[GH-ISSUE #557] https breaking vnc #418

Closed
opened 2026-02-27 16:39:14 +03:00 by kerem · 3 comments

Originally created by @masau on GitHub (May 19, 2015).
Original GitHub issue: https://github.com/retspen/webvirtmgr/issues/557

I can't get vnc over https working. Running on Arch Linux.

My nginx server config:

```nginx
server {
#    listen 80 default_server;

    listen 443 ssl;
    server_name localhost;

    ssl_certificate cert.crt;
    ssl_certificate_key cert.key;

    server_name $hostname;
    #access_log /var/log/nginx/webvirtmgr_access_log;

    location /static/ {
        root /usr/lib/webvirtmgr/webvirtmgr; # or /srv instead of /var
        expires max;
    }

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
#        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Forwarded-Proto $scheme; # must carry the scheme (https), not $remote_addr
        proxy_connect_timeout 600;
        proxy_read_timeout 600;
        proxy_send_timeout 600;
        client_max_body_size 1024M; # Set higher depending on your needs
    }
}
```

cert.pem location

```
ls /usr/lib/webvirtmgr/webvirtmgr/local/cert.pem
/usr/lib/webvirtmgr/webvirtmgr/local/cert.pem
```

webvirtmgr-console output

```
python2 ./webvirtmgr-console -d -c /usr/lib/webvirtmgr/webvirtmgr/local/cert.pem
2015-05-19 04:52:26,676 - websocket.type - INFO : WebSocket server settings:
2015-05-19 04:52:26,677 - websocket.type - INFO :   - Listen on 0.0.0.0:6080
2015-05-19 04:52:26,677 - websocket.type - INFO :   - Flash security policy server
2015-05-19 04:52:26,677 - websocket.type - INFO :   - SSL/TLS support
2015-05-19 04:52:26,677 - websocket.type - INFO :   - proxying from 0.0.0.0:6080 to ignore:ignore
2015-05-19 04:52:36,005 - websocket.type - DEBUG : 192.168.41.17: new handler Process
2015-05-19 04:52:36,027 - websocket.type - INFO : handler exception: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:1750)
2015-05-19 04:52:36,028 - websocket.type - DEBUG : exception
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 874, in top_new_client
    client = self.do_handshake(startsock, address)
  File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 809, in do_handshake
    self.RequestHandlerClass(retsock, address, self)
  File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 112, in __init__
    SimpleHTTPRequestHandler.__init__(self, req, addr, server)
  File "/usr/lib/python2.7/SocketServer.py", line 655, in __init__
    self.handle()
  File "/usr/lib/python2.7/site-packages/websockify/websocket.py", line 540, in handle
    SimpleHTTPRequestHandler.handle(self)
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle
    self.handle_one_request()
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 310, in handle_one_request
    self.raw_requestline = self.rfile.readline(65537)
  File "/usr/lib/python2.7/socket.py", line 476, in readline
    data = self._sock.recv(self._rbufsize)
  File "/usr/lib/python2.7/ssl.py", line 714, in recv
    return self.read(buflen)
  File "/usr/lib/python2.7/ssl.py", line 608, in read
    v = self._sslobj.read(len or 1024)
SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:1750)
2015-05-19 04:52:36,032 - websocket.type - DEBUG : Reaing zombies, active child count is 0
2015-05-19 04:52:36,033 - websocket.type - DEBUG : Ignoring interrupted syscall
^C2015-05-19 04:52:50,065 - websocket.type - INFO : Got SIGINT, exiting
2015-05-19 04:52:50,065 - websocket.type - INFO : In exit
2015-05-19 04:52:50,066 - websocket.type - DEBUG : Closing socket listening at 0.0.0.0:6080
```

When I open a console in the browser, I just get "Server disconnected (code: 1006)"

When I disable ssl in nginx vnc works fine.

kerem closed this issue 2026-02-27 16:39:14 +03:00
@brenard commented on GitHub (May 24, 2015):

Hi,

Your certificate seems not to be recognized by your local installation of CA certificates. Which kind of certificate are you using? If it's issued by a valid CA, I mean you have to put the CA certificate chain in your cert.pem file according to the documentation:

https://github.com/retspen/webvirtmgr/wiki/Console#encrypted-and-unencrypted-connections
https://docs.python.org/dev/library/ssl.html#certificate-chains

Furthermore, could you tell us which is your certificate's subject? In this question (http://stackoverflow.com/questions/29243042/unable-to-get-ssl-working-on-tornado), the same error is returned by Python because the user generated his certificate with the IP address instead of the FQDN of his host as subject.
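An added example (not from this thread or the webvirtmgr project) of checking the two things the comment above asks for: that the cert.pem handed to `webvirtmgr-console -c` chains to a CA the client trusts, and that its subject is the FQDN the console will be reached at rather than an IP address. It builds a throwaway CA and leaf with openssl; the name webvirt.example.com and the IP used as a wrong subject are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the issue or from webvirtmgr. Requires openssl
# (1.1.0 or newer for -verify_hostname). All names here are constructed.
set -e

# check_console_cert SUBJECT EXPECTED_FQDN
# Builds ca.crt, a leaf cert for SUBJECT, and cert.pem = leaf + CA chain
# (the layout python's ssl module expects, as linked in the thread).
# Returns 0 when cert.pem verifies against the CA *and* matches
# EXPECTED_FQDN, 1 otherwise (e.g. a cert issued for an IP address).
check_console_cert() {
    subject="$1"
    fqdn="$2"
    work="$(mktemp -d)"
    # Throwaway CA. In real use this is the CA already trusted by the
    # browser, which is what the reporter ended up doing.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$work/ca.key" -out "$work/ca.crt" \
        -subj "/CN=Test CA" >/dev/null 2>&1
    # Leaf key and CSR for the console host.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$work/console.key" -out "$work/console.csr" \
        -subj "/CN=$subject" >/dev/null 2>&1
    # Browsers and python match the SAN, so the name goes there as well.
    printf 'subjectAltName=DNS:%s\n' "$subject" > "$work/san.cnf"
    openssl x509 -req -days 1 -in "$work/console.csr" \
        -CA "$work/ca.crt" -CAkey "$work/ca.key" -CAcreateserial \
        -extfile "$work/san.cnf" -out "$work/console.crt" >/dev/null 2>&1
    # cert.pem for webvirtmgr-console -c: leaf first, then the CA chain.
    cat "$work/console.crt" "$work/ca.crt" > "$work/cert.pem"
    # Chain check plus hostname check against the FQDN users will type.
    if openssl verify -CAfile "$work/ca.crt" -verify_hostname "$fqdn" \
        "$work/cert.pem" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}
```

Against a real deployment, run only the `openssl verify` line with `-CAfile` pointing at the CA the browser trusts and the FQDN of the host; a non-zero exit is the same condition websockify reports as `TLSV1_ALERT_UNKNOWN_CA`.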

@masau commented on GitHub (May 25, 2015):

I had been using a self-signed certificate. I finally got around to setting up a self-signed CA and adding it to my browser. It's working w/ a cert signed by my CA server now.

@brenard commented on GitHub (May 26, 2015):

Ok, it's a better way. Could you please close this issue?
