Bug 2106893
| Summary: | remote-viewer.exe Failed to complete handshake Error in the pull function | ||
|---|---|---|---|
| Product: | [oVirt] ovirt-engine | Reporter: | md |
| Component: | Console-Integration | Assignee: | Milan Zamazal <mzamazal> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Nisim Simsolo <nsimsolo> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 4.5.1.2 | CC: | bugs, mzamazal |
| Target Milestone: | ovirt-4.5.3 | Flags: | pm-rhel: ovirt-4.5? |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-09-15 15:04:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | Virt | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
md
2022-07-13 19:25:46 UTC
From the error messages, it looks to me like you don't have your Engine CA certificate set as trusted in your environment. A possible location is ~/.pki/CA/cacert.pem, I'm not sure about mingw environment though, the messages above suggest /usr/x86_64-w64-mingw32/sys-root/mingw/etc/pki/CA/cacert.pem if the home directory location doesn't work there.

The documentation text flag should only be set after 'doc text' field is provided. Please provide the documentation text and set the flag to '?' again.

The client is a Windows system, the Root CA is in the System Certificate Store. I get no certificate error when I connect to the Engine in Firefox, Internet Explorer and Edge. If I delete the Root CA from the System Store I get errors in all browsers, but I can still open a Spice console. Perhaps the problem is that remote-viewer.exe tries to connect directly to the host where the VM is running (192.168.0.33)? The hostname of the oVirt host is ovnode01.dnetz.org. I installed the root CA from /etc/cockpit/ws-certs.d/0-self-signed-ca.pem of the node on the client, now I can connect to https://ovnode01.dnetz.org:9090 without a certificate error, but the certificate is not valid for 192.168.0.33, and 192.168.0.33 is shown in the "Hostname/IP" column in the Engine for Host column "Name" ovnode01.dnetz.org. Perhaps I need to connect my hosts with FQDNs instead of IPs since 4.5?

> the Root CA is in the System Certificate Store

Ah, right, this is apparently used:

  No CA certificate provided; trying the system trust store instead
  Using the system trust store and CRL
  No client cert or key provided
  No CA revocation list provided

> Perhaps the problem is that remote-viewer.exe tries to connect directly to host where the VM is running (192.168.0.33)?

I don't think this should cause a problem.

> but the certificate is not valid for 192.168.0.33, and 192.168.0.33 is shown in the "Hostname/IP" column in the Engine

This can be a problem. I'd suggest checking the certificates in /etc/pki/vdsm/libvirt-vnc/ on the host. ca-cert.pem should be the Engine CA certificate and the same one as in the console.vv file. server-cert.pem should have the hostname or IP address used in console.vv as the connection destination and should be signed by the Engine CA certificate. And both the certificates should be valid for the current date. If anything doesn't match then putting the host into maintenance and regenerating its certificates from the webadmin should help.

> Perhaps I need to connect my hosts with FQDNs instead of IPs since 4.5?

I don't think so but if you opt for a FQDN or IP then the certificate must be issued for exactly what you've chosen, FQDN and IP cannot be mixed.

I checked the certificates under /etc/pki/vdsm/libvirt-vnc/ on the host 192.168.0.33:

- /etc/pki/vdsm/libvirt-vnc/ca-cert.pem -> It's the engine's CA and it's installed on the client
- /etc/pki/vdsm/libvirt-vnc/server-cert.pem -> It's signed by the engine CA and it's valid for the IP address 192.168.0.33 of the host
- when I open /etc/pki/vdsm/libvirt-vnc/server-cert.pem on Windows with the built-in CryptoShell Extension I have a valid chain for 192.168.0.33

So regeneration of the certificates should make no difference, anyway I'll try it on the weekend, it's my only host and so it's not always possible to put it into maintenance.

This could be the same issue: https://access.redhat.com/solutions/5695951 Perhaps you have an account which has permission to read it, my account has not.

Hm, sorry, I don't have better advice than putting the host into maintenance and trying to renew the certificates. I tried adding a host named and identified by its IP address and it works for me (it's on 4.5.2 but all important stuff should be in 4.5.1 already; I use remote-viewer on Linux as the client). FWIW the subject in /etc/pki/vdsm/libvirt-vnc/server-cert.pem is `O = localdomain, CN = 192.168.122.22' where `localdomain' is the organization set in the CA certificate and `192.168.122.22' is the host IP address.

Did you manage to resolve the problem some way?

There is not enough information to be able to work on this. Please submit a new issue at https://github.com/oVirt/ovirt-engine/issues if it is still relevant, with a reference to this bug.

I did set the host to Maintenance and regenerated the certificates, no difference. Next will be an upgrade to 4.5.2.
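
The certificate checks suggested in the thread for /etc/pki/vdsm/libvirt-vnc/ can be run in one pass on the host with the openssl CLI. This is an added example, not part of the original bug report and not oVirt's own tooling; the function names, the optional client CA file argument and the PKI_DIR override are assumptions, and name matching follows OpenSSL's rules, which may differ from those of the client's TLS library.

```shell
#!/bin/sh
# Added example: run on the host. PKI_DIR defaults to the directory named in the thread.
PKI_DIR=${PKI_DIR:-/etc/pki/vdsm/libvirt-vnc}

fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# check_console_certs DEST [CLIENT_CA]
#   DEST       host name or IP that console.vv uses as the connection destination
#   CLIENT_CA  optional PEM file with the CA the client holds (assumption: saved
#              from console.vv or exported from the client's trust store)
check_console_certs() {
    dest=$1; client_ca=${2:-}
    ca=$PKI_DIR/ca-cert.pem; cert=$PKI_DIR/server-cert.pem; rc=0
    # 1. server-cert.pem must chain to ca-cert.pem only (no system CA directory).
    if openssl verify -no-CApath -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ok:   server-cert.pem is signed by ca-cert.pem"
    else
        echo "FAIL: server-cert.pem does not verify against ca-cert.pem"; rc=1
    fi
    # 2. Neither certificate may be past its notAfter date.
    for f in "$ca" "$cert"; do
        if openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            echo "ok:   $f has not expired"
        else
            echo "FAIL: $f has expired or cannot be read"; rc=1
        fi
    done
    # 3. The certificate must be issued for exactly DEST; an IP and an FQDN are
    #    different identities. OpenSSL matches IPs against subjectAltName only.
    case $dest in
        *:*) opt=-checkip ;; *[!0-9.]*) opt=-checkhost ;; *) opt=-checkip ;;
    esac
    if openssl x509 -in "$cert" -noout "$opt" "$dest" 2>/dev/null |
            grep -q 'does match certificate'; then
        echo "ok:   server-cert.pem is valid for $dest"
    else
        echo "FAIL: server-cert.pem is not issued for $dest"; rc=1
    fi
    # 4. The client must hold the same CA, compared by SHA-256 fingerprint.
    if [ -n "$client_ca" ]; then
        a=$(fingerprint "$ca"); b=$(fingerprint "$client_ca")
        if [ -n "$a" ] && [ "$a" = "$b" ]; then
            echo "ok:   client CA equals ca-cert.pem"
        else
            echo "FAIL: client CA differs from ca-cert.pem"; rc=1
        fi
    fi
    return $rc
}
if [ "$#" -ge 1 ]; then check_console_certs "$@"; fi
```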