Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2021/01/23 03:35:11 UTC

[GitHub] [cloudstack] nxsbi opened a new issue #4612: After Upgrade to 4.15, NoVNC Console not working - HTTP 403, legacy console works

nxsbi opened a new issue #4612:
URL: https://github.com/apache/cloudstack/issues/4612


   ##### ISSUE TYPE
    * Bug Report
   
   
   ##### COMPONENT NAME
   ~~~
   UI - NoVNC 
   ~~~
   
   ##### CLOUDSTACK VERSION
   ~~~
   4.15.0
   ~~~
   
   ##### CONFIGURATION
   Advanced Networking, Upgrade from 4.11.1., SSL for Console Proxy enabled (certificates installed and working fine prior to upgrade)
   
   ##### OS / ENVIRONMENT
   CentOS 7, MySQL 5.5, CS 4.15.0, xcp-ng 7.4
   I use SSL Certificate for Console Proxy.
   
   ##### SUMMARY
   By Default, 
   `novnc.console.default = True`
   
   With that, I am not able to view the Console via Web. When I click on the console icon, the new page is just blank. In Chrome, if I select "View Frame Source", I get HTTP 403 error:
   
   URL Format = https://sitename.com/resource/noVNC/vnc.html?port=8080&token=
   
   ![image](https://user-images.githubusercontent.com/71042351/105567600-f0acf680-5ce7-11eb-84f1-93601d5d5de3.png)
   
   
   I went to the console VM directly using
   `ssh -i /root/.ssh/id_rsa.cloud -p 3922 root@LinkLocal`
   and did troubleshooting. I am seeing a possible issue in **/var/log/cloud.log**
   
   ```
   2021-01-23 03:05:22,271 INFO  [cloud.consoleproxy.ConsoleProxyResourceHandler] (Thread-38:null) Get resource request for /resource/noVNC/vnc.html
   2021-01-23 03:05:22,275 INFO  [cloud.consoleproxy.ConsoleProxyResourceHandler] (Thread-38:null) **Resource access is forbidden, uri: /resource/noVNC/vnc.html**
   ```
   
   In my CloudStack server, I cannot find any file named vnc.html, or in the console proxy either.  Is it missing in upgrade? Or do I need to follow any additional steps to install noVNC required files?
   
   If I switch 
   `novnc.console.default = False`
   everything works fine using the old vnc console. Since I use SSL for console Proxy, I do get a SSL secured connection as well. 
   
   Please advise!
   
   ##### STEPS TO REPRODUCE
   ~~~
   
   Not working out of the box (after performing upgrade)
   
   ~~~
   
   ##### EXPECTED RESULTS
   ~~~
   
   noVNC console loads without issue. 
   ~~~
   
   ##### ACTUAL RESULTS
   ~~~
   
   Console is blank (no frame loads)
   
   ~~~
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [cloudstack] coreymr commented on issue #4612: After Upgrade to 4.15, NoVNC Console not working - HTTP 403, legacy console works

Posted by GitBox <gi...@apache.org>.
coreymr commented on issue #4612:
URL: https://github.com/apache/cloudstack/issues/4612#issuecomment-910322248


   nxsbi - I'm running into an issue where noVNC is using the hypervisor host IP to launch the console instead of FQDN.  You said you are using SSL as well.  Is your cert a wildcard cert for domain name and/or IP address?
   
   I'm on ACS 4.15.1 and VMware 7.





[GitHub] [cloudstack] nxsbi commented on issue #4612: After Upgrade to 4.15, NoVNC Console not working - HTTP 403, legacy console works

Posted by GitBox <gi...@apache.org>.
nxsbi commented on issue #4612:
URL: https://github.com/apache/cloudstack/issues/4612#issuecomment-946318555


   Writing this as an update as I went through a Console SSL certificate update on CloudStack 4.15. In general do the steps listed at http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#changing-the-console-proxy-ssl-certificate-and-domain. Once you get the certificate issued, in my case, when I downloaded the certificate, it downloaded 3 files.
   One was named same as my domain - this is the actual certificate file.
   Out of the other two files one is the ROOT certificate and one is the INTERMEDIATE certificate - I don't know how you can tell what is what but in my case the files were named "AAA_Certificate_Services" this was the ROOT, and "USERTrust_RSA_Certification_Authority" this was the intermediate.
   Go to your cloudstack install, Infrastructure, and click on the SSL Certificates button
   
   In the steps above you created the private key, copy paste that into the PKCS#8 field
   Find the root certificate, and copy paste that into the Root Certificate
   Paste the Service certificate text into the certificate you received in the file 
   The DNS Domain Suffix will be consoleproxy.yoursite.com - without the *. in front - replace the consoleproxy with the actual name you use and yoursite with your actual site that you used while creating the certificate. If you used just yoursite.com in the certificate,  use that - in short this is same as the site you used for certificate
   
   Hope this clarifies any doubts
   
   
   ![image](https://user-images.githubusercontent.com/71042351/137834473-6b3edf72-08f3-4e92-ab7d-893a779570a2.png)
   
   
   
   
   





[GitHub] [cloudstack] nxsbi commented on issue #4612: After Upgrade to 4.15, NoVNC Console not working - HTTP 403, legacy console works

Posted by GitBox <gi...@apache.org>.
nxsbi commented on issue #4612:
URL: https://github.com/apache/cloudstack/issues/4612#issuecomment-913779467


   Not sure if you resolved this already, but double check Global Setting "consoleproxy.url.domain" - it must read the domain and not IP. Destroy and rebuild the System VMs (both storage and console).
   A few other things to check:
   - verify that the certificate is correctly loaded. Google search for that error message points to potential certificate issues.
   - verify via ping from internet that your console domain and external IP are pingable
   - verify internally within your network that the domain name and internal IP are pingable

   If all that fails, since your issue is specific to VMware 7 and it worked in 6.7, I would suggest filing a new bug report if you haven't already.





[GitHub] [cloudstack] nxsbi edited a comment on issue #4612: After Upgrade to 4.15, NoVNC Console not working - HTTP 403, legacy console works

Posted by GitBox <gi...@apache.org>.
nxsbi edited a comment on issue #4612:
URL: https://github.com/apache/cloudstack/issues/4612#issuecomment-946318555


   Writing this as an update as I went through a Console SSL certificate update on CloudStack 4.15. In general do the steps listed at http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#changing-the-console-proxy-ssl-certificate-and-domain. Once you get the certificate issued, in my case, when I downloaded the certificate, it downloaded 3 files.
   One was named same as my domain - this is the actual certificate file.
   Out of the other two files one is the ROOT certificate and one is the INTERMEDIATE certificate - I don't know how you can tell what is what but in my case the files were named "AAA_Certificate_Services" this was the ROOT, and "USERTrust_RSA_Certification_Authority" this was the intermediate.
   Go to your cloudstack install, Infrastructure, and click on the SSL Certificates button
   
   In the steps above you created the private key, copy paste that into the PKCS#8 field
   Find the root certificate, and copy paste that into the Root Certificate
   Paste the Service certificate text into the certificate you received in the file 
   The DNS Domain Suffix will be consoleproxy.yoursite.com - without the *. in front - replace the consoleproxy with the actual name you use and yoursite with your actual site that you used while creating the certificate. If you used just yoursite.com in the certificate,  use that - in short this is same as the site you used for certificate
   
   Hope this clarifies any doubts
   
   Once I did this, the storage and consoleproxy system vm restarted automatically and after a few minutes of wait (15-20) I was able to use the noVNC console.
   
   ![image](https://user-images.githubusercontent.com/71042351/137834473-6b3edf72-08f3-4e92-ab7d-893a779570a2.png)
   
   
   
   
   





[GitHub] [cloudstack] rhtyd commented on issue #4612: After Upgrade to 4.15, NoVNC Console not working - HTTP 403, legacy console works

Posted by GitBox <gi...@apache.org>.
rhtyd commented on issue #4612:
URL: https://github.com/apache/cloudstack/issues/4612#issuecomment-910480201


   cc @davidjumani 





[GitHub] [cloudstack] nxsbi commented on issue #4612: After Upgrade to 4.15, NoVNC Console not working - HTTP 403, legacy console works

Posted by GitBox <gi...@apache.org>.
nxsbi commented on issue #4612:
URL: https://github.com/apache/cloudstack/issues/4612#issuecomment-765858883


   I destroyed the Console Proxy System VM. Once a new one was built up, noVNC started working!
   
   Apologies for the false Alarm. 
   
   
   NOTE  - I HAD done a Manual restart of the Console Proxy and the version did show the 4.15 after restart. 
   It seems a Restart alone may not be enough for an upgrade! I also restarted all Virtual routers, and SSVM, as well as Cloudstack-management service prior to posting this issue. 
   





[GitHub] [cloudstack] nxsbi commented on issue #4612: After Upgrade to 4.15, NoVNC Console not working - HTTP 403, legacy console works

Posted by GitBox <gi...@apache.org>.
nxsbi commented on issue #4612:
URL: https://github.com/apache/cloudstack/issues/4612#issuecomment-910516377


   > nxsbi - I'm running into an issue where noVNC is using the hypervisor host IP to launch the console instead of FQDN. You said you are using SSL as well. Is your cert a wildcard cert for domain name and/or IP address?
   > 
   > I'm on ACS 4.15.1 and VMware 7.
   
   I use a wildcard certificate *.consoleproxy.yoursite.com
   You need to also make sure your Global Setting "consoleproxy.url.domain" parameter shows the exact same domain consoleproxysecure.yoursite.com - where the consoleproxy.yoursite.com is a publicly available domain. I had to add an A record on my domain to forward the console proxy external IP to resolve to that name. 
   
   Once you have added the certificate, as listed on http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#using-a-ssl-certificate-for-the-console-proxy
    you should destroy the console proxy VM so a new one gets created. Restarting did not work for me. 
   
   In my case I did not add the ROOT CA or Intermediate CA
   
   Hope this helps
   





[GitHub] [cloudstack] nxsbi closed issue #4612: After Upgrade to 4.15, NoVNC Console not working - HTTP 403, legacy console works

Posted by GitBox <gi...@apache.org>.
nxsbi closed issue #4612:
URL: https://github.com/apache/cloudstack/issues/4612


   





[GitHub] [cloudstack] coreymr commented on issue #4612: After Upgrade to 4.15, NoVNC Console not working - HTTP 403, legacy console works

Posted by GitBox <gi...@apache.org>.
coreymr commented on issue #4612:
URL: https://github.com/apache/cloudstack/issues/4612#issuecomment-910523062


   Yes - all that is how I have it configured.  Console actually worked with VMware 6.7, but after upgrade to VMware 7 that is when the issue came up.  My issue is that the console proxy is passing the IP as the "host" parameter instead of FQDN. 
   
   ```
   2021-09-01 16:55:22,163 INFO  [cloud.consoleproxy.ConsoleProxyNoVncClient] (Thread-130:null) Connect to VNC over websocket URL: wss://<hypervisor IP>:443/ticket/c63e7b287dabc7e4
   2021-09-01 16:55:22,186 INFO  [consoleproxy.websocket.WebSocketReverseProxy] (WebSocketWriteThread-176:null) Closing connection to websocket: reason= code=-1 remote=true
   2021-09-01 16:55:22,186 ERROR [consoleproxy.websocket.WebSocketReverseProxy] (WebSocketConnectReadThread-175:null) Error on connection to websocket: No subject alternative names matching IP address <hypervisor IP> found
   ```
   


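The name check behind the "No subject alternative names matching IP address" error in the last comment, as an added example that is not part of the thread or of CloudStack's code. It shows the standard TLS rule that an IP-literal target is compared only with iPAddress SAN entries and a hostname only with dNSName entries, where `*` stands for exactly one left-most label. The function names, the SAN lists, the address 192.0.2.10 (standing in for `<hypervisor IP>`) and the host names `cpvm1` and `esx01` are constructed for illustration.

```python
import ipaddress

def dns_name_matches(pattern, host):
    """Compare a dNSName SAN with a hostname: case-insensitive, and a '*'
    is honoured only as the entire left-most label (one label, no more)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def check_target(target, sans):
    """Return (ok, reason). sans is a list of (kind, value), kind "DNS" or "IP"."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literal: only iPAddress entries are consulted, dNSName entries never are.
        for kind, value in sans:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True, f"iPAddress SAN {value}"
        return False, f"no iPAddress SAN equals {target}"
    for kind, value in sans:
        if kind == "DNS" and dns_name_matches(value, target):
            return True, f"dNSName SAN {value}"
    return False, f"no dNSName SAN matches {target}"

# Constructed SAN lists (assumptions, not taken from any real certificate).
WILDCARD_CERT = [("DNS", "*.consoleproxy.yoursite.com")]
HOST_CERT_WITH_IP = [("DNS", "esx01.yoursite.com"), ("IP", "192.0.2.10")]

if __name__ == "__main__":
    for target, sans in [
        ("192.0.2.10", WILDCARD_CERT),
        ("192.0.2.10", HOST_CERT_WITH_IP),
        ("cpvm1.consoleproxy.yoursite.com", WILDCARD_CERT),
        ("consoleproxy.yoursite.com", WILDCARD_CERT),
        ("a.b.consoleproxy.yoursite.com", WILDCARD_CERT),
    ]:
        print(target, "->", check_target(target, sans))
```

A connection made by IP address validates only when the certificate presented by that endpoint carries the address as an iPAddress SAN; otherwise the client has to connect by a name the certificate covers.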