[GH-ISSUE #490] novnc wont connect #365

Open
opened 2026-02-27 16:39:01 +03:00 by kerem · 23 comments
Owner

Originally created by @grantpasley on GitHub (Jan 19, 2015).
Original GitHub issue: https://github.com/retspen/webvirtmgr/issues/490

hi there - when i try to connect to console i get error "connect timeout". this is a new install and all working fine up until trying to connect to console to configure guest - any advice / ideas?

thanks,
grant.


@aafanasyev commented on GitHub (Jan 19, 2015):

Hi,

Do you want to connect to ssh of the guest?
Do you have an ssh server installed on the guest?
What is your network topology? How are guests connected to the internet? Bridged or NAT?


@aafanasyev commented on GitHub (Jan 19, 2015):

For vnc
do you use in your vnc client (I use tiny vnc) configuration like ip:5900 address?
what OS do you use as a Virtual host server?


@grantpasley commented on GitHub (Jan 19, 2015):

hi there - this is for console access - i create the guest instance then start up in order to configure i get a timeout from the console pop-up window, please see attached screenshot.
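![console](https://cloud.githubusercontent.com/assets/10081766/5808011/75f4b546-a031-11e4-9e92-52770d5173b2.JPG)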


@kestel commented on GitHub (Jan 22, 2015):

Hello,

The same problem for me.
My network structure: WebVirtMgr (192.168.20.10) -> NAT (10.20.10.254) -> KVM server (10.20.10.20).
Host added to the WebVirtMgr with SSH connection. SSH connection from the WebVirtMgr host to the KVM host works fine.
VNC connection to 10.20.10.20:5900 works fine too.
The guest VM is connected with a bridged network.
When I try to open noVNC from the WebVirtMgr I get the error "Server disconnected (code: 1006)".
All hosts have no Internet connection, only local net.

UPD: all machines are Ubuntu 12.04 or 14.04.


@aafanasyev commented on GitHub (Jan 22, 2015):

I had the same problem when I installed on Ubuntu Server 14.04.1 in:

```
/var/www/webvirtmgr/
```

As described in the installation documents. However, when I installed everything (changing the paths in the related config files) to:

```
/var/www/
```

It worked for me just fine.


@kestel commented on GitHub (Jan 22, 2015):

It doesn't work for me =(


@brenard commented on GitHub (Jan 22, 2015):

Hello,

The console connection is pretty simple to understand: the web console uses a websocket to connect to port 6080 of your WebVirtMgr host; on this port, the console/webvirtmgr-novnc script must be listening. This script opens a TCP socket to the VNC console of the guest using the hostname of the KVM host and the port of the VNC console. After that, the script proxies between the websocket and the VNC socket.

To troubleshoot, you have to verify:

  • that your console/webvirtmgr-novnc script is listening on port 6080 of your WebVirtMgr host. Check it with the "netstat -lnp" command and, if it is not running, you could try to run it manually (without arguments) with the same user used by supervisord.
  • that you can connect to the VNC socket of your guest from the WebVirtMgr host: you could try with a telnet command if you don't have an X server on your WebVirtMgr host and, if this is not working, check that your VNC console is not listening on localhost.

Actually, if you use a reverse proxy in front of your WebVirtMgr instance, your browser cannot connect to the websocket because the hostname that is used is the same as the one used to connect to WebVirtMgr: with a reverse proxy, this address is 127.0.0.1. I wrote a patch for that, permitting you to manually configure the public hostname to use for the websocket. It's available here: https://github.com/brenard/webvirtmgr/commit/731bc3304bb319656a7c1f90d9d858be736a06f5

If you have NAT between the WebVirtMgr host and your KVM host, I mean your WebVirtMgr host cannot connect to the VNC console of your guests. In this topology, WebVirtMgr has to open an SSH tunnel to connect to your KVM host. I'm working on this feature and a pull request is pending for that: https://github.com/retspen/webvirtmgr/pull/488

You could try it if you want, and give me feedback. It could be useful for me to debug it in other use cases.


@kestel commented on GitHub (Jan 23, 2015):

Hello brenard,

Thanks for your patch ( brenard@731bc33 ), it works well and helps me for half.
Now noVNC works fine with http connection without encryption and doesn't work via https.

I think I need to read something about wss.

When I try to run webvirtmgr-novnc by hand I get the following:

```
www-data$ /var/www/webvirtmgr/console/webvirtmgr-novnc 
WebSocket server settings:
  - Listen on 0.0.0.0:6080
  - Flash security policy server
  - SSL/TLS support
  - proxying from 0.0.0.0:6080 to ignore:ignore

  1: handler exception: WSRequestHandler instance has no attribute 'last_code'
  2: handler exception: WSRequestHandler instance has no attribute 'last_code'
  3: 10.10.11.11: Plain non-SSL (ws://) WebSocket connection
  3: 10.10.11.11: Version hybi-13, base64: 'False'
  3: connecting to: hv-node3.example.com:5900
```

1, 2 - trying to connect by https
3 - successful connection by http
10.10.11.11 (my workstation) -> NAT (10.20.10.254) -> KVM server (10.20.10.20)


@brenard commented on GitHub (Jan 23, 2015):

Hello kestel,

I mean your installation is too old, could you try to upgrade it? WSRequestHandler does not exist for me in the current version.

Concerning HTTPS access, you have to know that WebVirtMgr automatically enables SSL on the websocket too. So you have to configure a correct SSL certificate and key for webvirtmgr-novnc. You have to edit webvirtmgr-novnc and modify the CERT variable at the top of the file. This file must contain both the private key and the public key (as you can see in the cert.pem file in the console folder). This certificate must be considered valid by your web browser.


@goshlanguage commented on GitHub (Apr 21, 2015):

After changing the WS_CERT param in webvirtmgr/settings.py, I am getting the following errors:


```
x webvirtmgr]# /usr/bin/python /var/www/webvirtmgr/console/webvirtmgr-console
WARNING:root:No local_settings file found.
WebSocket server settings:
  - Listen on 0.0.0.0:6080
  - Flash security policy server
  - SSL/TLS support
  - Deny non-SSL/TLS connections
  - proxying from 0.0.0.0:6080 to ignore:ignore

  1: handler exception: [Errno 336445449] _ssl.c:365: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
  1: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 696, in top_new_client
    self.client = self.do_handshake(startsock, address)
  File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 604, in do_handshake
    keyfile=self.key)
  File "/usr/lib64/python2.7/ssl.py", line 387, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib64/python2.7/ssl.py", line 141, in __init__
    ciphers)
SSLError: [Errno 336445449] _ssl.c:365: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib

  2: handler exception: [Errno 336445449] _ssl.c:365: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
  2: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 696, in top_new_client
    self.client = self.do_handshake(startsock, address)
  File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 604, in do_handshake
    keyfile=self.key)
  File "/usr/lib64/python2.7/ssl.py", line 387, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib64/python2.7/ssl.py", line 141, in __init__
    ciphers)
SSLError: [Errno 336445449] _ssl.c:365: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib

  3: 72.183.110.211: new handler Process
  3: handler exception: [Errno 336445449] _ssl.c:365: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
  3: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 696, in top_new_client
    self.client = self.do_handshake(startsock, address)
  File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 604, in do_handshake
    keyfile=self.key)
  File "/usr/lib64/python2.7/ssl.py", line 387, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib64/python2.7/ssl.py", line 141, in __init__
    ciphers)
SSLError: [Errno 336445449] _ssl.c:365: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib

  4: 72.183.110.211: new handler Process
  4: handler exception: [Errno 336445449] _ssl.c:365: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
  4: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 696, in top_new_client
    self.client = self.do_handshake(startsock, address)
  File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 604, in do_handshake
    keyfile=self.key)
  File "/usr/lib64/python2.7/ssl.py", line 387, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib64/python2.7/ssl.py", line 141, in __init__
    ciphers)
SSLError: [Errno 336445449] _ssl.c:365: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
```

Is there anything else I should consider? This is supposed to be a regular crt converted via openssl x509 to a .pem file, with no password protection, right?

Thanks for any help!


@brenard commented on GitHub (Apr 21, 2015):

@RyanHartje: I mean your cert file content is incorrect. It must contain both private and public in x509 format (private key first). You could verify the file format in the example file provided in console/cert.pem. Check also if your cert file path is correctly handled by the script (use an absolute path to be sure) and check if this file is readable by the user that is running the webvirtmgr-console script (user configured in supervisord).


@goshlanguage commented on GitHub (Apr 22, 2015):

Thanks for the help Brenard, I'm still having a bit of trouble.

I have converted my .key and .crt to pem (key first, followed by crt), I have also tried the crt and key by themselves (the key with rsa), but I am receiving errors for all of them.

Am I supposed to use the CA Bundle? The file is chowned by nginx:nginx, and is the correct permissions (644 should suffice). I have also tried using full paths, but I believe my issue is with my understanding of what the cert.pem should contain.

I am using the crt and key from the SSL that is connecting to the Hypervisor running webvirtmgr-novnc, is this correct?


@brenard commented on GitHub (Apr 22, 2015):

@RyanHartje: I don't understand what you mean about CA Bundle. Here is an example of your cert.pem file content:

```
-----BEGIN PRIVATE KEY-----
MIICdgIBADANB~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[...]
~~~~~~~~~~~~~~~~~~~~~mxxJ1iHfKROzfg==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIC3DCCAkW~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[...]
~~~~~~~~~~~~~~~~~~~~~AwLWmFwb3Jvemhre==
-----END CERTIFICATE-----
```

Concerning rights, check that the directory that contains the cert.pem file is accessible by the user running the webvirtmgr-console script.

You could also try to connect to this script's socket using the openssl s_client command to view which certificate is indeed used:

```
openssl s_client -connect 127.0.0.1:6080
```

@goshlanguage commented on GitHub (Apr 22, 2015):

Thank you for pointing that out, my key and crt were already in pem format, so just pasting them together in cert.pem resolved that, now I get return data on openssl s_client (thank you for showing me this as well, very helpful!):

```
$ openssl s_client -connect 192.168.60.90:6080
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1

[truncated for brevity]

No client certificate CA names sent
---
SSL handshake has read 1546 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: [omitted]
    Session-ID-ctx:
    Master-Key: [omitted]
    Key-Arg   : None
    Start Time: 1429718376
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
```

It says it's not able to verify it, but it's actually connecting, I'm not sure what behavior to expect from webvirtmgr-novnc from this. The cert is issued from a trusted source.

My connection is still dropping, and I am getting this again:

```
  2: handler exception: WSRequestHandler instance has no attribute 'last_code'
```

This kind of brings me full circle though, as I tried to apply the crt files from the client server on the hypervisor, to allow novnc to connect over SSL. Do you have any recommendations?

Just a note, I am changing the ssl_only=False to true, to force SSL. If this is problematic, please let me know.

Another note, my key, if converted with openssl rsa will end up in ==, but converting my .crt to .pem with openssl x509 does not result in the same outcome. If I paste these outputs together, I get similar errors to my initial error from webvirtmgr-novnc. If you find this problematic, can you explain your process of converting the SSL?

These are the commands I've tried:

```
openssl rsa -in ./my.key -out ./key.pem -outform PEM
openssl x509 -in ./my.crt -out ./crt.pem -outform PEM
cat ./key.pem > ./cert.pem
cat ./crt.pem >> ./cert.pem
```

This results in the _ssl.c:365: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM type issues. Alternatively, what I've done to resolve the errors is this:

```
cat ./my.key > ./cert.pem
cat ./my.crt >> ./cert.pem
```

We can ignore perms issues, as I'm running webvirtmgr as root to test, and it's owned by nginx/644.


@goshlanguage commented on GitHub (Apr 22, 2015):

The more I look into it, the more I suspect the cert isn't associated with a known CA. I'll try a different SSL provider shortly and see if this resolves the issue.


@brenard commented on GitHub (Apr 22, 2015):

@RyanHartje: You're right, it's a CA certificate problem:

```
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
```

You have to put your CA chain certificate(s) in the cert.pem file as explained here:

https://docs.python.org/dev/library/ssl.html#certificate-chains

Your private key must be at the top of the file, your certificate in second position, and after that put the CA chain certificate(s). I just tried with this kind of cert.pem file and it works well. After that, if you use the openssl s_client command to connect to the webvirtmgr-console script, you can see that more than one certificate is provided.

Example:

```
~$ openssl s_client -connect 127.0.0.1:6080
CONNECTED(00000003)
[...]
---
Certificate chain
 0 s:/C=FR/ST=Ile de France/L=Paris/O=Easter-eggs/CN=*.aconit.easter-eggs.fr/emailAddress=admin@easter-eggs.com
   i:/C=FR/O=Easter-eggs/OU=Certification services/CN=Easter-eggs Root CA/emailAddress=admin@easter-eggs.com
 1 s:/C=FR/O=Easter-eggs/OU=Certification services/CN=Easter-eggs Root CA/emailAddress=admin@easter-eggs.com
   i:/C=FR/O=Easter-eggs/OU=Certification services/CN=Easter-eggs Root CA/emailAddress=admin@easter-eggs.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=FR/ST=Ile de France/L=Paris/O=Easter-eggs/CN=*.aconit.easter-eggs.fr/emailAddress=admin@easter-eggs.com
issuer=/C=FR/O=Easter-eggs/OU=Certification services/CN=Easter-eggs Root CA/emailAddress=admin@easter-eggs.com
```
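
An added example, not part of the thread or of WebVirtMgr's code: a stdlib-only Python check of a combined PEM file against the layout described in the comment above (private key first, server certificate second, CA chain after). It also flags a passphrase-protected key and a file mode that lets other users read the key; `lint_bundle`, `lint_file`, `make_pem` and the sample blocks are names constructed for this illustration, and the check is structural only (it does not verify that the key matches the certificate).

```python
import base64
import binascii
import os
import re
import stat

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def lint_bundle(text):
    """Check a combined key + certificate PEM file; return (errors, warnings)."""
    errors, warnings = [], []
    blocks = [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]
    if not blocks:
        return ["no PEM blocks found (empty, DER-encoded or truncated file?)"], []

    for pos, (label, body) in enumerate(blocks):
        # Traditional encrypted keys carry a Proc-Type header inside the block.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            errors.append("block %d: private key is passphrase-protected" % pos)
            continue
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            errors.append("block %d (%s): body is not valid base64" % (pos, label))

    labels = [label for label, _ in blocks]
    keys = [i for i, label in enumerate(labels) if label in KEY_LABELS]
    certs = [i for i, label in enumerate(labels) if label == "CERTIFICATE"]
    for label in labels:
        if label not in KEY_LABELS and label != "CERTIFICATE":
            errors.append("unexpected block type: %s" % label)
    if len(keys) != 1:
        errors.append("expected exactly one private key, found %d" % len(keys))
    elif keys[0] != 0:
        errors.append(
            "private key must be the first block, found at position %d" % keys[0])
    if not certs:
        errors.append("no certificate found")
    elif len(certs) == 1:
        warnings.append("only one certificate present: no CA chain will be sent")
    return errors, warnings


def lint_file(path):
    """Run lint_bundle on a file and also flag a permissive mode on it."""
    with open(path, "rb") as fh:
        errors, warnings = lint_bundle(fh.read().decode("latin-1"))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o044:
        warnings.append("mode %o lets group/other read the private key" % mode)
    return errors, warnings


def make_pem(label, payload):
    """Build a syntactically valid PEM block around arbitrary bytes."""
    body = base64.b64encode(payload).decode("ascii")
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed sample blocks: placeholders, not real key or certificate material.
SAMPLE_KEY = make_pem("PRIVATE KEY", b"constructed placeholder, not a real key")
SAMPLE_LEAF = make_pem("CERTIFICATE", b"constructed server certificate placeholder")
SAMPLE_CA = make_pem("CERTIFICATE", b"constructed CA certificate placeholder")

if __name__ == "__main__":
    for name, text in [("key+cert+chain", SAMPLE_KEY + SAMPLE_LEAF + SAMPLE_CA),
                       ("key+cert", SAMPLE_KEY + SAMPLE_LEAF),
                       ("cert before key", SAMPLE_LEAF + SAMPLE_KEY + SAMPLE_CA)]:
        print(name, lint_bundle(text))
```
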

@goshlanguage commented on GitHub (Apr 22, 2015):

Great! Thank you for this help! I now have the cert working great! Although novnc still doesn't work, I think it's from a modification I am testing:

```
# /usr/bin/python /var/www/webvirtmgr/console/webvirtmgr-console
WARNING:root:No local_settings file found.
WebSocket server settings:
  - Listen on 0.0.0.0:6080
  - Flash security policy server
  - SSL/TLS support
  - Deny non-SSL/TLS connections
  - proxying from 0.0.0.0:6080 to ignore:ignore

  2: handler exception: WSRequestHandler instance has no attribute 'last_code'
```

I know its out of scope at this point, but do you have any further ideas for how to troubleshoot this issue? The cert is certainly correct now:

```
# openssl s_client -connect 192.168.60.90:6080
CONNECTED(00000003)
[...]
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
---
Server certificate
[...]
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
```

As you see, the cert is correct, but I'm still getting the last_code issue. I appreciate any advice you might have.

Thanks again for all your help.
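
Added example, not part of the thread or the project's code: a small Python check that reads the `Certificate chain` section of `openssl s_client` output and reports where a certificate is not immediately followed by its issuer, which is the order TLS 1.2 (RFC 5246) requires a server to send. The sample input is constructed from the chain lines quoted in the comment above, and the function names are hypothetical.

```python
import re

# Constructed sample: the "Certificate chain" lines from the s_client output above.
SAMPLE = """\
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
---
"""

# One chain entry is a numbered "s:" (subject) line followed by an "i:" (issuer) line.
ENTRY = re.compile(r"^ *(\d+) s:(.+)\n +i:(.+)$", re.MULTILINE)

def parse_chain(text):
    """Return [(position, subject, issuer), ...] in the order the server sent them."""
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY.findall(text)]

def check_order(chain):
    """Return (position, expected_issuer) for each cert not followed by its issuer."""
    problems = []
    for (pos, subject, issuer), nxt in zip(chain, chain[1:] + [None]):
        if subject == issuer or nxt is None:
            continue  # self-signed root, or last cert (issuer lives in the trust store)
        if nxt[1] != issuer:
            problems.append((pos, issuer))
    return problems

def suggest_order(chain):
    """Positions reordered leaf-first by following issuer -> subject links."""
    by_subject = {s: (d, s, i) for d, s, i in chain}
    ordered, cur = [], chain[0]
    while cur and cur not in ordered:
        ordered.append(cur)
        cur = by_subject.get(cur[2]) if cur[1] != cur[2] else None
    return [d for d, _, _ in ordered]

if __name__ == "__main__":
    chain = parse_chain(SAMPLE)
    for pos, issuer in check_order(chain):
        print("cert %d is not followed by its issuer: %s" % (pos, issuer))
    print("issuer-linked order:", suggest_order(chain))
```

Many TLS clients rebuild the path themselves and accept an out-of-order chain, but stricter ones may not, so the bundle is best written in issuer-linked order.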


@brenard commented on GitHub (Apr 22, 2015):

Great! For your problem, you are not the first with this last_code error. After some searching, I found that it could only happen if you are using the Nova novnc python lib. Personally, I'm using the lib from the websockify package (from the Debian Jessie websockify package) and I don't have this error. Could you try to install the websockify package? Webvirtmgr will first try to use this lib. If you don't use Debian, you could install the websockify package by using the command:

```
pip install websockify
```

@goshlanguage commented on GitHub (Apr 22, 2015):

I use websockify:

```
# pip install websockify
Requirement already satisfied (use --upgrade to upgrade): websockify in /usr/lib/python2.7/site-packages
Cleaning up...
```

Is it possible it's old? I'm on CentOS 7:
websockify (0.5.1)

I upgraded it to 0.6.0 but webvirtmgr-console no longer starts up.


@brenard commented on GitHub (Apr 22, 2015):

Furthermore, I'm working on a patch that permits (among other things) passing parameters to webvirtmgr-console, in particular the -d parameter to enable debug. This could be helpful to understand your problem. I also fixed a problem when using SPICE console over HTTPS.

You could get this patch on my fork : https://github.com/brenard/webvirtmgr


@brenard commented on GitHub (Apr 22, 2015):

It's not the latest version; version 0.6.0 is available and I'm using it: https://pypi.python.org/pypi/websockify

You could try to upgrade.


@johnerramirez commented on GitHub (Oct 15, 2015):

I'm also having the same error.
I already updated with git pull.

What I can see is that there is no file
console/webvirtmg-novnc script.

Please explain clearly what the solution is.


@pitachx commented on GitHub (Nov 2, 2015):

Change all webvirtmg-novnc to webvirtmg-console in /etc/supervisor/conf.d/webvirtmgr.conf and restart supervisor (works fine on Debian 7)
