VNC Connection refused [Ubuntu 14.04 SRV, Nightlies 03.12.14]

[explanar]

telnet 192.168.2.103 6900

Escape character is '^]'.
Connection closed by foreign host.

archipel.conf: machine_ip=192.168.2.103 HTTP-Server: lighthttpd Client-Access: via http:80

archipel.log says Virtual machine vnc proxy accepts only SSL connection False.

INFO    ::2014-12-04 14:08:59::utils.py:72::TNArchipelVirtualMachine.change_presence (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::status change: Off show:xa
INFO    ::2014-12-04 14:08:59::utils.py:72::TNArchipelVirtualMachine.push_change (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::PUSH : pushing archipel:push:virtualmachine:control->shutdown
DEBUG   ::2014-12-04 14:08:59::utils.py:70::TNArchipelVirtualMachine.presence_callback (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::PRESENCE : I just set change presence. The result is <presence xmlns="jabber:client" to="db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0" from="db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0" id="db47c970-7ba0-11e4-ad94-000b0e0f00ed-90"><show>xa</show><status>Off</status></presence>
INFO    ::2014-12-04 14:08:59::utils.py:72::TNArchipelVirtualMachine.perform_hooks (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::HOOK: going to run methods for hook HOOK_VM_STOP
DEBUG   ::2014-12-04 14:08:59::utils.py:70::TNArchipelVirtualMachine.perform_hooks (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::HOOK: performing method stop_novnc_proxy registered in hook with name HOOK_VM_STOP and user_info: None (oneshot: False)
INFO    ::2014-12-04 14:08:59::utils.py:72::TNArchipelVirtualMachine.stop_novnc_proxy (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::Stopping novnc proxy.
INFO    ::2014-12-04 14:08:59::utils.py:72::TNArchipelVirtualMachine.push_change (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::PUSH : pushing archipel:push:virtualmachine:vnc->websocketvncstop
DEBUG   ::2014-12-04 14:09:03::utils.py:70::TNArchipelHypervisor.parse_own_repo (cube0@cube0/cube0)::TNHypervisorRepoManager: begin to refresh own vmcast feed
DEBUG   ::2014-12-04 14:09:03::utils.py:70::TNArchipelHypervisor.parse_own_repo (cube0@cube0/cube0)::TNHypervisorRepoManager: finish to refresh own vmcast feed
DEBUG   ::2014-12-04 14:09:03::utils.py:70::TNArchipelHypervisor.parse_own_repo (cube0@cube0/cube0)::TNHypervisorRepoManager: begin to refresh own vmcast feed
DEBUG   ::2014-12-04 14:09:03::utils.py:70::TNArchipelHypervisor.parse_own_repo (cube0@cube0/cube0)::TNHypervisorRepoManager: finish to refresh own vmcast feed
INFO    ::2014-12-04 14:09:06::utils.py:72::TNArchipelVirtualMachine.check_acp (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::acp received: from: admin@cube0/ArchipelController, type: set, namespace: archipel:vm:control, action: create
INFO    ::2014-12-04 14:09:06::utils.py:72::TNArchipelVirtualMachine.check_perm (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::Checking permission for action create asked by admin@cube0/ArchipelController
INFO    ::2014-12-04 14:09:06::utils.py:72::TNArchipelVirtualMachine.on_domain_event (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::LIBVIRTEVENT: Libvirt event received: 2 with detail 0
INFO    ::2014-12-04 14:09:06::utils.py:72::TNArchipelVirtualMachine.change_presence (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::status change: Running show:
INFO    ::2014-12-04 14:09:06::utils.py:72::TNArchipelVirtualMachine.create (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::Virtual machine created.
INFO    ::2014-12-04 14:09:06::utils.py:72::TNArchipelVirtualMachine.push_change (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::PUSH : pushing archipel:push:virtualmachine:control->created
DEBUG   ::2014-12-04 14:09:06::utils.py:70::TNArchipelVirtualMachine.presence_callback (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::PRESENCE : I just set change presence. The result is <presence xmlns="jabber:client" to="db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0" from="db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0" id="db47c970-7ba0-11e4-ad94-000b0e0f00ed-93"><status>Running</status></presence>
INFO    ::2014-12-04 14:09:06::utils.py:72::TNArchipelVirtualMachine.perform_hooks (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::HOOK: going to run methods for hook HOOK_VM_CREATE
DEBUG   ::2014-12-04 14:09:06::utils.py:70::TNArchipelVirtualMachine.perform_hooks (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::HOOK: performing method create_novnc_proxy registered in hook with name HOOK_VM_CREATE and user_info: None (oneshot: False)
INFO    ::2014-12-04 14:09:06::utils.py:72::TNArchipelVirtualMachine.create_novnc_proxy (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::NOVNC: current proxy port is 6900
INFO    ::2014-12-04 14:09:06::utils.py:72::TNArchipelVirtualMachine.create_novnc_proxy (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::Virtual machine vnc proxy is using certificate /etc/archipel/vnc.pem
INFO    ::2014-12-04 14:09:06::utils.py:72::TNArchipelVirtualMachine.create_novnc_proxy (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::Virtual machine vnc proxy accepts only SSL connection False
INFO    ::2014-12-04 14:09:06::utils.py:72::TNArchipelVirtualMachine.push_change (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::PUSH : pushing archipel:push:virtualmachine:vnc->websocketvncstart
DEBUG   ::2014-12-04 14:09:06::utils.py:70::TNArchipelVirtualMachine.perform_hooks (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::HOOK: performing method vm_create registered in hook with name HOOK_VM_CREATE and user_info: None (oneshot: False)
INFO    ::2014-12-04 14:09:06::utils.py:72::TNArchipelVirtualMachine.vm_create (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::OOM: value retrieved {'adjust': 0, 'score': 0}
INFO    ::2014-12-04 14:09:06::utils.py:72::TNArchipelVirtualMachine.vm_create (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::OOM: value for vm with uuid db47c970-7ba0-11e4-ad94-000b0e0f00ed have been restored.
INFO    ::2014-12-04 14:09:08::utils.py:72::TNArchipelVirtualMachine.check_acp (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::acp received: from: admin@cube0/ArchipelController, type: get, namespace: archipel:virtualmachine:vnc, action: display
INFO    ::2014-12-04 14:09:08::utils.py:72::TNArchipelVirtualMachine.check_perm (db47c970-7ba0-11e4-ad94-000b0e0f00ed@cube0/cube0)::Checking permission for action vnc_display asked by admin@cube0/ArchipelController

