Description of problem:
when I try to connect to a VM Console with VNC, I get the Error: Failed to complete handshake Error in the pull function as a popup in remote-viewer.exe

Version-Release number of selected component (if applicable):
Ovirt 4.5.1.3
VirtViewer v11.0-256

How reproducible:
always

Steps to Reproduce:
1. Open a VM VNC Console in oVirt Engine
2.
3.

Actual results:
(remote-viewer.exe:6352): virt-viewer-WARNING **: 21:22:07.564: vnc-session: got vnc error Failed to complete handshake Error in the pull function.

Expected results:
a VNC Console

Additional info:
:\Program Files\VirtViewer v11.0-256\bin>remote-viewer.exe -vvv --gtk-vnc-debug c:\Users\md\Downloads\console.vv

C:\Program Files\VirtViewer v11.0-256\bin>Guest (NULL) has a vnc display
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:03.854: ../src/vncconnection.c Init VncConnection=00000000052fcd00
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:03.855: ../src/vncdisplaykeymap.c Using Win32 virtual keycode mapping
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:03.856: ../src/vncdisplay.c Grab sequence is now Control_L+Alt_L
(remote-viewer.exe:7752): libsoup-WARNING **: 21:23:03.868: Could not set SSL credentials from '/etc/pki/tls/certs/ca-bundle.crt': Vertrauenswürdigkeitsliste konnte nicht aus /etc/pki/tls/certs/ca-bundle.crt befüllt werden: Error while reading file.
(remote-viewer.exe:7752): libsoup-WARNING **: 21:23:03.870: Could not set SSL credentials from '/etc/pki/tls/certs/ca-bundle.crt': Vertrauenswürdigkeitsliste konnte nicht aus /etc/pki/tls/certs/ca-bundle.crt befüllt werden: Error while reading file.
Opening connection to display at c:\Users\md\Downloads\console.vv
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:03.942: ../src/vncconnection.c Open host=192.168.0.33 port=5900
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.318: ../src/vncconnection.c Open coroutine starting
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.318: ../src/vncconnection.c Started background coroutine
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.319: ../src/vncconnection.c Resolving host 192.168.0.33 5900
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.319: ../src/vncconnection.c Trying one socket
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.320: ../src/vncconnection.c Schedule socket timeout 00000000052fbab0
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.320: ../src/vncconnection.c Socket pending
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.329: ../src/vncconnection.c Finally connected
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.329: ../src/vncconnection.c Remove timeout 00000000052fbab0
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.329: ../src/vncconnection.c Emit main context 13
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.330: ../src/vncdisplay.c Grab sequence is now
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.335: ../src/vncdisplay.c Connected to VNC server
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.335: ../src/vncconnection.c Protocol initialization
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.336: ../src/vncconnection.c Schedule greeting timeout 00000000052fbab0
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.336: ../src/vncconnection.c Remove timeout 00000000052fbab0
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.336: ../src/vncconnection.c Server version: 3.8
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.336: ../src/vncconnection.c Sending full greeting
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.337: ../src/vncconnection.c Using version: 3.8
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.400: ../src/vncconnection.c Possible auth 19
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.412: ../src/vncconnection.c Emit main context 11
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.412: ../src/vncconnection.c Thinking about auth type 19
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.413: ../src/vncconnection.c Decided on auth type 19
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.414: ../src/vncconnection.c Waiting for auth type
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.415: ../src/vncconnection.c Choose auth 19
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.418: ../src/vncconnection.c Checking if credentials are needed
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.419: ../src/vncconnection.c No credentials required
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.426: ../src/vncconnection.c Read error Ein nicht blockierender Socketvorgang konnte nicht sofort ausgeführt werden.
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.438: ../src/vncconnection.c Read error Ein nicht blockierender Socketvorgang konnte nicht sofort ausgeführt werden.
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.439: ../src/vncconnection.c Possible VeNCrypt sub-auth 261
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.439: ../src/vncconnection.c Emit main context 12
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.450: ../src/vncconnection.c Requested auth subtype 261
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.451: ../src/vncconnection.c Waiting for VeNCrypt auth subtype
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.459: ../src/vncconnection.c Choose auth 261
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.460: ../src/vncconnection.c Checking if credentials are needed
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.462: ../src/vncconnection.c No credentials required
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.466: ../src/vncconnection.c Read error Ein nicht blockierender Socketvorgang konnte nicht sofort ausgeführt werden.
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.467: ../src/vncconnection.c Do TLS handshake
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.473: ../src/vncconnection.c Checking if credentials are needed
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.474: ../src/vncconnection.c Want a TLS clientname
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.475: ../src/vncconnection.c Requesting missing credentials
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.485: ../src/vncconnection.c Emit main context 10
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.485: ../src/vncconnection.c Set credential 2 libvirt
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.486: ../src/vncconnection.c Searching for certs in /usr/x86_64-w64-mingw32/sys-root/mingw/etc/pki
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.494: ../src/vncconnection.c Failed to find certificate CA/cacert.pem
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.497: ../src/vncconnection.c No CA certificate provided, using GNUTLS global trust
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.498: ../src/vncconnection.c Failed to find certificate CA/cacrl.pem
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.506: ../src/vncconnection.c Failed to find certificate libvirt/private/clientkey.pem
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.507: ../src/vncconnection.c Failed to find certificate libvirt/clientcert.pem
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.508: ../src/vncconnection.c Waiting for missing credentials
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.508: ../src/vncconnection.c Got all credentials
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.510: ../src/vncconnection.c No CA certificate provided; trying the system trust store instead
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.545: ../src/vncconnection.c Using the system trust store and CRL
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.545: ../src/vncconnection.c No client cert or key provided
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.546: ../src/vncconnection.c No CA revocation list provided
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.548: ../src/vncconnection.c Error: Failed to complete handshake Error in the pull function.
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.554: ../src/vncconnection.c Emit main context 16
(remote-viewer.exe:7752): virt-viewer-WARNING **: 21:23:05.555: vnc-session: got vnc error Failed to complete handshake Error in the pull function.
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.556: ../src/vncdisplay.c VNC server error
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.566: ../src/vncconnection.c Auth failed
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.568: ../src/vncconnection.c Doing final VNC cleanup
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.569: ../src/vncconnection.c Close VncConnection=00000000052fcd00
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.570: ../src/vncconnection.c Emit main context 15
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.571: ../src/vncdisplay.c Disconnected from VNC server
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:05.573: ../src/vncdisplay.c Grab sequence is now
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:06.771: ../src/vncconnection.c Init VncConnection=0000000009d46520
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:06.772: ../src/vncdisplaykeymap.c Using Win32 virtual keycode mapping
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:06.773: ../src/vncdisplay.c Grab sequence is now Control_L+Alt_L
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:06.776: ../src/vncdisplay.c Display destroy, requesting that VNC connection close
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:06.777: ../src/vncdisplay.c Releasing VNC widget
(remote-viewer.exe:7752): gtk-vnc-DEBUG: 21:23:06.779: ../src/vncconnection.c Finalize VncConnection=0000000009d46520

Spice and noVNC work, the problem occurred after upgrading 4.4 to 4.5
From the error messages, it looks to me like you don't have your Engine CA certificate set as trusted in your environment. A possible location is ~/.pki/CA/cacert.pem. I'm not sure about the mingw environment though; the messages above suggest /usr/x86_64-w64-mingw32/sys-root/mingw/etc/pki/CA/cacert.pem if the home directory location doesn't work there.
The documentation text flag should only be set after 'doc text' field is provided. Please provide the documentation text and set the flag to '?' again.
The Client is a Windows System, the Root CA is in the System Certificate Store. I get no certificate error when I connect to the Engine in Firefox, Internet Explorer and Edge. If I delete the Root CA from the System Store I get errors in all browsers, but I can still open a Spice console.

Perhaps the problem is that remote-viewer.exe tries to connect directly to host where the VM is running (192.168.0.33)? The Hostname of the oVirt Host is ovnode01.dnetz.org, I installed the root CA from /etc/cockpit/ws-certs.d/0-self-signed-ca.pem of the Node on the Client, now I can connect to https://ovnode01.dnetz.org:9090 without a certificate error, but the certificate is not valid for 192.168.0.33, and 192.168.0.33 is shown in the "Hostname/IP" column in the Engine for Host column "Name" ovnode01.dnetz.org.

Perhaps I need to connect my hosts with FQDNs instead of IPs since 4.5?
> the Root CA is in the System Certificate Store

Ah, right, this is apparently used:

No CA certificate provided; trying the system trust store instead
Using the system trust store and CRL
No client cert or key provided
No CA revocation list provided

> Perhaps the problem is that remote-viewer.exe tries to connect directly to host where the VM is running (192.168.0.33)?

I don't think this should cause a problem.

> but the certificate is not valid for 192.168.0.33, and 192.168.0.33 is shown in the "Hostname/IP" column in the Engine

This can be a problem. I'd suggest checking the certificates in /etc/pki/vdsm/libvirt-vnc/ on the host. ca-cert.pem should be the Engine CA certificate and the same one as in the console.vv file. server-cert.pem should have the hostname or IP address used in console.vv as the connection destination and should be signed by the Engine CA certificate. And both the certificates should be valid for the current date. If anything doesn't match then putting the host into maintenance and regenerating its certificates from the webadmin should help.

> Perhaps I need to connect my hosts with FQDNs instead of IPs since 4.5?

I don't think so but if you opt for a FQDN or IP then the certificate must be issued for exactly what you've chosen, FQDN and IP cannot be mixed.
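The checks listed in the reply above, written as a shell function around the openssl CLI. This is an added example, not code from the thread or from the oVirt project; it assumes copies of ca-cert.pem, server-cert.pem and console.vv are on one machine, and that console.vv carries a `host=` key and a one-line `ca=` key.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes console.vv has "host=" and a
# one-line "ca=" key holding the CA PEM with literal "\n" escapes.

fp() { openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null; }

# vv_get FILE KEY: print the value of KEY= from a console.vv file
vv_get() { sed -n "s/^$2=//p" "$1" | tr -d '\r' | head -n 1; }

# check_vnc_certs CA_CERT SERVER_CERT CONSOLE_VV
# Prints one line per failed check and returns the number of failed checks.
check_vnc_certs() {
    ca=$1 srv=$2 vv=$3 fails=0
    dest=$(vv_get "$vv" host)
    tmp=$(mktemp) || return 99
    printf '%b' "$(vv_get "$vv" ca)" > "$tmp"   # expand "\n" back into PEM lines

    # 1. ca-cert.pem is the same certificate as the CA carried in console.vv
    if [ -z "$(fp "$ca")" ] || [ "$(fp "$ca")" != "$(fp "$tmp")" ]; then
        echo "FAIL: $ca is not the CA from $vv"; fails=$((fails + 1))
    fi
    rm -f "$tmp"

    # 2. server-cert.pem is signed by that CA (verify also checks the dates)
    openssl verify -CAfile "$ca" "$srv" >/dev/null 2>&1 ||
        { echo "FAIL: $srv does not verify against $ca"; fails=$((fails + 1)); }

    # 3. server-cert.pem is issued for exactly the console.vv destination.
    #    -checkip compares only subjectAltName IP entries, -checkhost DNS names.
    case $dest in
        *:*)       opt=-checkip ;;    # IPv6 literal
        *[!0-9.]*) opt=-checkhost ;;  # anything else with non-digits is a name
        *)         opt=-checkip ;;    # IPv4 literal
    esac
    openssl x509 -noout "$opt" "$dest" -in "$srv" 2>/dev/null |
        grep -q 'does match' ||
        { echo "FAIL: $srv is not issued for $dest"; fails=$((fails + 1)); }

    # 4. Neither certificate has expired
    for c in "$ca" "$srv"; do
        openssl x509 -noout -checkend 0 -in "$c" >/dev/null 2>&1 ||
            { echo "FAIL: $c has expired"; fails=$((fails + 1)); }
    done
    return "$fails"
}

# Usage: sh check_vnc_certs.sh ca-cert.pem server-cert.pem console.vv
if [ "$#" -eq 3 ]; then check_vnc_certs "$@"; fi
```

A return status of 0 means every check passed; each failed check prints one `FAIL:` line naming the file involved.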
I checked the certificates under /etc/pki/vdsm/libvirt-vnc/ on the host 192.168.0.33:

- /etc/pki/vdsm/libvirt-vnc/ca-cert.pem -> It's the engine's CA and it's installed on the client
- /etc/pki/vdsm/libvirt-vnc/server-cert.pem -> It's signed by the engine CA and it's valid for the IP address 192.168.0.33 of the host
- when I open the /etc/pki/vdsm/libvirt-vnc/server-cert.pem on Windows with the built-in CryptoShell Extension I have a valid chain for 192.168.0.33

So regeneration of the certificates should make no difference, anyway I'll try it on the weekend, it's my only host and so it's not always possible to put it into maintenance.
This could be the same issue: https://access.redhat.com/solutions/5695951 Perhaps you have an account which has permission to read it, my account has not.
Hm, sorry, I don't have better advice than putting the host into maintenance and trying to renew the certificates. I tried adding a host named and identified by its IP address and it works for me (it's on 4.5.2 but all important stuff should be in 4.5.1 already; I use remote-viewer on Linux as the client). FWIW the subject in /etc/pki/vdsm/libvirt-vnc/server-cert.pem is `O = localdomain, CN = 192.168.122.22' where `localdomain' is the organization set in the CA certificate and `192.168.122.22' is the host IP address.
Did you manage to resolve the problem some way?
There is not enough information to be able to work on this. Please submit a new issue at https://github.com/oVirt/ovirt-engine/issues if it is still relevant, with a reference to this bug.
I did set the Host to Maintenance and regenerated the Certificates, no difference. Next will be an upgrade to 4.5.2.