403 Permission check failed (permission denied - invalid PVEVNC ticket)

U

unixpert

Member
Nov 4, 2011
22
0
21
Hello all forum,

I have cluster proxmox with CEPH. I am doing a NOVNC function, but have some errors.

Debug:

$response = $pve2->post("/nodes/host001/qemu/26252625/vncproxy",$parameters);

--> POST HTTP/1.1 200 OK Cache-Control: max-age=0 Connection: close Connection: Keep-Alive Date: Thu, 13 Apr 2017 07:09:17 GMT Pragma: no-cache Server: pve-api-daemon/3.0 Content-Length: 2588 Content-Type: application/json;charset=UTF-8 Expires: Thu, 13 Apr 2017 07:09:17 GMT {"data":{"ticket":"PVEVNC:58EF241D::rsuSry0AsciSoPT2lC6Y6qjagMyReADGdUBUHTvBQUeMTePRjpiJWi3F0sHlDKS4Fe+71g40AQGnJTv3ID0+jhbkwgXLJLpwt6OS1brk+ZEvBmlHGe4WjOwDNNEX2QQHxLhF+PTu1IEZ/ANr6uQBBwXuyUZcsP1caNu3Sv47BMFdJdBeBUb/qwcU49wyeTpD317s41OiVgqsiCKhO1Nj9rNEyr8+wVNjAE2MKP2dVjr2yOBygpw8jl2SFeEeblEwZo+kgZ/YgPazp+FUTW1l24kD7iRdBNlRge5jIIM27ETYH3d5P+CTc9S7nSnPaxoy6lvVDk/dkGGzNjTvEPT9Jw==","cert":"-----BEGIN CERTIFICATE-----\nMIIFvzCCA6egAwIBAgIJAMe30FITxpIrMA0GCSqGSIb3DQEBCwUAMHYxJDAiBgNV\nBAMMG1Byb3htb3ggVmlydHVhbCBFbnZpcm9ubWVudDEtMCsGA1UECwwkMjlkOWY0\nYTYtOWI2MS00MzliLWIwMDAtYWIzNDJjOTlhMmQ1MR8wHQYDVQQKDBZQVkUgQ2x1\nc3RlciBNYW5hZ2VyIENBMB4XDTE3MDMwODA2NDQwN1oXDTI3MDMwNjA2NDQwN1ow\ndjEkMCIGA1UEAwwbUHJveG1veCBWaXJ0dWFsIEVudmlyb25tZW50MS0wKwYDVQQL\nDCQyOWQ5ZjRhNi05YjYxLTQzOWItYjAwMC1hYjM0MmM5OWEyZDUxHzAdBgNVBAoM\nFlBWRSBDbHVzdGVyIE1hbmFnZXIgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw\nggIKAoICAQCrX4yqm6kCeSzIWhr2727a259QbLnowjrgVthM3zLaV/ZEr5zXCoWz\nYupiZ9LqBLmflzc6oeeqM35cCqHwQNKwnOoE6b/FjZr29395lbUXjvfMNzUUd+eN\noHrCEn97i7cjXijcg10IgcGnsmcTt0S6f1Vu1P5CFS1Ni6aUo0V7eiVTyg9jrNH/\n5fetmmoivKkpI7prd7n15I9ZhEGUAjESHOaxTdZnhupB6Fu3AWBvDo8aqysq4if8\nlcOSzFS/Rs11YjZ6iKwBw54BDqvGtiuwJrQEbNwxVuH3FphE38y9XY0hC23VaXcG\nil5onwOFJNG80xqm5Bxm+428Eq+aaWx512/YoGhCnMGmKyEij87pbdSWR/1hx6dy\nOLNAUm0DnhqpoytDn7887MspjanOGmHPnSlNisF5RJKxfx9v7EM3mWplAmlYQS7A\n5fig48GcXYpOJr1rxpmeuabtDCMPXHkzJd/FMY4H1gxn9gWJkCg8ftq/HmDT8b4c\n4No/w6MLx2gLsvuylra5icQ8sRfkcuF0+u8SN0gTcx2znHk2OWoCI7A8a2QhssBg\n85hqsTjAazdDP2nTpxNX2N4VllJOkPOYZUNOFroGjCjcX/l3bGOMlabuNto79UVm\nR9mAbgykwcbnAZjtKeUEUVxAYTkg1xoK1fcz3enj8gwA49BCcXZRkQIDAQABo1Aw\nTjAdBgNVHQ4EFgQUNViEpWi40r3h9+ibusoM6JpOc4swHwYDVR0jBBgwFoAUNViE\npWi40r3h9+ibusoM6JpOc4swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC\nAgEAUkSwSSyu7/ylKuX5EpueMxdW0wSewT5yPBXuaSq444wM6TatKlP0t4+GxI9m\nhuxPVH6Xt2/Vl//+daOp5MftZQ9C1gvo8ICTSdtPD/H2oVBnfn2MHSGiFaJC4GbA\nBME1lMwUNNZfJi/1eVlmn+4j71A5SUIypS9XuqyrlmxBAyDXN/wncw8MAKaPkzWK\nXrEkJIJa8CHZon4y3Eok27r3Wo3RsmXSo/amr0MvGRFibk9JjGfbhNKU18ASwF0Q\nDXFFwirYzMOO9bOZTsmRevieJne69jPrnmadSAGDiH3KGPI2gFN4PaZahCSwISYo\nhflpNWfVv9Dz5M5NJmB0U7GB/wfwL1SIc4ZTNlYJ85IcJFnA2Y2k63coYq2sVHBc\nm7pHHzkklqlWI6eqbc5mhFyOoyX447BlRLSuTE7keEMLMFKYfBP3890ifSF4KHAG\nDpi+dAFpCP+TD6nh0i9JSJtzTysEzuqllkzPn1sC2tukR0vAkVbNqC7jncKTm6ID\nfliSo82AJ/tdU3Cn6WgqTIorBu5YE4lgxhvuzB3HJwha0dEhUxFCYY2sakQj4+Z1\nz2zp/bgr7Di2hgpHulrJ4QY124pLITmFzlDUvNgpHzh6y16B/B16sj7eqdtYPdN+\nN+hFzh4y0mJQ4NFE6W6kiwRY4FfStl7kE989BBinPIWdb6E=\n-----END CERTIFICATE-----\n","upid":"UPID:host001:00003B5B:055A3CED:58EF241D:vncproxy:26252625:root@pam:","user":"root@pam","port":"5900"}}