ejabberd.conf

%%%
%%%               ejabberd configuration file
%%%
%%%              Archipel Sample Configuration

%%%   =======================
%%%   OVERRIDE STORED OPTIONS

%% loglevel: Verbosity of log files generated by ejabberd.
{loglevel, 3}.

%%%   ================
%%%   SERVED HOSTNAMES

%% CHANGE FQDN to your FQDN
{hosts, ["cube0"]}.

%%%   ===============
%%%   LISTENING PORTS

{listen,
 [

  %% If you have compiled the ejabberd-xmlrpc, uncomment the following line
  %%{4560, ejabberd_xmlrpc, [{access_commands, [{xmlrpcaccess, all, []}]}]},

  {5222, ejabberd_c2s, [
            {access, c2s},
            starttls,
            {certfile, "/etc/ejabberd/ejabberd.pem"},
            {max_stanza_size, 65536000}
               ]},

  %% if you notice some issues with the health monitoring, it is likely that you need to comment the lines
  %% starttls and certfile or upgrade archipel from source to be able to use SECURE BOSH
  %% more information at https://github.com/ArchipelProject/Archipel/wiki/Installation:-Agent

  {5269, ejabberd_s2s_in, [
            {max_stanza_size, 65536000}
               ]},

  %% BOSH service
  {5280, ejabberd_http, [
             http_bind,
             http_poll
               ]},

  %% Make a SSL version of the BOSH service
  {5281, ejabberd_http, [
             http_bind,
             http_poll,
             web_admin,
             tls,{certfile, "/etc/ejabberd/ejabberd.pem"}
               ]}
 ]}.

%%%   ===============
%%%   S2S

{route_subdomains, s2s}.
{s2s_use_starttls, true}.
{s2s_default_policy, allow}.
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.

%%%   ==============
%%%   AUTHENTICATION

{auth_method, internal}.

%%%   ===============
%%%   TRAFFIC SHAPERS

{shaper, normal, {maxrate, 1000}}.
{shaper, fast, {maxrate, 50000}}.

%%%   ====================
%%%   ACCESS CONTROL LISTS

%% CHANGE FQDN to your FQDN
{acl, admin, {user, "admin", "cube0"}}.
{acl, local, {user_regexp, ""}}.

%% if you HAVE NOT compiled ejabberd-xmlrpc module, you
%% Need to declare all your hypervisors as ejabberd admin
%% The hypervisor JID is defined in archipel.conf. By default it
%% it is hypervisor@FQDN.
%% You can also use archipel-ejabberdadmin tool to add them
%% directly to the ejabberd database.

