
Re: Trying to debug VMware console connection block




On Sat, 2010-04-10 at 21:00 -0400, Nathaniel R. Reindl wrote:
On Sat, Apr 10, 2010 at 8:47 PM, Robert G. (Doc) Savage
<dsavage@peaknet.net> wrote:
> Looks rather like the output of 'iptables -L -v', doesn't it?

In a sense, yes, but I'm asking for this specifically to see if
iptables is actually acknowledging any parameters that wouldn't show
up by way of `iptables -L -v`.  It doesn't look to be the case.

Have you confirmed yet that you have something that matches
127.0.0.1:8333 when you examine the output from `netstat -l -Ainet`?
If so, try beating against the thing with cURL or similar to see if
it's the HTTP side of the world causing you this grief.  Something
like `curl -v http://127.0.0.1:8333/` or `curl --trace-ascii -
http://127.0.0.1:8333/` might work.

Nate,

Now comes the fun part. VMware's console connection to port 8333 is https; its http connections are supposed to use port 8222.

First, curl for the https port: See https-attach-1.txt

Following this advisory I add the -k option: See https-attach-1k.txt

The http case has no certificate problem, but it still fusses about Javascript: See http-attach-1.txt

Interestingly enough, I can actually connect to the console user interface with http://127.0.0.1:8222. That's not quite the same as being able to access any of the installed virtual machines. After combing through the wreckage for the last hour I think I've found and fixed most of the configuration loose ends. I can connect to the Windows XP virtual machine that has my last year's TurboTax files, but not using the https console. The patient is alive, but not yet ready to run the 100 meters.

--Doc


# curl -v https://127.0.0.1:8333
* About to connect() to 127.0.0.1 port 8333
*   Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 8333
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS alert, Server hello (2):
SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). The default
 bundle is named curl-ca-bundle.crt; you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
# curl -k -v https://127.0.0.1:8333
* About to connect() to 127.0.0.1 port 8333
*   Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 8333
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Request CERT (13):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:
*        subject: /C=US/ST=California/L=Palo Alto/O=VMware, Inc./OU=VMware Management Interface/CN=lion.protogeek.org/unstructuredName=(1266932935),(564d7761726520496e632e)/emailAddress=ssl-certificates@vmware.com
*        start date: 2010-02-23 13:48:55 GMT
*        expire date: 2023-11-02 13:48:55 GMT
*        common name: lion.protogeek.org (does not match '127.0.0.1')
*        issuer: /C=US/ST=California/L=Palo Alto/O=VMware, Inc./OU=VMware Management Interface/CN=lion.protogeek.org/unstructuredName=(1266932935),(564d7761726520496e632e)/emailAddress=ssl-certificates@vmware.com
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: 127.0.0.1:8333
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Sun, 11 Apr 2010 01:18:50 GMT
< Content-Type: text/html
< Content-Length: 1833
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta name="description" content="VMware Server is virtual infrastructure software for partitioning, consolidating, and managing computer systems. VMware Server provides a virtual machine platform, which can be managed by VMware VirtualCenter Server.">

<title>VMware Server 2</title>

<script>
onload = function () {
   document.location.replace('/ui/');
};
</script>

<style type="text/css">
body {
   background: #fff;
   color: #000;
   font:11px/14px Verdana, Bitstream Vera Sans, sans-serif;
}

a:link {
   color:#06f;
   text-decoration:none;
}

a:visited {
   color:#06f;
   text-decoration:none;
}

a:hover {
   color:#f90;
   text-decoration:none;
}

div.Message {
   position: relative;
   margin: auto;
   margin-top: 44px;
   width: 362px;
}

img.MessageIcon {
   position: absolute;
   left: -44px;
   top: 0px;
}

p.MessageSubject, p.MessageBody {
   margin-top: 2px;
   margin-bottom: 10px;
}

p.MessageSubject {
   font-weight: bold;
}

ul.CommandLinks {
   padding-left: 0px;
   margin-top: 2px;
   margin-bottom: 10px;
   margin-left: 0px;
   list-style: none;
}

ul.CommandLinks li a.Command {
   font-weight: normal;
}
</style>
</head>

<body>
<noscript>
   <div class="Message">
      <img class="MessageIcon" src="error-32x32.png" alt="Error" />

      <p class="MessageSubject">VMware Infrastructure Web Access will not work unless your browser supports JavaScript.</p>

      <p class="MessageBody">Please ensure that you are using a compatible browser and that JavaScript is enabled.</p>

      <ul class="CommandLinks"><li><a class="Command" href="index.html">Try Again</a></li></ul>
   </div>
</noscript>
</body>
</html>
* Connection #0 to host 127.0.0.1 left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
Title: VMware Server 2
# curl -k http://127.0.0.1:8222
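
Added example, not part of the original post: a shell triage of the `curl -k -v` trace above. It reports the three conditions visible in that trace (issuer equal to subject, certificate name not matching the URL host, verification switched off) and builds a curl command that trusts a saved copy of the server certificate instead of using -k. The trace is a constructed excerpt of the output above in that curl version's format; the file name vmware-console.pem and the function names are assumptions, and --resolve needs a newer curl than the 7.15.5 shown.

```shell
#!/bin/sh
# Added example (not from the original post): triage a `curl -k -v` trace.
# The sample trace is constructed from the lines in the post, subject shortened.

sample_trace() {
cat <<'EOF'
* Server certificate:
*        subject: /O=VMware, Inc./CN=lion.protogeek.org
*        common name: lion.protogeek.org (does not match '127.0.0.1')
*        issuer: /O=VMware, Inc./CN=lion.protogeek.org
* SSL certificate verify result: self signed certificate (18), continuing anyway.
EOF
}

# Print the text after "<label>:" on the first trace line that carries it.
field() {
    sed -n "s/^\*[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Read a trace on stdin and print one finding per line.
triage() {
    trace=$(cat)
    subject=$(printf '%s\n' "$trace" | field subject)
    issuer=$(printf '%s\n' "$trace" | field issuer)
    cn_line=$(printf '%s\n' "$trace" | field 'common name')
    # Subject equal to issuer: no CA in the bundle can vouch for this cert.
    if [ -n "$subject" ] && [ "$subject" = "$issuer" ]; then echo "self-signed"; fi
    # curl compares the certificate name with the host in the URL.
    case $cn_line in
        *"does not match"*) echo "name-mismatch cn=${cn_line%% *}" ;;
    esac
    # -k was in effect: the session went ahead with an unauthenticated peer.
    case $trace in
        *"continuing anyway"*) echo "verification-disabled" ;;
    esac
    return 0
}

# Build a curl command that trusts only a saved copy of the server certificate
# (hypothetical file name) and maps the certificate's name to the local address.
pinned_curl() {  # $1 = certificate CN, $2 = address, $3 = port
    echo "curl --cacert vmware-console.pem --resolve $1:$3:$2 https://$1:$3/"
}

sample_trace | triage
pinned_curl lion.protogeek.org 127.0.0.1 8333
```

The saved certificate should be copied from the server's own certificate file rather than taken from an unverified connection, so that the pin reflects what the host actually installed.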
