VMware migration tool: we need your feedback!
-
-
@michmoor0725 XO 5.82.1 has just been released in the
latestchannel with a few bug fixes, please let me know if that helps. -
@julien-f well well well....lol...
You are correct. There is an update and im able to import from VMware. No error messages so far.
Taking about 40 minutes or so but i dont know if thats good or not. I selected a NFS storage thats running on mechanical disks so i suspect thats the bottleneck.I will keep everyone here up to date if i run into any issues.
Job well done you guys/gals. Job well done -
@julien-f VM has been imported but the problem now is networking.
The VM cannot pick up an IP regardless of what network i place it in. The eth0 interface is down. I bring it up no IP. VM is set for DHCP.
I know the vlans work as thats how ive been building test VMs which are configured with a dhcp scope.For example, ive built a DMZ Host from XO. No issue.
Ive imported a VM from ESXi and placed it in the DMZ vlan. No IPI took a pcap from the firewall and sure enough I dont see any DHCP Discover packets at all.
-
disregard. I rebooted the VM a few times but the solution was to force a dhcp renew
$sudo dhclient -
Good news then
-
@olivierlambert Very very good news. Great job on the import tool.
-
I have a legacy host running VMWare 5.1.0, when attempting to execute
xo-cli --register --allowUnauthorized <host> <user>I receive the following error
✖ Error: write EPROTO C057D8B5357F0000:error:0A000102:SSL routines:ssl_choose_client_version:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_lib.c:1987: at WriteWrap.onWriteComplete [as oncomplete] (node:internal/stream_base_commons:94:16) { code: 'EPROTO', errno: -71, syscall: 'write' }Would VMWare 5.1.0 be too old to transfer via Import from ?
-
Hi,
I'm not sure to understand why are you using XO CLI in the first place? Have you tried from the UI directly?
-
When I try the import from the UI directly I receive the following in the logs:
write EPROTO C0A77278D27F0000:error:0A000102:SSL routines:ssl_choose_client_version:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_lib.c:1987:I am using Xen Orchestra from sources (commit 6fe79)
xo-server 5.116.3
xo-web 5.119.1 -
Sounds like very old SSL libs that are not supported anymore?
-
This was my initial thought, I tried to drop the MinProtocol to TLSv1.0 in openssl.cnf and recomplile from source. But the error persisted,
Worst case I can look at manually exporting and importing the VMs.
-
Let's wait to see if @florent got an idea
-
@andyh said in VMware migration tool: we need your feedback!:
This was my initial thought, I tried to drop the MinProtocol to TLSv1.0 in openssl.cnf and recomplile from source. But the error persisted,
Worst case I can look at manually exporting and importing the VMs.
I have some work to do on the SSL ( the current implementation of the lib have some serious limit) , I will try to handle this at the same time.
-
@florent thanks for the response
-
@andyh hi
could you tests this branch : https://github.com/vatesfr/xen-orchestra/pull/6859
I rewrote the https handling, and I 'm curious of the behaviour with older host
regards
closed feat(node-vsphere-soap): security improvements #6859
-
@florent Thanks for reaching out
Updated XO from Sources to the commit from the branch.
When I attempt the import from VMware, the process doesn't show an error in the UI and the connect process button looks to spin. However, checking the logs I see the following error (with skip SSL enabled or disabled)
write EPROTO C0F754130E7F0000:error:0A000102:SSL routines:ssl_choose_client_version:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_lib.c:1987: -
@andyh I tried to disable TLS V2, can you
pull --rebaseand retry ?if it doesn't work, could you check the tls level of your esxi host ?
https://stackoverflow.com/questions/40557031/command-prompt-to-check-tls-version-required-by-a-host
especiallycurl -Iiv --tlsv1.1 https://example.comI have
* ALPN, offering h2 * ALPN, offering http/1.1 * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: /etc/ssl/certs * TLSv1.0 (OUT), TLS header, Certificate Status (22): * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (OUT), TLS header, Unknown (21): * TLSv1.2 (OUT), TLS alert, unknown CA (560): * SSL certificate problem: unable to get local issuer certificate * Closing connection 0 curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.on my esxi 6 host
-
Thanks for the quick response, the same error looks to persist.
Running the curl command gives
* Trying 192.168.xx.yy:443... * Connected to 192.168.xx.yy (192.168.xx.yy) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: /etc/ssl/certs * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (OUT), TLS alert, protocol version (582): * error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol * Closing connection 0 curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocolPerforming the same check with -tlsv1.0 gives
* Trying 192.168.xx.yy:443... * Connected to 192.168.xx.yy (192.168.xx.yy) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: /etc/ssl/certs * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.0 (IN), TLS handshake, Certificate (11): * TLSv1.0 (OUT), TLS alert, unknown CA (560): * SSL certificate problem: unable to get local issuer certificate * Closing connection 0 curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.Not sure if this helps.
-
Hi!
I am having a similar problem to @andyh
Our VMWare is v5.5, xoa CLI throws:"result": { "message": "Client network socket disconnected before secure TLS connection was established", "name": "Error", "stack": "Error: Client network socket disconnected before secure TLS connection was established\n at Function.AxiosError.from (/opt/xo/xo-builds/xen-orchestra-202306231640/node_modules/axios/lib/core/AxiosError.js:89:14)\n at RedirectableRequest.handleRequestError (/opt/xo/xo-builds/xen-orchestra-202306231640/node_modules/axios/lib/adapters/http.js:591:25)\n at RedirectableRequest.emit (node:events:527:28)\n at RedirectableRequest.patchedEmit [as emit] (/opt/xo/xo-builds/xen-orchestra-202306231640/@xen-orchestra/log/configure.js:52:17)\n at ClientRequest.eventHandlers.<computed> (/opt/xo/xo-builds/xen-orchestra-202306231640/node_modules/follow-redirects/index.js:14:24)\n at ClientRequest.emit (node:events:527:28)\n at ClientRequest.patchedEmit [as emit] (/opt/xo/xo-builds/xen-orchestra-202306231640/@xen-orchestra/log/configure.js:52:17)\n at TLSSocket.socketErrorListener (node:_http_client:454:9)\n at TLSSocket.emit (node:events:527:28)\n at TLSSocket.patchedEmit [as emit] (/opt/xo/xo-builds/xen-orchestra-202306231640/@xen-orchestra/log/configure.js:52:17)\n at emitErrorNT (node:internal/streams/destroy:157:8)\n at emitErrorCloseNT (node:internal/streams/destroy:122:3)\n at processTicksAndRejections (node:internal/process/task_queues:83:21)",While webUI stucks on "Connect" with no apparent logs present..
When checking tls level of my esxi host:
localhost:~ # openssl s_client -connect www.google.com:443 -tls1 CONNECTED(00000003)Will there be a support for older versions of ESXi? Or maybe I am doing something wrong. Thanks in advance!