%% {acl, admin, {user, "hypervisor", "FQDN"}}.
%% {acl, admin, {user, "hypervisor-x", "FQDN"}}.

%%%   ============
%%%   ACCESS RULES

{access, max_user_sessions, [{10, all}]}.
{access, local, [{allow, local}]}.
{access, c2s, [{deny, blocked}, {allow, all}]}.
{access, c2s_shaper, [{none, admin}, {fast, all}]}.
{access, s2s_shaper, [{fast, all}]}.
{access, announce, [{allow, admin}]}.
{access, configure, [{allow, admin}]}.
{access, muc_admin, [{allow, admin}]}.
{access, muc, [{allow, all}]}.
{access, muc_create, [{allow, local}]}.
{access, pubsub_createnode, [{allow, all}]}.
{access, xmlrpcaccess, [{allow, admin}]}.

%%%   ================
%%%   DEFAULT LANGUAGE

{language, "de"}.

%%%   =======
%%%   REGISTRATION

{access, register, [{allow, all}]}.
{registration_timeout, infinity}.

%%%   =======
%%%   MODULES

{modules,
 [
  {mod_adhoc,    []},
  {mod_announce, [{access, announce}]}, % requires mod_adhoc
  {mod_caps,     []},
  {mod_configure,[]},
  {mod_disco,    []},
  {mod_http_bind,[
               {max_inactivity, 480}   % timeout value for the BOSH, usefull for a large number of VM
             ]},
  {mod_irc,      []},
  {mod_last,     []},
  {mod_muc,      [
          {access, muc},
          {access_create, muc_create},
          {access_persistent, muc_create},
          {access_admin, muc_admin}
         ]},
  {mod_offline,  []},
  {mod_privacy,  []},
  {mod_private,  []},
  {mod_pubsub,   [ % requires mod_caps
          {access_createnode, pubsub_createnode},
          {ignore_pep_from_offline, true},
          {last_item_cache, false},
          {plugins, ["flat", "hometree", "pep"]},
          {max_items_node, 1000}
         ]},
  {mod_register, [
          {access, register}
         ]},
  {mod_roster,   []},
  {mod_shared_roster,[]},
  {mod_time,     []},
  {mod_vcard,    []},
  {mod_version,  []},
  {mod_admin_extra, []}
 ]}.

archipel.conf:

#
# archipel.conf
#
# Copyright (C) 2010 Antoine Mercadal <antoine.mercadal@inframonde.eu>
#               2014 Cyril Peponnet <cyril@peponnet.fr>
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

###############################################################################
###############################################################################

#
# General configuration. You should just need to edit these values
#
[DEFAULT]

# the default XMPP server to user
xmpp_server                 = cube0

# archipel's data folder
archipel_folder_lib         = /var/lib/archipel/

# this UUID will be used to identify the hypervisor
# internally. It MUST be different foreach one over
# your platform. You can generate a new one using
# uuidgen command
archipel_general_uuid       = 03f6d04a-515f-4da3-aa67-2bc28878917a

# the base working folder, where virtual machine related
# stuff will be stored
archipel_folder_data        = /vm/

###############################################################################
###############################################################################

#
# This is the main configuration parameters
#
[GLOBAL]

# jid of the xmpp pubsub server
xmpp_pubsub_server          = pubsub.%(xmpp_server)s

# jids of the root administrator separated with spaces
archipel_root_admins        = admin@%(xmpp_server)s

# the ip of this machine. It can be :
# - auto : the IP if found using a Internet request.
# - gateway_interface : Using ip address configured on default gateway interface
# - X.X.X.X : manual ip
machine_ip                  = 192.168.2.103

# if set to True, XMPP layer uses avatars
use_avatar                  = True

# Folder of the avatars
machine_avatar_directory    = %(archipel_folder_lib)s/avatars

# the uri of hypervisor
libvirt_uri                 = qemu:///system

# [OPTIONAL] if set, this parameter is send to other hypervisors as migration UI
# migration_uri               = qemu+ssh://mydomain/system

# path were modules configuration are stored (*.conf)
modules_configuration_path = /etc/archipel/modules.d/

# default loading module policy
# - permissive : if no entry are found in the conf file in section MODULES, the module will be loaded anyway
# - restrictive: you need to explicitely declare what modules to load in MODULES
module_loading_policy       = restrictive

# [OPTIONAL] This parameters makes Archipel able to run in stateless mode.
# stateless mode needs some kernel parameters. please read the documentation (which is not available now :)
# about it, or leave it set to False
stateless_node              = False