$string="/nodes/host001/qemu/26252625/vncwebsocket?port=".$response["port"]."&vncticket=".$response["ticket"];
$pr = $pve2->get($string);

--> GET HTTP/1.1 403 Permission check failed (permission denied - invalid PVEVNC ticket) Cache-Control: max-age=0 Connection: close Date: Thu, 13 Apr 2017 07:09:17 GMT Pragma: no-cache Server: pve-api-daemon/3.0 Content-Length: 13 Content-Type: application/json;charset=UTF-8 Expires: Thu, 13 Apr 2017 07:09:17 GMT {"data":null}
bool(false)

Can anyone help me ?

Thanks.
 
have you verified that $response["ticket"] has the correct value?
i do not know what api client you use but this would be my first point to start
 
  • Like
Reactions: unixpert
dcsapak said:
have you verified that $response["ticket"] has the correct value?
i do not know what api client you use but this would be my first point to start
Click to expand...

As debug, my $response["ticket"] is

PVEVNC:58EF241D::rsuSry0AsciSoPT2lC6Y6qjagMyReADGdUBUHTvBQUeMTePRjpiJWi3F0sHlDKS4Fe+71g40AQGnJTv3ID0+jhbkwgXLJLpwt6OS1brk+ZEvBmlHGe4WjOwDNNEX2QQHxLhF+PTu1IEZ/ANr6uQBBwXuyUZcsP1caNu3Sv47BMFdJdBeBUb/qwcU49wyeTpD317s41OiVgqsiCKhO1Nj9rNEyr8+wVNjAE2MKP2dVjr2yOBygpw8jl2SFeEeblEwZo+kgZ/YgPazp+FUTW1l24kD7iRdBNlRge5jIIM27ETYH3d5P+CTc9S7nSnPaxoy6lvVDk/dkGGzNjTvEPT9Jw==

i am using pve2_api.class.php.

https://github.com/CpuID/pve2-api-php-client/blob/master/pve2_api.class.php

My algorithm is as follows:

- I use vncproxy API to get Port & Ticket. (http://pve.proxmox.com/pve-docs/api-viewer/index.html)
- Transfering port & ticket via vncwebsocket

But vncwebsocket not recieved Ticket.


