[SOLVED] VNC Error 1006 , SSL connection but '/self.pem' not found

Hi there,

I just configured my SSL HTTP Proxy using NGINX

NGINX

map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}

upstream sunstone {
    server 127.0.0.1:9869;
}

upstream websocketproxy {
    server 127.0.0.1:29876;
}

server {
    listen *:80;
    server_name example.com;
    rewrite ^(.*)$ https://example.com$1 permanent;
}

server {
    listen 443 ssl http2 deferred;
    ssl on;
    ssl_session_timeout 24h;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    access_log  /var/log/nginx/opennebula-sunstone-access.log;
    error_log  /var/log/nginx/opennebula-sunstone-error.log;

    client_max_body_size 10G;

    location / {
        proxy_pass http://sunstone;
        proxy_redirect     off;
        log_not_found      off;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   Host $http_host;
        proxy_set_header   X-Forwarded-FOR $proxy_add_x_forwarded_for;
    }

    location /websockify {
        proxy_pass http://websocketproxy;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        add_header Access-Control-Allow-Origin *;
    }
}

Sunstone Config

:host: 127.0.0.1
:port: 9869

:vnc_proxy_port: 29876
:vnc_proxy_support_wss: only
:vnc_proxy_cert: /etc/letsencrypt/live/example.com/fullchain.pem
:vnc_proxy_key: /etc/letsencrypt/live/example.com/privkey.pem
:vnc_proxy_ipv6: false
:vnc_request_password: false

No matter what, I canā€™t get VNC in Sunstone GUI to work
I checked every topic about this error and tried every solution :confused:
My firewall is disabled , I used x509 certificated , letsencrypt , different ciphers, so many configs
My front-end works fine but VNC, no luck,

I keep getting this error Server disconnected (code: 1006)
and in novnc.log : SSL connection but '/self.pem' not found

I know there is so many topics , but believe me i checked every last one of them for past 6 hours

Does that location /websockify thingy work at all?

Beside of that. Are you sure oneadmin can read /etc/letsencrypt/ ?

1 Like

I have a similar problem. When I try to activate websocketproxy.py I find the error ā€œSSL connection but ā€˜/self.pemā€™ not foundā€ in novnc.log

Iā€™m using Opennebula 5.2.1, and my copy of websocketproxy.py is running with too few options. It doesnā€™t look to me that it uses --cert or --key at all, and /self.pem is the default key file for /usr/share/one/websockify/websocketproxy.py.

# ss -ntap | grep 29876 LISTEN 0 100 *:29876 *:* users:(("python2",pid=32614,fd=0)) # ps -ef | grep 32614|grep -v grep oneadmin 32614 1 0 Jun16 ? 00:00:48 python2 /usr/share/one/websockify/websocketproxy.py --target-config=/var/lib/one/sunstone_vnc_tokens 29876

I would expect it should have been something similar to

/usr/share/one/websockify/websocketproxy.py --cert=/etc/letsencrypt/live/example.com/fullchain.pem --key=/etc/letsencrypt/live/example.com/privkey.pem --target-config=/var/lib/one/sunstone_vnc_tokens 29876

if the paths is the same as in OPs configuration file.

1 Like

Hey, man did you managed to solve your problem, Iā€™m still unable to solve it, I donā€™t know where that websocketproxy.py gets called so I could pass that parameter to test

EDIT: I found the fine at /usr/lib/one/ruby/OpenNebulaVNC.rb
and here is Github Link

Finally SOLVED God Damn :smiley:

@Thomas_Stein Thanks for mentioning permission problem ( that was part of issue )

@jhl I managed to solve it by noticing python process id was same after restarting opennebula-sunstone service, so finally found out that opennebula-novnc service calling that ruby file and loading the sunstone-server.conf, so restarting opennebula-novnc is the right call, but you should stop opennebula-sunstone first ( since it depend on novnc )

Here are my configs for any one who needs :slight_smile:

Nginx Config:

map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}

upstream sunstone {
    server 127.0.0.1:9869;
}

upstream websocketproxy {
    server 127.0.0.1:29876;
}

server {
    listen *:80;
    server_name example.com;
    rewrite ^(.*)$ https://example.com$1 permanent;
}

server {
    listen 443 ssl http2 deferred;
    ssl on;
    ssl_session_timeout 24h;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    access_log  /var/log/nginx/opennebula-sunstone-access.log;
    error_log  /var/log/nginx/opennebula-sunstone-error.log;
    
    client_max_body_size 10G;

    location / {
        proxy_pass http://sunstone;
        proxy_redirect     off;
        log_not_found      off;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   Host $http_host;
        proxy_set_header   X-Forwarded-FOR $proxy_add_x_forwarded_for;
    }

    location /websockify {
        proxy_pass http://websocketproxy;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        add_header Access-Control-Allow-Origin *;
    }
**}**

Sunstone Config /etc/one/sunstone-server.conf

# Server Configuration
#
:host: 127.0.0.1
:port: 9869

:vnc_proxy_port: 29876
:vnc_proxy_support_wss: "only"
:vnc_proxy_cert: /etc/letsencrypt/live/example.com/fullchain.pem
:vnc_proxy_key: /etc/letsencrypt/live/example.com/privkey.pem
:vnc_proxy_ipv6: false
:vnc_request_password: false

Tips:

  1. Make sure your cert folder is accessible for oneadmin user, in my case :
    chown -R oneadmin:oneadmin /etc/letsencrypt
  2. After changing sunstone-server.conf stop opennebula-sunstone service then restart opennebula-novnc and start opennebula-sunstone again
3 Likes

I had the same problem. Thx for info.

I actually used another way how to add the cert.

Install ssl-cert package. Then chown -R root:ssl-cert /etc/letsencrypt

Now just add oneadmin to ssl-cert group! usermod -a -G ssl-cert oneadmin

The preferred way how to use certs is ssl-cert imo.

For example I also have symlinks of active certs from /etc/letsencrypt under /etc/ssl/certs and under /etc/ssl/private for keys.