#
# VCARD information - They CANNOT be empty
#
[VCARD]
orgname     = Archipel Corp
orgunit     = Dev
userid      = contact@archipelproject.org
locality    = San Francisco
url         = http://archipelproject.org
categories  = Archipel

#
# The hypervisor configuration
#
[HYPERVISOR]

# the JID of this hypervisor. It MUST be different foreach one over
# your platform.
# If this account not exists, it will be created on the fly
hypervisor_xmpp_jid         = cube0@%(xmpp_server)s

# the XMPP password of this hypervisor
hypervisor_xmpp_password    = 4I563hBl

# the vCard name of hypervisor. if set to "auto"
# the hostname is used
hypervisor_name             = auto

# the sqlite3 db file to store hypervisor informations
hypervisor_database_path    = %(archipel_folder_lib)s/hypervisor.sqlite3

# the default avatar to use for hypervisor, relative to
# GLOBAL:machine_avatar_directory and if GLOBAL:use_avatar is set to True
hypervisor_default_avatar   = defaulthypervisor.png

# the file contaning auto generated names for virtual machine creation
# must be a text file containing one name per line
name_generation_file        = %(archipel_folder_lib)s/names.txt

# the database file for storing permissions (full path required)
hypervisor_permissions_database_path = %(archipel_folder_lib)s/permissions.sqlite3

#
# The virtual machines configuration
#
[VIRTUALMACHINE]

# the base folder to use to store virtual machine's own
# informations (drives, etc...)
vm_base_path                    = %(archipel_folder_data)s/drives

# [OPTIONAL] the base folder to store virtual machine permissions
# if not set, permissions are stored in the base folder
# vm_perm_path                    = %(archipel_folder_data)s/drives

# the default avatar to use for virtual machine, relative to
# GLOBAL:machine_avatar_directory and if GLOBAL:use_avatar is set to True
vm_default_avatar               = defaultvm.png

# the size of the random generated XMPP password
xmpp_password_size              = 32

# the maximum lifetime of a lock (in seconds)
maximum_lock_time               = 1

# the database file for storing permissions (relative path required)
vm_permissions_database_path    = /permissions.sqlite3

# if set to false, all space in virtual machine names will be replaced by a '-'
# note that for xen backend this option has no effect as xen does'nt handle spaces in names.
allow_blank_space_in_vm_name    = True

# [OPTIONAL] this will allow to block access to block devices
# when defining virtual machines
enable_block_device_access      = True

# [OPTIONAL] this will disable the screenshot feature. Libvirt 0.9.5+ is bugged
# If you use these versions, set this value to True. Default value (i.e not set) is False
disable_screenshot              = False

#
# Logging configuration
#
[LOGGING]

# minimal log level. it can be in order:
# - debug
# - info
# - warning
# - error
# - critical
logging_level               = debug

# max life time of a log node in the pubsub
log_pubsub_item_expire      = 3600

# max number of stored log in the pubsub log node
log_pubsub_max_items        = 1000

# the path of file to store logs
logging_file_path           = /var/log/archipel/archipel.log

# max size in bytes of a log file before rotation
logging_max_bytes           = 5000000

# number of log backup file to keep
logging_backup_count        = 5

# the date format to use in log file.
# See http://docs.python.org/library/logging.html#formatter-objects
logging_date_format         = %Y-%m-%d %H:%M:%S

# the log format to use in log file.
# See http://docs.python.org/library/datetime.html?highlight=date#strftime-and-strptime-behavior
logging_formatter           = %(levelname)s::%(asctime)s::%(filename)s:%(lineno)s::%(message)s

# If this is True, xmpppy will be in debug mode
xmpppy_debug                = False

# [VNC]
# vnc_certificate_file = None
# vnc_only_ssl         = False

As you can see i already tried vnc_certificate_file = None vnc_only_ssl = False

Any suggestion?

Thank you in advance.

[CyrilPeponnet]

Can you check:

• That something is listening on port 0.0.0.0:6900
• That something is listening on port localhost:5900

[explanar]

Thank you for your very fast reply CyrilPeponnet!

$ netstat -a | egrep 'Proto|LISTEN' | grep 6900
tcp        0      0 *:6900                  *:*                     LISTEN

$ netstat -a | egrep 'Proto|LISTEN' | grep 5900
tcp        0      0 localhost:5900          *:*                     LISTEN

You're right. What have i configured wrong?

Best regards.