Can you show me my errors ?

Thanks.
 
Last edited:
what exactly is the point of this? i dont think the vncwebsocket call is suited for getting it in this way since this should be called as a secure websocket, not as a http get request
 
dcsapak said:
what exactly is the point of this? i dont think the vncwebsocket call is suited for getting it in this way since this should be called as a secure websocket, not as a http get request
Click to expand...

Sorry, my English is not good.

I would please explain again as below:

I am trying to connect to VNC via noVNC using proxmox API (locally, not using console in proxmox web panel) .
I made POST request to /api2/json/nodes/{node}/qemu/{vmid}/vncproxy to get vncticket and port. Then, i passed vncticket and given port to GET /api2/json/nodes/{node}/qemu/{vmid}/vncwebsocketbut instead of websocket, it always returns null.{"data":null}

How can i get websocket port so that i can connect to my VNC from anywhere using noVNC (and not by logging into Proxmox web-based panel)

Thanks so much.
 
Hello,

I am trying to achieve the same thing as you do - I downloaded noVNC on my local computer. I use API calls vncproxy and vncwebsocket, which are successful - I get the port and ticket values. In the VNC (on my PC) screen I use the following settings:

Encrypt: checked
Host: my.server.eu
Port: 8006
Path: api2/json/nodes/s02/qemu/105/vncwebsocket?port=5904&vncticket=PVEVNC:58F1D2D6::oFP....

What I get is an error message: Failed when connecting: Failed to connect to server ( (code: 1006))
and if I try the same values a bit later, I get: [HTTP/1.1 500 permission denied - invalid vnc ticket 32ms]

In the Console I see that the PVEAuthCookie is set in the request.

could someone advise how to achieve a remote noVNC connection?
 
The port itself is reachable:

[root@localhost ~]# telnet x.x.x.x 5904
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
RFB 003.008

In the noVNC settings I am using port 8006 though - is that correct?

I see this in the Firefox Console:

