noVNC, "Failed to connect to server"

Dear All

How to diagnose "Failed to connect to server" error when attempting to
open noVNC console in foreman web UI? I could not find anything helpful
in the logs[1]. {grep for AVC [4]}

Does the websockify process connect to the libvirt (hypervisor) host as
user foreman?

I noticed in https://foreman-test.example.com/pub/ that only the
katello-server-ca.crt was available, whereas the katello[3] docs said
to use katello-default-ca.crt

[root@foreman-test ~]# grep -r "katello-default-ca.crt" /etc/
http://paste.fedoraproject.org/336637/76107791/

That katello-default-ca.crt seems to be the one in use in the config
files, but they are the same. So that is not the problem.

On my libvirt host:
~]$ firewall-cmd --list-ports
1025-65535/udp 1025-65535/tcp

I got an SELinux error on Fedora 22, so I had to do:

/sbin/restorecon -v /dev/shm/lldpad.state

BROWSER

Firefox

network.websocket.allowInsecureFromHTTPS true

BACKGROUND STUFF

I have a new install of katello on a RHEL7 server. My libvirt host is
Fedora 22 (configured as my Compute resource).

I followed foreman docs' LibVirt notes[2]

I created the foreman user on the Satellite base system and on the libvirt
system (because the Satellite web UI runs as that user), created SSH keys
for that user, and ran ssh-copy-id to the libvirt system.

~]$ id foreman
uid=1002(foreman) gid=1012(foreman)
groups=1012(foreman),10(wheel),977(libvirt) << ADDED TO GROUP

I added these polkit rules in /etc/polkit-1/rules.d/80-libvirt.rules:

polkit.addRule(function(action, subject) {
    if (action.id == "org.libvirt.unix.manage" && subject.local &&
        subject.active && subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});

// Allow any user in the 'libvirt' group to connect to system libvirtd
// without entering a password.
polkit.addRule(function(action, subject) {
    if (action.id == "org.libvirt.unix.manage" &&
        subject.isInGroup("libvirt")) {
        return polkit.Result.YES;
    }
});

It works for everything (virsh test commands, the Satellite web UI lists
all the VMs, I can stop and start them) but the noVNC console always fails.

[root@foreman-test ~]# rpm -q foreman
foreman-1.10.2-1.el7.noarch
[root@foreman-test ~]# rpm -q katello
katello-2.4.0-7.el7.noarch
[root@foreman-test ~]#

chrony is running, my systems have correct time and were less than a
minute apart when I checked.

[1] https://paste.fedoraproject.org/336635/
[2] http://www.theforeman.org/manuals/1.10/index.html#5.2.5LibvirtNotes
[3] http://www.katello.org/docs/2.4/installation/index.html#katello-deploy
[4] http://paste.fedoraproject.org/336647/61275014/

Thank you for any advice

--
Stephen Wadeley
Content Author | Red Hat, Inc.
Purkynova 99 | Brno, Czech Republic

> How to diagnose "Failed to connect to server" error when attempting to open
> noVNC console in foreman web UI? I could not find anything helpful in the
> logs[1]. {grep for AVC [4]}

The first thing to check is after you open the screen, immediately list
processes on your Foreman server, you should find process websockify.py.
If you list with all parameters (ps auxwww) then you will see exactly
what certificates it was launched with.

It must match with Foreman web application server certificate, which was
loaded by the browser.

Then check connections Browser <-> websockify.py <-> libvirt VM.

Also check if the VM was launched with VNC or Spice console. The port is
usually random, something like 5900 + N. You can easily misconfigure the
VM and launch it without remote console.

--
Later,
Lukas #lzap Zapletal

Hello

I spent some time testing certificates. I am now testing on a new
install and settings are, by default:

less /etc/foreman/settings.yaml
:websockets_ssl_key: /etc/pki/katello/private/katello-apache.key
:websockets_ssl_cert: /etc/pki/katello/certs/katello-apache.crt

/etc/httpd/conf.d/05-foreman-ssl.conf: SSLCertificateFile
"/etc/pki/katello/certs/katello-apache.crt"
/etc/httpd/conf.d/05-foreman-ssl.conf: SSLCertificateKeyFile
"/etc/pki/katello/private/katello-apache.key"
/etc/httpd/conf.d/05-foreman-ssl.conf: SSLCertificateChainFile
"/etc/pki/katello/certs/katello-default-ca.crt"
/etc/httpd/conf.d/05-foreman-ssl.conf: SSLCACertificatePath
"/etc/pki/tls/certs"
/etc/httpd/conf.d/05-foreman-ssl.conf: SSLCACertificateFile
"/etc/pki/katello/certs/katello-default-ca.crt"

I see "katello-apache" in both config files.

I have VM set to use VNC and port is set to auto (currently 5902)

I have found out how to disable authentication and I still get an error:

foreman 29822 0.0 0.2 105800 8608 ? S 11:33 0:00
/usr/bin/python /usr/share/foreman/extras/noVNC/websockify.py --daemon
--idle-timeout=120 --timeout=120 5927 dhcp-4-151.brq.redhat.com:5902
foreman 29828 0.0 0.2 105800 8612 ? S 11:33 0:00
/usr/bin/python /usr/share/foreman/extras/noVNC/websockify.py --daemon
--idle-timeout=120 --timeout=120 5911 dhcp-4-151.brq.redhat.com:5902

Thank you

On 03/11/2016 11:28 AM, Lukas Zapletal wrote:


I've also seen recently that browsers now reject sha1 based certificates,
YMMV.

Ohad

On Mar 11, 2016 12:28, Lukas Zapletal wrote:

I did see that mentioned and sha1 is still used downstream, for which I
raised a bug, but latest katello and foreman has sha256

Thank you

On 03/11/2016 01:16 PM, Ohad Levy wrote:

I have set:
:websockets_encrypt: false

I have tested using vncviewer, the VNC proto is working, I can view the
target VM's desktop on port 5902.

Found logs, this is extract:

/var/log/foreman/production.log:2016-03-11 18:01:35 [app] [D] VNCProxy
Error: WebSocket server settings:
/var/log/foreman/production.log:2016-03-11 18:01:35 [app] [D] VNCProxy
Error: - Listen on :5928
/var/log/foreman/production.log:2016-03-11 18:01:35 [app] [D] VNCProxy
Error: - Flash security policy server
/var/log/foreman/production.log:2016-03-11 18:01:35 [app] [D] VNCProxy
Error: - No SSL/TLS support (no cert file)
/var/log/foreman/production.log:2016-03-11 18:01:35 [app] [D] VNCProxy
Error: - Backgrounding (daemon)

Longer extract and pretty version of logs here:
https://paste.fedoraproject.org/337262/45771622/

Why is "No SSL/TLS support (no cert file)" listed as an error now that I
have "websockets_encrypt: false"?

Thank you

On 03/11/2016 01:34 PM, Stephen Wadeley wrote:

Resurrecting the thread, sorry for the delay.

> I have tested using vncviwer, the VNC proto is working, I can view the
> target VMs desktop on port 5902.

Ok, good test.

> Found logs, this is extract:
>
> var/log/foreman/production.log:2016-03-11 18:01:35 [app] [D] VNCProxy Error:
> WebSocket server settings:
> /var/log/foreman/production.log:2016-03-11 18:01:35 [app] [D] VNCProxy
> Error: - Listen on :5928
> /var/log/foreman/production.log:2016-03-11 18:01:35 [app] [D] VNCProxy
> Error: - Flash security policy server
> /var/log/foreman/production.log:2016-03-11 18:01:35 [app] [D] VNCProxy
> Error: - No SSL/TLS support (no cert file)
> /var/log/foreman/production.log:2016-03-11 18:01:35 [app] [D] VNCProxy
> Error: - Backgrounding (daemon)
>
> Why is "No SSL/TLS support (no cert file)" listed as an error now that I
> have "websockets_encrypt: false"?

This is actually not an error, but the standard output of the websockify.py
program; we mis-print that output at error level. Everything
should be operating correctly, it simply informs you that no certificate
file was provided on the command line (which matches your ps output):

https://github.com/theforeman/foreman/blob/develop/extras/noVNC/websockify/websocket.py#L616-L638

Now, if you restarted httpd, the noVNC console should attempt to
communicate with websockify over a non-SSL connection. Whether that is
allowed or not depends on the browser policy (the Foreman web UI is always
HTTPS unless you turn this off).

I doubt today's browsers allow this, and this is a good thing. The key
is to enable SSL again to get this working.

What setup are you trying? Is this upstream Katello? Which version?

--
Later,
Lukas #lzap Zapletal

Yes.

> Which version?
[root@foreman-test ~]# rpm -q katello
katello-2.4.1-1.el7.noarch

[root@foreman-test ~]# rpm -q foreman
foreman-1.10.2-1.el7.noarch

I tested again after rebooting, does not work.

Set this back to true: :websockets_encrypt: true
uncommented the certs, restarted httpd, tested again, still fails.

BTW, I have to do this on Fedora 22 (where my browser and libvirt are
running):
/sbin/restorecon -v /dev/shm/lldpad.state

Are there any logs that can help?

Thank you

On 03/22/2016 01:00 PM, Lukas Zapletal wrote:

> I tested again after rebooting, does not work.

Ok, now what's important - how you installed katello. Can you dig your
installer options? Perhaps send me your answers file or foreman-debug -u

> Set this back to true: :websockets_encrypt: true
> uncommented the certs, restarted httpd, tested again, still fails.

This should be by default turned on and working as expected. Have you
touched these files after installation? Have you regenerated some certs
or something like that?

> Are there any logs that can help?

foreman-debug -u

--
Later,
Lukas #lzap Zapletal

>> I tested again after rebooting, does not work.
>
> Ok, now what's important - how you installed katello. Can you dig your
I followed http://www.katello.org/docs/2.4/installation/index.html

> installer options? Perhaps send me your answers file or foreman-debug -u
OK, see http://paste.fedoraproject.org/344132/14587375/
>
>> Set this back to true: :websockets_encrypt: true
>> uncommented the certs, restarted httpd, tested again, still fails.
>
> This should be by default turned on and working as expected. Have you
It was on, but nothing worked, so I tried disabling it just to see if I
could get VNC console to work without SSL
> touched these files after installation? Have you regenerated some certs
> or something like that?
This is a new clean install I did specifically to debug this issue (as I
had been making changes to a previous test instance).
>
>> Are there any logs that can help?
>
> foreman-debug -u
>
http://debugs.theforeman.org/foreman-debug-3CFQz.tar.xz

Thank you

On 03/23/2016 01:28 PM, Lukas Zapletal wrote:

> http://debugs.theforeman.org/foreman-debug-3CFQz.tar.xz

Works fine here, the only difference is you have an extra
SSLCACertificatePath option. Can you comment it out and restart httpd
process? Make sure your websocket options are set correctly.

/etc/httpd/conf.d/05-foreman-ssl.conf

SSLEngine on
SSLCertificateFile "/etc/pki/katello/certs/katello-apache.crt"
SSLCertificateKeyFile "/etc/pki/katello/private/katello-apache.key"
SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt"
SSLCACertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"
#SSLCACertificatePath "/etc/pki/tls/certs" # THIS LINE
SSLVerifyClient optional
SSLVerifyDepth 3
SSLOptions +StdEnvVars +ExportCertData

grep websocket /etc/foreman/settings.yaml
:websockets_encrypt: on
:websockets_ssl_key: /etc/pki/katello/private/katello-apache.key
:websockets_ssl_cert: /etc/pki/katello/certs/katello-apache.crt

Check the permissions and SELinux contexts on these files:

ls -laZ /etc/pki/katello/private/katello-apache.key /etc/pki/katello/certs/katello-apache.crt

-rw-r--r--. root root unconfined_u:object_r:cert_t:s0 /etc/pki/katello/certs/katello-apache.crt
-r--r-----. apache foreman system_u:object_r:cert_t:s0 /etc/pki/katello/private/katello-apache.key

Also make sure you match the requirements described in
http://theforeman.org/manuals/1.10/index.html#7.1NoVNC

  • When using Firefox, if you use Foreman via HTTPS, Firefox might block
    the connection. To fix it, go to about:config and enable
    network.websocket.allowInsecureFromHTTPS.

  • When using Chrome, browse to chrome://flags/ and enable
    allow-insecure-websocket-from-https-origin. Recent versions of Chrome
    (e.g. 44) have removed the flag. An alternative workaround is to launch
    Chrome with a command-line argument like this $ google-chrome-stable
    --allow-running-insecure-content &

Restart (!) your browser and report the version you have if this fails for
you again.

--
Later,
Lukas #lzap Zapletal
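To make the checks in this message repeatable, here is a small script (an example added to this thread, not something Foreman or Katello ship) covering what Lukas asks to verify: that the key and certificate named in settings.yaml are readable by the user websockify runs as (foreman, per the ps output earlier in the thread), that the key carries the cert_t label, and that the key actually pairs with the certificate. It assumes sh, awk, GNU stat (for -c %A and %C), openssl, and the paths quoted above; the file name and the "run" argument are this example's own.

```shell
#!/bin/sh
# key_access_check.sh: can the user websockify runs as read the key in settings.yaml,
# is the key labelled cert_t, and does it pair with the certificate?
# Added example for this thread, not Foreman/Katello tooling. Assumes sh, awk, GNU stat, openssl.

SETTINGS=/etc/foreman/settings.yaml   # path quoted in the thread
PROXY_USER=foreman                    # user shown in the ps output earlier in the thread

# Value of a ":websockets_*:" key in settings.yaml, e.g. setting "$SETTINGS" websockets_ssl_key
setting() {
    awk -v k=":$2:" '$1 == k { print $2; exit }' "$1"
}

# Can USER read a file with this ls-style MODE/OWNER/GROUP? Unix applies exactly one class:
# owner if the user owns it, else group if the user is in the file's group, else other.
# $1 mode (e.g. -r--r-----.), $2 owner, $3 group, $4 user, $5 the user's groups (space separated)
can_read() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5
    if [ "$owner" = "$user" ]; then
        case "$mode" in ?r*) return 0 ;; esac
        return 1
    fi
    for g in $groups; do
        if [ "$g" = "$group" ]; then
            case "$mode" in ????r*) return 0 ;; esac
            return 1
        fi
    done
    case "$mode" in ???????r*) return 0 ;; esac
    return 1
}

# SELinux type from a context string: system_u:object_r:cert_t:s0 -> cert_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# --- live checks: need openssl and the real files ---------------------------------

key_pairs_with_cert() {   # public key inside the cert must equal the one derived from the key
    [ "$(openssl x509 -noout -pubkey -in "$2")" = "$(openssl pkey -pubout -in "$1" 2>/dev/null)" ]
}

main() {
    key=$(setting "$SETTINGS" websockets_ssl_key)
    cert=$(setting "$SETTINGS" websockets_ssl_cert)
    echo "websockets_encrypt=$(setting "$SETTINGS" websockets_encrypt) key=$key cert=$cert"
    set -- $(stat -c '%A %U %G' "$key")
    if can_read "$1" "$2" "$3" "$PROXY_USER" "$(id -Gn "$PROXY_USER")"; then
        echo "$PROXY_USER can read $key ($1 $2 $3)"
    else
        echo "$PROXY_USER CANNOT read $key ($1 $2 $3): websockify will start without a usable key"
    fi
    ctx=$(stat -c %C "$key")
    [ "$(context_type "$ctx")" = cert_t ] && echo "SELinux type ok ($ctx)" ||
        echo "unexpected SELinux context $ctx (try restorecon -v $key)"
    key_pairs_with_cert "$key" "$cert" && echo "key pairs with $cert" || echo "key does NOT pair with $cert"
}
case "$1" in run) main ;; esac
```

Run it as `sh key_access_check.sh run` on the Foreman server. The can_read logic mirrors the ls -laZ lines above: a key owned by apache with group foreman and mode 0440 is readable by foreman only because foreman is the file's group, so a key that was regenerated as root:root 0400 silently breaks websockify's TLS even though the path in settings.yaml is right.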

Hello

I commented out the SSLCACertificatePath directive

Reviewed other settings (they are as you suggest and as per my original
e-mail).

I am using Firefox 45.0
(I also tested with epiphany)

VNC Handshake starts, then
Failed to connect to server

I have already spent time checking logs, but do not know what to make of
them.

For example:

/var/log/foreman/production.log:2016-03-24 16:37:11 [app] [D] VNCProxy
Error: WebSocket server settings:
/var/log/foreman/production.log:2016-03-24 16:37:11 [app] [D] VNCProxy
Error: - Listen on :5915
/var/log/foreman/production.log:2016-03-24 16:37:11 [app] [D] VNCProxy
Error: - Flash security policy server
/var/log/foreman/production.log:2016-03-24 16:37:11 [app] [D] VNCProxy
Error: - SSL/TLS support
/var/log/foreman/production.log:2016-03-24 16:37:11 [app] [D] VNCProxy
Error: - Backgrounding (daemon)
/var/log/foreman/production.log:2016-03-24 16:37:11 [app] [I] Rendered
hosts/console/vnc.html.erb within layouts/application (3.3ms)
/var/log/foreman/production.log:2016-03-24 16:37:11 [app] [D] Starting
VNC Proxy: /usr/share/foreman/extras/noVNC/websockify.py --daemon
--idle-timeout=120 --timeout=120 5914 <my-host>:5902 --cert
/etc/pki/katello/certs/katello-apache.crt --key
/etc/pki/katello/private/katello-apache.key

I wonder would making libvirt produce verbose logs help?

Thank you

On 03/24/2016 12:53 PM, Lukas Zapletal wrote:

For the benefit of the list and the Interwebs, I eventually got this
working:

You need to use the host name in the browser URL field for the web UI
which matches the one used in the certificate as the CN value. If you
have configured the Foreman server with a FQDN before installation, then
the certificate should contain that FQDN. Testing using short host names
will not work.

Visit the public downloads page of the Satellite Server, for example
https://satellite.example.com/pub/, and click the certificate file
katello-server-ca.crt.

Check the CN value and compare it to the host name in your browser URL
field. It should match.

Select to trust the cert for websites.

Using "ps -aux | grep websock" on the Foreman server and checking the
host name and port in use can be very helpful once you understand the
importance of the host name and ports you are looking at. I found I had to
open ports 5900 to 5930 for TCP.

HTH

On 03/24/2016 04:58 PM, Stephen Wadeley wrote: