:44 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