unreachable code after return statement babel-worker.js:13014
unreachable code after return statement babel-worker.js:13026
Data URI scheme cursor supported browsers.js!transpiled:112:29
unreachable code after return statement babel-worker.js:43349:1
>> RFB.constructor rfb.js!transpiled:143:9
>> Display.constructor display.js!transpiled:31:9
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 display.js!transpiled:59:9
Browser: gecko 19 display.js!transpiled:61:13
Setting viewport to full display region display.js!transpiled:178:25
<< Display.constructor display.js!transpiled:92:9
>> Keyboard.allKeysUp devices.js!transpiled:108:21
<< Keyboard.allKeysUp devices.js!transpiled:110:21
Using native WebSockets, render mode: canvas rendering rfb.js!transpiled:224:9
<< RFB.constructor rfb.js!transpiled:226:9
New state 'connecting', was ''. rfb.js!transpiled:535:21
>> RFB.connect rfb.js!transpiled:384:21
connecting to wss://XXX:8006/api2/json/nodes/s02/qemu/105/vncwebsocket?port=5904&vncticket=PVEVNC:58F212D2::GHLWad5TtREIt..... rfb.js!transpiled:395:21
<< RFB.connect rfb.js!transpiled:408:21
Firefox can’t establish a connection to the server at wss://XXX:8006/api2/json/nodes/s02/qemu/105/vncwebsocket?port=5904&vncticket=PVEVNC:58F212D2::GHLWad5TtREIt.... browser-es-module-loader.js%20line%201412%20%3E%20eval:231:38
>> WebSock.onerror: [object Event] websock.js!transpiled:250:25
WebSocket on-error event rfb.js!transpiled:217:13
<< WebSock.onerror: [object Event] websock.js!transpiled:252:25
>> WebSock.onclose websock.js!transpiled:245:25
WebSocket on-close event rfb.js!transpiled:186:13
Failed when connecting: Failed to connect to server ( (code: 1006)) rfb.js!transpiled:591:29
New state 'disconnecting', was 'connecting'. rfb.js!transpiled:535:21
>> RFB.disconnect rfb.js!transpiled:412:21
>> Keyboard.allKeysUp devices.js!transpiled:108:21
<< Keyboard.allKeysUp devices.js!transpiled:110:21
Encoding stats for this connection: rfb.js!transpiled:442:21
Encoding stats since page load: rfb.js!transpiled:451:21
COPYRECT: 0 rects rfb.js!transpiled:454:25
TIGHT: 0 rects rfb.js!transpiled:454:25
TIGHT_PNG: 0 rects rfb.js!transpiled:454:25
HEXTILE: 0 rects rfb.js!transpiled:454:25
RRE: 0 rects rfb.js!transpiled:454:25
RAW: 0 rects rfb.js!transpiled:454:25
JPEG_quality_med: 0 rects rfb.js!transpiled:454:25
compress_hi: 0 rects rfb.js!transpiled:454:25
DesktopSize: 0 rects rfb.js!transpiled:454:25
last_rect: 0 rects rfb.js!transpiled:454:25
Cursor: 0 rects rfb.js!transpiled:454:25
QEMUExtendedKeyEvent: 0 rects rfb.js!transpiled:454:25
ExtendedDesktopSize: 0 rects rfb.js!transpiled:454:25
xvp: 0 rects rfb.js!transpiled:454:25
Fence: 0 rects rfb.js!transpiled:454:25
ContinuousUpdates: 0 rects rfb.js!transpiled:454:25
<< RFB.disconnect rfb.js!transpiled:416:21
New state 'disconnected', was 'disconnecting'. rfb.js!transpiled:535:21
Clearing disconnect timer rfb.js!transpiled:538:25
<< WebSock.onclose
 
I have just re-install a new proxmox on local disk (not ceph). No firewall enabled on server. The result is still not change.

HTTP/1.1 403 Permission check failed (permission denied - invalid PVEVNC ticket) Cache-Control: max-age=0 Connection: close Date: Sat, 15 Apr 2017 18:12:36 GMT Pragma: no-cache Server: pve-api-daemon/3.0 Content-Length: 13 Content-Type: application/json;charset=UTF-8 Expires: Sat, 15 Apr 2017 18:12:36 GMT {"data":null}

pveversion -v
proxmox-ve: 4.4-86 (running kernel: 4.4.49-1-pve)
pve-manager: 4.4-13 (running version: 4.4-13/7ea56165)
pve-kernel-4.4.49-1-pve: 4.4.49-86
lvm2: 2.02.116-pve3
corosync-pve: 2.4.2-2~pve4+1
libqb0: 1.0.1-1
pve-cluster: 4.0-49
qemu-server: 4.0-110
pve-firmware: 1.1-11
libpve-common-perl: 4.0-94
libpve-access-control: 4.0-23
libpve-storage-perl: 4.0-76
pve-libspice-server1: 0.12.8-2
vncterm: 1.3-2
pve-docs: 4.4-4
pve-qemu-kvm: 2.7.1-4
pve-container: 1.0-97
pve-firewall: 2.0-33
pve-ha-manager: 1.0-40
ksm-control-daemon: 1.2-1
glusterfs-client: 3.5.2-2+deb8u3
lxc-pve: 2.0.7-4
lxcfs: 2.0.6-pve1
criu: 1.6.0-1
novnc-pve: 0.5-9
smartmontools: 6.5+svn4324-1~pve80
 
Michal_cz said:
Encrypt: checked
Host: my.server.eu
Port: 8006
Path: api2/json/nodes/s02/qemu/105/vncwebsocket?port=5904&vncticket=PVEVNC:58F1D2D6::eek:FP....
Click to expand...

this is the way to go, no clue as why this does not work, do you see anything in the novnc or server logs?