[CyrilPeponnet]

On hypervisor itself try to telnet localhost:6900

[explanar]

$ telnet localhost 6900
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

duration: ca. 1-2 seconds.

[CyrilPeponnet]

stop the agent, set vnc_enable_websocket_debug = True in configuration file, launch the agent with runarchipel -n, retry the telnet and post all outputs

[explanar]

Maybe the fault is in the hosts file /etc/hosts with commented

# 127.0.1.1       hostname
192.168.2.103  hostname

?

Here what i did as you adviced:

$ cd /etc/archipel
$ sudo grep -R 'vnc_enable_websocket_debug'
modules.d/virtualmachine-vnc.conf:vnc_enable_websocket_debug  = False

changed to "True".

$ sudo service archipel stop
* Stopping Archipel: [OK]
$ sudo runarchipel -n
WebSocket server settings:
  - Listen on 0.0.0.0:6900
  - Flash security policy server
  - SSL/TLS support
  - proxying from 0.0.0.0:6900 to 127.0.0.1:5900

  1: 127.0.0.1: new handler Process
  1: 127.0.0.1: ignoring socket not ready

[in the meantime from another tty:]

$ telnet localhost 6900
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

Duration ca. 4 seconds.

[CyrilPeponnet]

Try to type something like HELLO in your telnet session it should respond with 400 HTML retour code.

[CyrilPeponnet]

And one last thing, if you get connexion refused from the UI be sure that the machine displaying the UI (your client machine with the browser) can reach your hypervisor directly.

Try to telnet from this machine to your hypervisor.

[explanar]

Hi,

Thank you again for your excellent support!

The "Hello" Test worked from localhost as well as from 1nother IP to 192.168.2.103:

$ telnet localhost 6900
$ telnet 192.168.2.103 6900
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HELLO
<head>
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code 400.
<p>Message: Bad request syntax ('HELLO').
<p>Error code explanation: 400 = Bad request syntax or unsupported method.
</body>
Connection closed by foreign host.

The machine with running UI in browser can reach hypervisor directly if you mean e.g. ping by that (?)

[explanar]

Sorry, forgot the internal output of runarchipel -n: First i did the "hello" test as described and after that i tried to open VNCviewer from UI (localhost) once:

  1: 127.0.0.1: new handler Process
  1: 127.0.0.1: ignoring socket not ready
  2: 127.0.0.1: new handler Process
  2: 127.0.0.1: "HELLO" 400 -
  3: 192.168.2.105: new handler Process
  3: 192.168.2.105: "HELLO" 400 -
  4: 192.168.2.103: new handler Process
  4: handler exception: WSRequestHandler instance has no attribute 'last_code'
  4: Traceback (most recent call last):
  File "/opt/ArchipelAgent/archipel-agent-virtualmachine-vnc/archipelagentvirtualmachinevnc/websocket.py", line 775, in top_new_client
    self.client = self.do_handshake(startsock, address)
  File "/opt/ArchipelAgent/archipel-agent-virtualmachine-vnc/archipelagentvirtualmachinevnc/websocket.py", line 707, in do_handshake
    if wsh.last_code == 101:
AttributeError: WSRequestHandler instance has no attribute 'last_code'

Bildschirmfoto gespeichert [=screenshot saved] in /tmp/tmpEhkUJe, mit Typ image/x-portable-pixmap

May the problem be that a new handler process comes from UI as "192.168.2.103" while in /etc/hosts is configured

192.168.2.103 hostname

?

[CyrilPeponnet]

I mean the machine running the browser with UI must have access to 192.168.2.103:6900

[explanar]

It has access:

via

$ telnet 192.168.3.103 6900

It produces the html 400 Message after e.g. "hello".

[CyrilPeponnet]

And using UI what is the message you get in javascript error console?

[CyrilPeponnet]

You can find more details here: https://github.com/ArchipelProject/Archipel/issues/467

[explanar]

I get the same error in UI when trying with firefox 33.0 (installed on 12.04 elementary_64)

[CyrilPeponnet]

Hum:

# vnc_certificate_file = None
# vnc_only_ssl         = False

Try uncomment the lines...

[explanar]

I am Sorry. Forgot to validate obviously "non-secure ssl cert" via https://192.168.2.103:6900 from Client-UI Browser. Now works.

That'll never happen to me now ... :-\

[CyrilPeponnet]

:) Good have fun!

[explanar]

I just want to add comment for readers:

Use Firefox to browse https://hypervisor:690**0, but then only the first VM is SSL-confirmed. For 2nd, 3rd VM they have to be running while you browse https://hypervisor:6901, https://hypervisor:6902** etc....