403 Permission check failed (permission denied - invalid PVEVNC ticket)

unixpert

Hello all forum,

I have a Proxmox cluster with Ceph. I am building a noVNC function, but I get some errors.

Debug:

$response = $pve2->post("/nodes/host001/qemu/26252625/vncproxy",$parameters);

--> POST HTTP/1.1 200 OK Cache-Control: max-age=0 Connection: close Connection: Keep-Alive Date: Thu, 13 Apr 2017 07:09:17 GMT Pragma: no-cache Server: pve-api-daemon/3.0 Content-Length: 2588 Content-Type: application/json;charset=UTF-8 Expires: Thu, 13 Apr 2017 07:09:17 GMT {"data":{"ticket":"PVEVNC:58EF241D::rsuSry0AsciSoPT2lC6Y6qjagMyReADGdUBUHTvBQUeMTePRjpiJWi3F0sHlDKS4Fe+71g40AQGnJTv3ID0+jhbkwgXLJLpwt6OS1brk+ZEvBmlHGe4WjOwDNNEX2QQHxLhF+PTu1IEZ/ANr6uQBBwXuyUZcsP1caNu3Sv47BMFdJdBeBUb/qwcU49wyeTpD317s41OiVgqsiCKhO1Nj9rNEyr8+wVNjAE2MKP2dVjr2yOBygpw8jl2SFeEeblEwZo+kgZ/YgPazp+FUTW1l24kD7iRdBNlRge5jIIM27ETYH3d5P+CTc9S7nSnPaxoy6lvVDk/dkGGzNjTvEPT9Jw==","cert":"-----BEGIN CERTIFICATE-----\nMIIFvzCCA6egAwIBAgIJAMe30FITxpIrMA0GCSqGSIb3DQEBCwUAMHYxJDAiBgNV\nBAMMG1Byb3htb3ggVmlydHVhbCBFbnZpcm9ubWVudDEtMCsGA1UECwwkMjlkOWY0\nYTYtOWI2MS00MzliLWIwMDAtYWIzNDJjOTlhMmQ1MR8wHQYDVQQKDBZQVkUgQ2x1\nc3RlciBNYW5hZ2VyIENBMB4XDTE3MDMwODA2NDQwN1oXDTI3MDMwNjA2NDQwN1ow\ndjEkMCIGA1UEAwwbUHJveG1veCBWaXJ0dWFsIEVudmlyb25tZW50MS0wKwYDVQQL\nDCQyOWQ5ZjRhNi05YjYxLTQzOWItYjAwMC1hYjM0MmM5OWEyZDUxHzAdBgNVBAoM\nFlBWRSBDbHVzdGVyIE1hbmFnZXIgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw\nggIKAoICAQCrX4yqm6kCeSzIWhr2727a259QbLnowjrgVthM3zLaV/ZEr5zXCoWz\nYupiZ9LqBLmflzc6oeeqM35cCqHwQNKwnOoE6b/FjZr29395lbUXjvfMNzUUd+eN\noHrCEn97i7cjXijcg10IgcGnsmcTt0S6f1Vu1P5CFS1Ni6aUo0V7eiVTyg9jrNH/\n5fetmmoivKkpI7prd7n15I9ZhEGUAjESHOaxTdZnhupB6Fu3AWBvDo8aqysq4if8\nlcOSzFS/Rs11YjZ6iKwBw54BDqvGtiuwJrQEbNwxVuH3FphE38y9XY0hC23VaXcG\nil5onwOFJNG80xqm5Bxm+428Eq+aaWx512/YoGhCnMGmKyEij87pbdSWR/1hx6dy\nOLNAUm0DnhqpoytDn7887MspjanOGmHPnSlNisF5RJKxfx9v7EM3mWplAmlYQS7A\n5fig48GcXYpOJr1rxpmeuabtDCMPXHkzJd/FMY4H1gxn9gWJkCg8ftq/HmDT8b4c\n4No/w6MLx2gLsvuylra5icQ8sRfkcuF0+u8SN0gTcx2znHk2OWoCI7A8a2QhssBg\n85hqsTjAazdDP2nTpxNX2N4VllJOkPOYZUNOFroGjCjcX/l3bGOMlabuNto79UVm\nR9mAbgykwcbnAZjtKeUEUVxAYTkg1xoK1fcz3enj8gwA49BCcXZRkQIDAQABo1Aw\nTjAdBgNVHQ4EFgQUNViEpWi40r3h9+ibusoM6JpOc4swHwYDVR0jBBgwFoAUNViE\npWi40r3h9+ibusoM6JpOc4swDAYDVR0TBAUwAwEB/zANBgkqhki
G9w0BAQsFAAOC\nAgEAUkSwSSyu7/ylKuX5EpueMxdW0wSewT5yPBXuaSq444wM6TatKlP0t4+GxI9m\nhuxPVH6Xt2/Vl//+daOp5MftZQ9C1gvo8ICTSdtPD/H2oVBnfn2MHSGiFaJC4GbA\nBME1lMwUNNZfJi/1eVlmn+4j71A5SUIypS9XuqyrlmxBAyDXN/wncw8MAKaPkzWK\nXrEkJIJa8CHZon4y3Eok27r3Wo3RsmXSo/amr0MvGRFibk9JjGfbhNKU18ASwF0Q\nDXFFwirYzMOO9bOZTsmRevieJne69jPrnmadSAGDiH3KGPI2gFN4PaZahCSwISYo\nhflpNWfVv9Dz5M5NJmB0U7GB/wfwL1SIc4ZTNlYJ85IcJFnA2Y2k63coYq2sVHBc\nm7pHHzkklqlWI6eqbc5mhFyOoyX447BlRLSuTE7keEMLMFKYfBP3890ifSF4KHAG\nDpi+dAFpCP+TD6nh0i9JSJtzTysEzuqllkzPn1sC2tukR0vAkVbNqC7jncKTm6ID\nfliSo82AJ/tdU3Cn6WgqTIorBu5YE4lgxhvuzB3HJwha0dEhUxFCYY2sakQj4+Z1\nz2zp/bgr7Di2hgpHulrJ4QY124pLITmFzlDUvNgpHzh6y16B/B16sj7eqdtYPdN+\nN+hFzh4y0mJQ4NFE6W6kiwRY4FfStl7kE989BBinPIWdb6E=\n-----END CERTIFICATE-----\n","upid":"UPID:host001:00003B5B:055A3CED:58EF241D:vncproxy:26252625:root@pam:","user":"root@pam","port":"5900"}}

$string="/nodes/host001/qemu/26252625/vncwebsocket?port=".$response["port"]."&vncticket=".$response["ticket"];
$pr = $pve2->get($string);

--> GET HTTP/1.1 403 Permission check failed (permission denied - invalid PVEVNC ticket) Cache-Control: max-age=0 Connection: close Date: Thu, 13 Apr 2017 07:09:17 GMT Pragma: no-cache Server: pve-api-daemon/3.0 Content-Length: 13 Content-Type: application/json;charset=UTF-8 Expires: Thu, 13 Apr 2017 07:09:17 GMT {"data":null}
bool(false)

Can anyone help me?

Thanks.
 
Have you verified that $response["ticket"] has the correct value?
I do not know what API client you use, but this would be my first point to start.
 

As debug, my $response["ticket"] is

PVEVNC:58EF241D::rsuSry0AsciSoPT2lC6Y6qjagMyReADGdUBUHTvBQUeMTePRjpiJWi3F0sHlDKS4Fe+71g40AQGnJTv3ID0+jhbkwgXLJLpwt6OS1brk+ZEvBmlHGe4WjOwDNNEX2QQHxLhF+PTu1IEZ/ANr6uQBBwXuyUZcsP1caNu3Sv47BMFdJdBeBUb/qwcU49wyeTpD317s41OiVgqsiCKhO1Nj9rNEyr8+wVNjAE2MKP2dVjr2yOBygpw8jl2SFeEeblEwZo+kgZ/YgPazp+FUTW1l24kD7iRdBNlRge5jIIM27ETYH3d5P+CTc9S7nSnPaxoy6lvVDk/dkGGzNjTvEPT9Jw==

I am using pve2_api.class.php.

https://github.com/CpuID/pve2-api-php-client/blob/master/pve2_api.class.php

My algorithm is as follows:

- I use the vncproxy API to get the port & ticket. (http://pve.proxmox.com/pve-docs/api-viewer/index.html)
- Transferring the port & ticket via vncwebsocket

But vncwebsocket did not receive the ticket.

Can you show me my errors?

Thanks.
 
What exactly is the point of this? I don't think the vncwebsocket call is suited for getting it in this way, since this should be called as a secure websocket, not as an HTTP GET request.
 

Sorry, my English is not good.

Let me explain again below:

I am trying to connect to VNC via noVNC using the Proxmox API (locally, not using the console in the Proxmox web panel).
I made a POST request to /api2/json/nodes/{node}/qemu/{vmid}/vncproxy to get the vncticket and port. Then I passed the vncticket and the given port to GET /api2/json/nodes/{node}/qemu/{vmid}/vncwebsocket, but instead of a websocket, it always returns null: {"data":null}

How can I get the websocket port so that I can connect to my VNC from anywhere using noVNC (and not by logging into the Proxmox web-based panel)?

Thanks so much.
 
Hello,

I am trying to achieve the same thing as you do - I downloaded noVNC on my local computer. I use API calls vncproxy and vncwebsocket, which are successful - I get the port and ticket values. In the VNC (on my PC) screen I use the following settings:

Encrypt: checked
Host: my.server.eu
Port: 8006
Path: api2/json/nodes/s02/qemu/105/vncwebsocket?port=5904&vncticket=PVEVNC:58F1D2D6::oFP....

What I get is an error message: Failed when connecting: Failed to connect to server ( (code: 1006))
and if I try the same values a bit later, I get: [HTTP/1.1 500 permission denied - invalid vnc ticket 32ms]

In the Console I see that the PVEAuthCookie is set in the request.

Could someone advise how to achieve a remote noVNC connection?
 
The port itself is reachable:

[root@localhost ~]# telnet x.x.x.x 5904
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
RFB 003.008

In the noVNC settings I am using port 8006 though - is that correct?

I see this in the Firefox Console:

unreachable code after return statement babel-worker.js:13014
unreachable code after return statement babel-worker.js:13026
Data URI scheme cursor supported browsers.js!transpiled:112:29
unreachable code after return statement babel-worker.js:43349:1
>> RFB.constructor rfb.js!transpiled:143:9
>> Display.constructor display.js!transpiled:31:9
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 display.js!transpiled:59:9
Browser: gecko 19 display.js!transpiled:61:13
Setting viewport to full display region display.js!transpiled:178:25
<< Display.constructor display.js!transpiled:92:9
>> Keyboard.allKeysUp devices.js!transpiled:108:21
<< Keyboard.allKeysUp devices.js!transpiled:110:21
Using native WebSockets, render mode: canvas rendering rfb.js!transpiled:224:9
<< RFB.constructor rfb.js!transpiled:226:9
New state 'connecting', was ''. rfb.js!transpiled:535:21
>> RFB.connect rfb.js!transpiled:384:21
connecting to wss://XXX:8006/api2/json/nodes/s02/qemu/105/vncwebsocket?port=5904&vncticket=PVEVNC:58F212D2::GHLWad5TtREIt..... rfb.js!transpiled:395:21
<< RFB.connect rfb.js!transpiled:408:21
Firefox can’t establish a connection to the server at wss://XXX:8006/api2/json/nodes/s02/qemu/105/vncwebsocket?port=5904&vncticket=PVEVNC:58F212D2::GHLWad5TtREIt.... browser-es-module-loader.js%20line%201412%20%3E%20eval:231:38
>> WebSock.onerror: [object Event] websock.js!transpiled:250:25
WebSocket on-error event rfb.js!transpiled:217:13
<< WebSock.onerror: [object Event] websock.js!transpiled:252:25
>> WebSock.onclose websock.js!transpiled:245:25
WebSocket on-close event rfb.js!transpiled:186:13
Failed when connecting: Failed to connect to server ( (code: 1006)) rfb.js!transpiled:591:29
New state 'disconnecting', was 'connecting'. rfb.js!transpiled:535:21
>> RFB.disconnect rfb.js!transpiled:412:21
>> Keyboard.allKeysUp devices.js!transpiled:108:21
<< Keyboard.allKeysUp devices.js!transpiled:110:21
Encoding stats for this connection: rfb.js!transpiled:442:21
Encoding stats since page load: rfb.js!transpiled:451:21
COPYRECT: 0 rects rfb.js!transpiled:454:25
TIGHT: 0 rects rfb.js!transpiled:454:25
TIGHT_PNG: 0 rects rfb.js!transpiled:454:25
HEXTILE: 0 rects rfb.js!transpiled:454:25
RRE: 0 rects rfb.js!transpiled:454:25
RAW: 0 rects rfb.js!transpiled:454:25
JPEG_quality_med: 0 rects rfb.js!transpiled:454:25
compress_hi: 0 rects rfb.js!transpiled:454:25
DesktopSize: 0 rects rfb.js!transpiled:454:25
last_rect: 0 rects rfb.js!transpiled:454:25
Cursor: 0 rects rfb.js!transpiled:454:25
QEMUExtendedKeyEvent: 0 rects rfb.js!transpiled:454:25
ExtendedDesktopSize: 0 rects rfb.js!transpiled:454:25
xvp: 0 rects rfb.js!transpiled:454:25
Fence: 0 rects rfb.js!transpiled:454:25
ContinuousUpdates: 0 rects rfb.js!transpiled:454:25
<< RFB.disconnect rfb.js!transpiled:416:21
New state 'disconnected', was 'disconnecting'. rfb.js!transpiled:535:21
Clearing disconnect timer rfb.js!transpiled:538:25
<< WebSock.onclose
 
I have just reinstalled a new Proxmox on a local disk (not Ceph). No firewall is enabled on the server. The result has still not changed.

HTTP/1.1 403 Permission check failed (permission denied - invalid PVEVNC ticket) Cache-Control: max-age=0 Connection: close Date: Sat, 15 Apr 2017 18:12:36 GMT Pragma: no-cache Server: pve-api-daemon/3.0 Content-Length: 13 Content-Type: application/json;charset=UTF-8 Expires: Sat, 15 Apr 2017 18:12:36 GMT {"data":null}

pveversion -v
proxmox-ve: 4.4-86 (running kernel: 4.4.49-1-pve)
pve-manager: 4.4-13 (running version: 4.4-13/7ea56165)
pve-kernel-4.4.49-1-pve: 4.4.49-86
lvm2: 2.02.116-pve3
corosync-pve: 2.4.2-2~pve4+1
libqb0: 1.0.1-1
pve-cluster: 4.0-49
qemu-server: 4.0-110
pve-firmware: 1.1-11
libpve-common-perl: 4.0-94
libpve-access-control: 4.0-23
libpve-storage-perl: 4.0-76
pve-libspice-server1: 0.12.8-2
vncterm: 1.3-2
pve-docs: 4.4-4
pve-qemu-kvm: 2.7.1-4
pve-container: 1.0-97
pve-firewall: 2.0-33
pve-ha-manager: 1.0-40
ksm-control-daemon: 1.2-1
glusterfs-client: 3.5.2-2+deb8u3
lxc-pve: 2.0.7-4
lxcfs: 2.0.6-pve1
criu: 1.6.0-1
novnc-pve: 0.5-9
smartmontools: 6.5+svn4324-1~pve80
 
Encrypt: checked
Host: my.server.eu
Port: 8006
Path: api2/json/nodes/s02/qemu/105/vncwebsocket?port=5904&vncticket=PVEVNC:58F1D2D6::oFP....

This is the way to go; no clue as to why this does not work. Do you see anything in the noVNC or server logs?

@unixpert you cannot open the vncwebsocket URL with a simple HTTP GET request; this is a special websocket URL according to the websocket protocol.

Using the results from the vncproxy call in noVNC like @Michal_cz did should work... we do not do anything else in our noVNC client.
 
What I get is an error message: Failed when connecting: Failed to connect to server ( (code: 1006))
and if I try the same values a bit later, I get: [HTTP/1.1 500 permission denied - invalid vnc ticket 32ms]

In the Console I see that the PVEAuthCookie is set in the request.

could someone advise how to achieve a remote noVNC connection?


This is exactly where I am stuck too.
It looks like the server only waits 10 seconds for a connection.


If I start a telnet session within 10 seconds I get a connection:
Code:
# telnet a.b.c.d 5900
Trying a.b.c.d...
Connected to a.b.c.d.
Escape character is '^]'.
RFB 003.008


If I click connect in the noVNC window within 10 seconds error in firefox console is:
Code:
Firefox can’t establish a connection to the server at wss://XXX:8006/api2/json/nodes/node1/qemu/100/vncwebsocket?port=5900&vncticket=PVEVNC:5915B5...


If I wait more than 10 seconds error in firefox console is:
Code:
HTTP/1.1 403 Permission check failed (permission denied - invalid PVEVNC ticket)


Syslog always shows only 5 lines:
Code:
May 12 15:01:06 node1 pvedaemon[20732]: <root@pam> successful auth for user 'root@pam'
May 12 15:01:06 node1 pvedaemon[12519]: starting vnc proxy UPID:node1:000030E7:007E6365:5915B212:vncproxy:100:root@pam:
May 12 15:01:06 node1 pvedaemon[20732]: <root@pam> starting task UPID:node1:000030E7:007E6365:5915B212:vncproxy:100:root@pam:
May 12 15:01:16 node1 pvedaemon[12519]: connection timed out
May 12 15:01:16 node1 pvedaemon[20732]: <root@pam> end task UPID:node1:000030E7:007E6365:5915B212:vncproxy:100:root@pam: connection timed out


Did you ever find a solution?
 
So after a day of debugging I solved my remote VNC problem.

PVE version: pve-manager/4.2-2/725d76f0 (running kernel: 4.4.6-1-pve)

So, what I do through API:

1) POST /api2/json/nodes/s02/qemu/105/vncproxy
- this should work fine. Received values are [port, cert, upid, user, ticket]

2) GET api2/json/nodes/s02/qemu/105/vncwebsocket
- this shouldn't be called from your script, it is called directly by novnc


I used http://novnc.com to eliminate possible problems on a local noVNC installation

Code:
$server = 'server02.domain.eu';
$host = 's02';
$vmID = 105;

// in my script this call is done on a local class, you will need to update it to call the API directly
// returns $proxyData['ticket'] and $proxyData['port'] among other values
$proxyData = $this->post("/api2/json/nodes/$host/qemu/$vmID/vncproxy", ['websocket'=>true]);

$port = $proxyData['port'];
$ticket = $proxyData['ticket'];

// to build the link
$link = "http://novnc.com/noVNC/vnc.html?autoconnect=true&host=$server&port=$port&password=$ticket&encrypt=1&path=".urlencode("api2/json/nodes/$host/qemu/".$vmID."/vncwebsocket?port=".$port."&vncticket=".urlencode($ticket));

Yes, you have to run urlencode twice - 1st on vncticket variable and then on the whole path variable.


During my testing I received an error

Unsupported security types: 19

I checked what telnet to the given port returns from localhost:

root@s02:/usr/share# telnet localhost 5905
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
RFB 003.008

I don't know how to solve this, I used a workaround with "websocket true" in the API call.

Everything works fine now! :)

* Update 13/06/2017 18:56
You have to be logged in to the Proxmox web interface, otherwise you will receive a "No ticket" error. I'll have to see how to solve that...
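
Why the ticket has to be URL-encoded twice in the link from the post above, shown as an added example that is not part of the original post and is written in JavaScript rather than the post's PHP. The host names, node name and ticket are constructed samples, port 8006 follows the noVNC settings quoted earlier in the thread, and the form-style query decoding on both sides is an assumption.

```javascript
// Added example, not code from the thread. All values are constructed samples.
// The base64 part of the sample ticket deliberately contains '+', '/' and '='.
const SAMPLE_PROXY = { port: '5900', ticket: 'PVEVNC:58EF241D::ab+cd/ef==' };

// Path that noVNC opens as wss://<host>:8006/<path>. With encodeTicket=false the
// ticket is pasted in raw, which is the failure mode this example demonstrates.
function websocketPath(node, vmid, proxy, encodeTicket = true) {
  const enc = encodeTicket ? encodeURIComponent : (s) => s;
  return `api2/json/nodes/${node}/qemu/${vmid}/vncwebsocket` +
         `?port=${enc(proxy.port)}&vncticket=${enc(proxy.ticket)}`;
}

// vnc.html link. "path" is itself a query parameter of vnc.html, so the whole
// websocket path (with its already-encoded ticket) is encoded a second time.
function novncLink(base, pveHost, node, vmid, proxy, encodeTicket = true) {
  const params = {
    autoconnect: 'true', host: pveHost, port: '8006', encrypt: '1',
    password: proxy.ticket,
    path: websocketPath(node, vmid, proxy, encodeTicket),
  };
  const query = Object.entries(params)
    .map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join('&');
  return `${base}?${query}`;
}

// Replays the two decoding steps: the page reads "path" from its own URL, then
// the API server reads "vncticket" from the websocket URL's query string.
// Assumption: both sides use form-style decoding, where '+' means a space.
function ticketSeenByServer(link) {
  const path = new URL(link).searchParams.get('path');
  const wsUrl = new URL(`wss://pve.example:8006/${path}`);
  return wsUrl.searchParams.get('vncticket');
}

// Compare the ticket that arrives when it is encoded twice versus only once.
function demo() {
  const args = ['https://novnc.example/vnc.html', 'pve.example', 'host001', 100];
  return {
    twice: ticketSeenByServer(novncLink(...args, SAMPLE_PROXY, true)),
    once: ticketSeenByServer(novncLink(...args, SAMPLE_PROXY, false)),
  };
}

console.log(demo());
```

With only one layer of encoding the `+` in the base64 part arrives as a space, so the string the server checks is no longer the ticket that vncproxy issued.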
 