@unixpert you cannot open the vncwebsocket url with a simple http GET request, this is special websocket url according to the websocket protocol

using the results from the vncproxy call in novnc like @Michal_cz did should work... we do not do anything else in our novnc client
 
Michal_cz said:
What I get is an error message: Failed when connecting: Failed to connect to server ( (code: 1006))
and if I try the same values a bit later, I get: [HTTP/1.1 500 permission denied - invalid vnc ticket 32ms]

In the Console I see that the PVEAuthCookie is set in the request.

could someone advise how to achieve a remote noVNC connection?
Click to expand...


This is exactly where I am stuck too.
It looks like the server only waits 10 seconds for a connection.


If I start a telnet session within 10 seconds I get a connection:
Code: 
# telnet a.b.c.d 5900
Trying a.b.c.d...
Connected to a.b.c.d.
Escape character is '^]'.
RFB 003.008


If I click connect in the noVNC window within 10 seconds error in firefox console is:
Code: 
Firefox can’t establish a connection to the server at wss://XXX:8006/api2/json/nodes/node1/qemu/100/vncwebsocket?port=5900&vncticket=PVEVNC:5915B5...


If I wait more than 10 seconds error in firefox console is:
Code: 
HTTP/1.1 403 Permission check failed (permission denied - invalid PVEVNC ticket)


Syslog always shows only 5 lines:
Code: 
May 12 15:01:06 node1 pvedaemon[20732]: <root@pam> successful auth for user 'root@pam'
May 12 15:01:06 node1 pvedaemon[12519]: starting vnc proxy UPID:node1:000030E7:007E6365:5915B212:vncproxy:100:root@pam:
May 12 15:01:06 node1 pvedaemon[20732]: <root@pam> starting task UPID:node1:000030E7:007E6365:5915B212:vncproxy:100:root@pam:
May 12 15:01:16 node1 pvedaemon[12519]: connection timed out
May 12 15:01:16 node1 pvedaemon[20732]: <root@pam> end task UPID:node1:000030E7:007E6365:5915B212:vncproxy:100:root@pam: connection timed out


Did you ever find a solution?
 
So after a day of debugging I solved my remote VNC problem.

PVE version: pve-manager/4.2-2/725d76f0 (running kernel: 4.4.6-1-pve)

So, what I do through API:

1) POST /api2/json/nodes/s02/qemu/105/vncproxy
- this should work fine. Received values are [port, cert, upid, user, ticket]

2) GET api2/json/nodes/s02/qemu/105/vncwebsocket
- this shouldn't be called from your script, it is called directly by novnc

I used http://novnc.com to eliminate possible problems on a local noVNC installation

Code: 
$server = 'server02.domain.eu';
$host = 's02';
$vmID = 105;

// in my script this call is done on a local class, you will need to update it to call the API directly
// returns $proxyData['ticket'] and $proxyData['port'] among other values
$proxyData = $this->post("/api2/json/nodes/$host/qemu/$vmID/vncproxy", ['websocket'=>true]);

$port = $proxyData['port'];
$ticket = $proxyData['ticket'];

// to build the link
$link = "http://novnc.com/noVNC/vnc.html?autoconnect=true&host=$server&port=$port&password=$ticket&encrypt=1&path=".urlencode("api2/json/nodes/$host/qemu/".$vmID."/vncwebsocket?port=".$port."&vncticket=".urlencode($ticket));

Yes, you have to run urlencode twice - 1st on vncticket variable and then on the whole path variable.


During my testing I received an error
Unsupported security types: 19

I checked what does telnet to given port returns from localhost:

root@s02:/usr/share# telnet localhost 5905
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
RFB 003.008

I don't know how to solve this, I used a workaround with "websocket true" in the API call.

Everything works fine now! :)

* update 13/06/2017 18:56
You have to be logged in the Proxmox web interface, other wise you will receive "No ticket" error. I'll have to see how to solve that...
 
You must log in or register to reply here.
Top Bottom