retspen / webvirtmgr

WebVirtMgr panel for manage virtual machine
http://retspen.github.io
novnc wont connect #490

Open grantpasley opened 9 years ago

grantpasley commented 9 years ago

Hi there - when I try to connect to the console I get the error "connect timeout". This is a new install and everything was working fine up until trying to connect to the console to configure the guest - any advice / ideas?

thanks, grant.

aafanasyev commented 9 years ago

Hi,

Do you want to connect to SSH on the guest? Do you have an SSH server installed on the guest? What is your network topology? How are the guests connected to the internet? Bridged or NAT?

aafanasyev commented 9 years ago

For VNC, do you use a configuration like ip:5900 as the address in your VNC client (I use tiny vnc)? What OS do you use as the virtual host server?

grantpasley commented 9 years ago

Hi there - this is for console access - I create the guest instance, then start it up in order to configure it, and I get a timeout from the console pop-up window, please see attached screenshot.

kestel commented 9 years ago

Hello,

The same problem for me. My network structure: WebVirtMgr (192.168.20.10) -> NAT (10.20.10.254) -> KVM server (10.20.10.20). The host is added to WebVirtMgr with an SSH connection. The SSH connection from the WebVirtMgr host to the KVM host works fine. A VNC connection to 10.20.10.20:5900 works fine too. The guest VM is connected with a bridged network. When I try to open noVNC from WebVirtMgr I get the error "Server disconnected (code: 1006)". All hosts have no Internet connection, only the local net.

UPD: all machines are Ubuntu 12.04 or 14.04.

aafanasyev commented 9 years ago

I had the same problem when I installed on Ubuntu Server 14.04.1 in:

/var/www/webvirtmgr/

As described in the installation documents. However, when I installed everything (changing the paths in the related config files) to:

/var/www/

It worked for me just fine.

kestel commented 9 years ago

It doesn't work for me =(

brenard commented 9 years ago

Hello,

The console connection is pretty simple to understand: the web console uses a websocket to connect to port 6080 of your WebVirtMgr host; on this port, the console/webvirtmg-novnc script must be listening. This script opens a TCP socket to the VNC console of the guest using the hostname of the KVM host and the port of the VNC console. After that, the script proxies between the websocket and the VNC socket.

To troubleshoot, you have to verify:

Actually, if you use a reverse proxy in front of your WebVirtMgr instance, your browser cannot connect to the websocket because the hostname that is used is the same as the one used to connect to WebVirtMgr: with a reverse proxy, this address is 127.0.0.1. I wrote a patch for that, permitting you to manually configure the public hostname to use for the websocket. It's available here: https://github.com/brenard/webvirtmgr/commit/731bc3304bb319656a7c1f90d9d858be736a06f5

If you have NAT between the WebVirtMgr host and your KVM host, I mean your WebVirtMgr host cannot connect to the VNC console of your guests. In this topology, WebVirtMgr has to open an SSH tunnel to connect to your KVM host. I'm working on this feature and a pull request is pending for that: https://github.com/retspen/webvirtmgr/pull/488

You could try it if you want, and give me feedback. It could be useful for me to debug it in other use cases.

kestel commented 9 years ago

Hello brenard,

Thanks for your patch ( brenard@731bc33 ), it works well and helps me for half. Now noVNC works fine with an http connection without encryption and doesn't work via https.

I think I need to read something about wss.

When I try to run webvirtmgr-novnc by hand I get the following:

www-data$ /var/www/webvirtmgr/console/webvirtmgr-novnc 
WebSocket server settings:
  - Listen on 0.0.0.0:6080
  - Flash security policy server
  - SSL/TLS support
  - proxying from 0.0.0.0:6080 to ignore:ignore

  1: handler exception: WSRequestHandler instance has no attribute 'last_code'
  2: handler exception: WSRequestHandler instance has no attribute 'last_code'
  3: 10.10.11.11: Plain non-SSL (ws://) WebSocket connection
  3: 10.10.11.11: Version hybi-13, base64: 'False'
  3: connecting to: hv-node3.example.com:5900

1, 2 - trying to connect by https
3 - successful connection by http
10.10.11.11 (my workstation) -> NAT (10.20.10.254) -> KVM server (10.20.10.20)

brenard commented 9 years ago

Hello kestel,

I mean your installation is too old, could you try to upgrade it? WSRequestHandler does not exist for me in the current version.

Concerning HTTPS access, you have to know that WebVirtMgr automatically enables SSL on the websocket too. So you have to configure a correct SSL certificate and key for webvirtmgr-novnc. You have to edit webvirtmgr-novnc and modify the CERT variable at the top of the file. This file must contain both the private key and the public key (as you can see in the cert.pem file in the console folder). This certificate must be considered valid by your web browser.

goshlanguage commented 9 years ago

After changing the WS_CERT param in webvirtmgr/settings.py, I am getting the following errors:


x webvirtmgr]# /usr/bin/python /var/www/webvirtmgr/console/webvirtmgr-console
WARNING:root:No local_settings file found.
WebSocket server settings:
  - Listen on 0.0.0.0:6080
  - Flash security policy server
  - SSL/TLS support
  - Deny non-SSL/TLS connections
  - proxying from 0.0.0.0:6080 to ignore:ignore

  1: handler exception: [Errno 336445449] _ssl.c:365: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
  1: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 696, in top_new_client
    self.client = self.do_handshake(startsock, address)
  File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 604, in do_handshake
    keyfile=self.key)
  File "/usr/lib64/python2.7/ssl.py", line 387, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib64/python2.7/ssl.py", line 141, in __init__
    ciphers)
SSLError: [Errno 336445449] _ssl.c:365: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib

  2: handler exception: [Errno 336445449] _ssl.c:365: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
  2: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 696, in top_new_client
    self.client = self.do_handshake(startsock, address)
  File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 604, in do_handshake
    keyfile=self.key)
  File "/usr/lib64/python2.7/ssl.py", line 387, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib64/python2.7/ssl.py", line 141, in __init__
    ciphers)
SSLError: [Errno 336445449] _ssl.c:365: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib

  3: 72.183.110.211: new handler Process
  3: handler exception: [Errno 336445449] _ssl.c:365: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
  3: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 696, in top_new_client
    self.client = self.do_handshake(startsock, address)
  File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 604, in do_handshake
    keyfile=self.key)
  File "/usr/lib64/python2.7/ssl.py", line 387, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib64/python2.7/ssl.py", line 141, in __init__
    ciphers)
SSLError: [Errno 336445449] _ssl.c:365: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib

  4: 72.183.110.211: new handler Process
  4: handler exception: [Errno 336445449] _ssl.c:365: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
  4: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 696, in top_new_client
    self.client = self.do_handshake(startsock, address)
  File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 604, in do_handshake
    keyfile=self.key)
  File "/usr/lib64/python2.7/ssl.py", line 387, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib64/python2.7/ssl.py", line 141, in __init__
    ciphers)
SSLError: [Errno 336445449] _ssl.c:365: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib

Is there anything else I should consider? This is supposed to be a regular crt converted via openssl x509 to a .pem file, with no password protection, right?

Thanks for any help!

brenard commented 9 years ago

@RyanHartje : I mean your cert file content is incorrect. It must contain both private and public in x509 format (private key first). You could verify the file format in the example file provided in console/cert.pem. Check also if your cert file path is correctly handled by the script (use an absolute path to be sure) and check if this file is readable by the user running the webvirtmgr-console script (user configured in supervisord).

goshlanguage commented 9 years ago

Thanks for the help Brenard, I'm still having a bit of trouble.

I have converted my .key and .crt to pem (key first, followed by crt), I have also tried the crt and key by themselves (the key with rsa), but I am receiving errors for all of them.

Am I supposed to use the CA Bundle? The file is chowned by nginx:nginx, and is the correct permissions (644 should suffice). I have also tried using full paths, but I believe my issue is with my understanding of what the cert.pem should contain.

I am using the crt and key from the SSL that is connecting to the Hypervisor running webvirtmgr-novnc, is this correct?

brenard commented 9 years ago

@RyanHartje : I don't understand what you mean about CA Bundle. Here is an example of your cert.pem file content:

-----BEGIN PRIVATE KEY-----
MIICdgIBADANB~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[...]
~~~~~~~~~~~~~~~~~~~~~mxxJ1iHfKROzfg==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIC3DCCAkW~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[...]
~~~~~~~~~~~~~~~~~~~~~AwLWmFwb3Jvemhre==
-----END CERTIFICATE-----

Concerning rights, check that the directory that contains the cert.pem file is accessible by the user running the webvirtmgr-console script.

You could also try to connect to this script's socket using the openssl s_client command to view which certificate is indeed used:

openssl s_client -connect 127.0.0.1:6080

goshlanguage commented 9 years ago

Thank you for pointing that out, my key and crt were already in pem format, so just pasting them together in cert.pem resolved that, now I get return data on openssl s_client (thank you for showing me this as well, very helpful!):

$ openssl s_client -connect 192.168.60.90:6080
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1

[truncated for brevity]

No client certificate CA names sent
---
SSL handshake has read 1546 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: [omitted]
    Session-ID-ctx:
    Master-Key: [omitted]
    Key-Arg   : None
    Start Time: 1429718376
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

It says it's not able to verify it, but it's actually connecting. I'm not sure what behavior to expect from webvirtmgr-novnc from this. The cert is issued from a trusted source.

My connection is still dropping, and I am getting this again:

  2: handler exception: WSRequestHandler instance has no attribute 'last_code'

This kind of brings me full circle though, as I tried to apply the crt files from the client server on the hypervisor, to allow novnc to connect over SSL. Do you have any recommendations?

Just a note, I am changing the ssl_only=False to true, to force SSL. If this is problematic, please let me know.

Another note, my key, if converted with openssl rsa will end up in ==, but converting my .crt to .pem with openssl x509 does not result in the same outcome. If I paste these outputs together, I get similar errors to my initial error from webvirtmgr-novnc. If you find this problematic, can you explain your process of converting the SSL?

These are the commands I've tried:

openssl rsa -in ./my.key -out ./key.pem -outform PEM
openssl x509 -in ./my.crt -out ./crt.pem -outform PEM
cat ./key.pem > ./cert.pem
cat ./crt.pem >> ./cert.pem

This results in the _ssl.c:365: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM type issues. Alternatively, what I've done to resolve the errors is this:

cat ./my.key > ./cert.pem
cat ./my.crt >> ./cert.pem

We can ignore perms issues, as I'm running webvirtmgr as root to test, and it's owned by nginx/644.

goshlanguage commented 9 years ago

The more I look into it, the more I suspect the cert isn't associated with a known CA. I'll try a different SSL provider shortly and see if this resolves the issue.

brenard commented 9 years ago

@RyanHartje : You're right, it's a CA certificate problem:

depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1

You have to put your CA chain certificate(s) in the cert.pem file as explained here:

https://docs.python.org/dev/library/ssl.html#certificate-chains

Your private key must be at the top of the file, your certificate in second position, and after that put the CA chain certificate(s). I just tried with this kind of cert.pem file and it works well. After that, if you use the openssl s_client command to connect to the webvirtmgr-console script, you can see that more than one certificate is provided.

Example :

~$ openssl s_client -connect 127.0.0.1:6080
CONNECTED(00000003)
[...]
---
Certificate chain
 0 s:/C=FR/ST=Ile de France/L=Paris/O=Easter-eggs/CN=*.aconit.easter-eggs.fr/emailAddress=admin@easter-eggs.com
   i:/C=FR/O=Easter-eggs/OU=Certification services/CN=Easter-eggs Root CA/emailAddress=admin@easter-eggs.com
 1 s:/C=FR/O=Easter-eggs/OU=Certification services/CN=Easter-eggs Root CA/emailAddress=admin@easter-eggs.com
   i:/C=FR/O=Easter-eggs/OU=Certification services/CN=Easter-eggs Root CA/emailAddress=admin@easter-eggs.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=FR/ST=Ile de France/L=Paris/O=Easter-eggs/CN=*.aconit.easter-eggs.fr/emailAddress=admin@easter-eggs.com
issuer=/C=FR/O=Easter-eggs/OU=Certification services/CN=Easter-eggs Root CA/emailAddress=admin@easter-eggs.com
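
Added example, not part of the original thread or of WebVirtMgr: a small Python linter for the combined cert.pem layout discussed above (unencrypted private key first, then the server certificate, then the CA chain certificates). The names `lint_bundle` and `sample_block`, the finding codes and the placeholder PEM bodies are constructed for illustration.

```python
import base64
import binascii
import re

# Matches one PEM block and captures its label and body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*\n(.*?)\n-----END \1-----", re.S)


def lint_bundle(text):
    """Return finding codes for a combined key + certificate PEM bundle."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no-pem-blocks"]  # DER-encoded input, empty file or wrong path
    findings = []
    labels = [label for label, _ in blocks]
    for label, body in blocks:
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            findings.append("encrypted-key")  # a daemon cannot ask for a passphrase
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            der = b""
        if not der.startswith(b"\x30"):  # keys and certificates are DER SEQUENCEs
            findings.append("corrupt-body:" + label)
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        findings.append("no-private-key")
    elif not labels[0].endswith("PRIVATE KEY"):
        findings.append("key-not-first")
    certs = labels.count("CERTIFICATE")
    if certs == 0:
        findings.append("no-certificate")
    elif certs == 1:
        # Fine for a self-signed or root-issued certificate; otherwise clients
        # may report "unable to get local issuer certificate" as in the thread.
        findings.append("leaf-only")
    return findings


def sample_block(label, body="MAA="):
    """Build a constructed placeholder block (not real key material)."""
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed sample bundles.
GOOD = sample_block("PRIVATE KEY") + sample_block("CERTIFICATE") * 2
CERT_FIRST = sample_block("CERTIFICATE") + sample_block("PRIVATE KEY")
LOCKED_KEY = (sample_block("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\n\nMAA=")
              + sample_block("CERTIFICATE") * 2)

if __name__ == "__main__":
    for name, bundle in [("good", GOOD), ("cert first", CERT_FIRST),
                         ("locked key", LOCKED_KEY)]:
        print(name, lint_bundle(bundle) or "ok")
```

This checks the file layout only; whether the key matches the certificate and whether the chain verifies still has to be confirmed against the running service with `openssl s_client`.
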

goshlanguage commented 9 years ago

Great! Thank you for this help! I now have the cert working great! Although novnc still doesn't work, I think it's from a modification I am testing:

# /usr/bin/python /var/www/webvirtmgr/console/webvirtmgr-console
WARNING:root:No local_settings file found.
WebSocket server settings:
  - Listen on 0.0.0.0:6080
  - Flash security policy server
  - SSL/TLS support
  - Deny non-SSL/TLS connections
  - proxying from 0.0.0.0:6080 to ignore:ignore

  2: handler exception: WSRequestHandler instance has no attribute 'last_code'

I know it's out of scope at this point, but do you have any further ideas for how to troubleshoot this issue? The cert is certainly correct now:

# openssl s_client -connect 192.168.60.90:6080
CONNECTED(00000003)
[...]
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
---
Server certificate
[...]
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA

As you see, the cert is correct, but I'm still getting the last_code issue. I appreciate any advice you might have.

Thanks again for all your help.

brenard commented 9 years ago

Great! For your problem, you are not the first with this last_code error. After some searching, I found that it could only happen if you are using the Nova novnc python lib. Personally, I'm using the lib from the websockify package (from the Debian Jessie websockify package) and I don't have this error. Could you try to install the websockify package? Webvirtmgr will first try to use this lib. If you don't use Debian, you could install the websockify package by using the command:

pip install websockify

goshlanguage commented 9 years ago

I use websockify:

# pip install websockify
Requirement already satisfied (use --upgrade to upgrade): websockify in /usr/lib/python2.7/site-packages
Cleaning up...

Is it possible it's old? I'm on Centos7: websockify (0.5.1)

I upgraded it to 0.6.0 but webvirtmgr-console no longer starts up.

brenard commented 9 years ago

Furthermore, I'm working on a patch that permits (amongst other things) passing parameters to webvirtmgr-console, and in particular the -d parameter to enable debug. This could be helpful to understand your problem. I also fixed a problem when using the SPICE console over HTTPS.

You could get this patch on my fork : https://github.com/brenard/webvirtmgr

brenard commented 9 years ago

It's not the latest version, the version 0.6.0 is available and I'm using it: https://pypi.python.org/pypi/websockify

You could try to upgrade.

johnerramirez commented 8 years ago

I'm also having the same error. I already updated with git pull.

What I can see is that there is no console/webvirtmg-novnc script file.

Please explain clearly what the solution is.

pitachx commented 8 years ago

Change all webvirtmg-novnc to webvirtmg-console in /etc/supervisor/conf.d/webvirtmgr.conf and restart supervisor (works fine on Debian 7)