VMware migration tool: we need your feedback!
-
Sounds like very old SSL libs that are not supported anymore?
-
This was my initial thought, I tried to drop the MinProtocol to TLSv1.0 in openssl.cnf and recomplile from source. But the error persisted,
Worst case I can look at manually exporting and importing the VMs.
-
Let's wait to see if @florent got an idea
-
@andyh said in VMware migration tool: we need your feedback!:
This was my initial thought, I tried to drop the MinProtocol to TLSv1.0 in openssl.cnf and recomplile from source. But the error persisted,
Worst case I can look at manually exporting and importing the VMs.
I have some work to do on the SSL ( the current implementation of the lib have some serious limit) , I will try to handle this at the same time.
-
@florent thanks for the response
-
@andyh hi
could you tests this branch : https://github.com/vatesfr/xen-orchestra/pull/6859
I rewrote the https handling, and I 'm curious of the behaviour with older host
regards
-
@florent Thanks for reaching out
Updated XO from Sources to the commit from the branch.
When I attempt the import from VMware, the process doesn't show an error in the UI and the connect process button looks to spin. However, checking the logs I see the following error (with skip SSL enabled or disabled)
write EPROTO C0F754130E7F0000:error:0A000102:SSL routines:ssl_choose_client_version:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_lib.c:1987:
-
@andyh I tried to disable TLS V2, can you
pull --rebase
and retry ?if it doesn't work, could you check the tls level of your esxi host ?
https://stackoverflow.com/questions/40557031/command-prompt-to-check-tls-version-required-by-a-host
especiallycurl -Iiv --tlsv1.1 https://example.com
I have
* ALPN, offering h2 * ALPN, offering http/1.1 * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: /etc/ssl/certs * TLSv1.0 (OUT), TLS header, Certificate Status (22): * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (OUT), TLS header, Unknown (21): * TLSv1.2 (OUT), TLS alert, unknown CA (560): * SSL certificate problem: unable to get local issuer certificate * Closing connection 0 curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.
on my esxi 6 host
-
Thanks for the quick response, the same error looks to persist.
Running the curl command gives
* Trying 192.168.xx.yy:443... * Connected to 192.168.xx.yy (192.168.xx.yy) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: /etc/ssl/certs * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (OUT), TLS alert, protocol version (582): * error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol * Closing connection 0 curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Performing the same check with -tlsv1.0 gives
* Trying 192.168.xx.yy:443... * Connected to 192.168.xx.yy (192.168.xx.yy) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: /etc/ssl/certs * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.0 (IN), TLS handshake, Certificate (11): * TLSv1.0 (OUT), TLS alert, unknown CA (560): * SSL certificate problem: unable to get local issuer certificate * Closing connection 0 curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.
Not sure if this helps.
-
Hi!
I am having a similar problem to @andyh
Our VMWare is v5.5, xoa CLI throws:"result": { "message": "Client network socket disconnected before secure TLS connection was established", "name": "Error", "stack": "Error: Client network socket disconnected before secure TLS connection was established\n at Function.AxiosError.from (/opt/xo/xo-builds/xen-orchestra-202306231640/node_modules/axios/lib/core/AxiosError.js:89:14)\n at RedirectableRequest.handleRequestError (/opt/xo/xo-builds/xen-orchestra-202306231640/node_modules/axios/lib/adapters/http.js:591:25)\n at RedirectableRequest.emit (node:events:527:28)\n at RedirectableRequest.patchedEmit [as emit] (/opt/xo/xo-builds/xen-orchestra-202306231640/@xen-orchestra/log/configure.js:52:17)\n at ClientRequest.eventHandlers.<computed> (/opt/xo/xo-builds/xen-orchestra-202306231640/node_modules/follow-redirects/index.js:14:24)\n at ClientRequest.emit (node:events:527:28)\n at ClientRequest.patchedEmit [as emit] (/opt/xo/xo-builds/xen-orchestra-202306231640/@xen-orchestra/log/configure.js:52:17)\n at TLSSocket.socketErrorListener (node:_http_client:454:9)\n at TLSSocket.emit (node:events:527:28)\n at TLSSocket.patchedEmit [as emit] (/opt/xo/xo-builds/xen-orchestra-202306231640/@xen-orchestra/log/configure.js:52:17)\n at emitErrorNT (node:internal/streams/destroy:157:8)\n at emitErrorCloseNT (node:internal/streams/destroy:122:3)\n at processTicksAndRejections (node:internal/process/task_queues:83:21)",
While webUI stucks on "Connect" with no apparent logs present..
When checking tls level of my esxi host:
localhost:~ # openssl s_client -connect www.google.com:443 -tls1 CONNECTED(00000003)
Will there be a support for older versions of ESXi? Or maybe I am doing something wrong. Thanks in advance!
-
@akaylee we brole rejectUnauthorized ( handling of self signed certificate) During the upgrade of node-vpshere-soap, the fixes are coming and it should also work on 5.5
the first one have been merged and should allow you to list the VM on the host. Does it work ?
-
@florent it doesn't seem to work, still stuck on 'Connect', 20 minutes elapsed
-
@akaylee what is your current commit ?
this is the right one : 0f0c0ec -
@florent sorry, overlooked!
Yes, I was able to connect to my esxi host after updating to 0f0c0ec, testing migration right now
Thank you! -
@florent Just updated from sources, but my latest commit looks to be 0f0c0ec0d. Have I missed something ?
-
@andyh that's ok, I only pasted the start of the hash
As long as you're up to date on master, it should work (also it does not disable certifictae check for the whole process now )
-
@florent I still look to be receiving the same error, after updating to 0f0c0ec
write EPROTO C0D7ADA7B77F0000:error:0A000102:SSL routines:ssl_choose_client_version:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_lib.c:1987:
Any further thoughts?
-
Gave this is a try earlier with some changes to my openssl.cnf
Sadly still coming across the same error, is there a minimum ESXi version that the import tool will connect to ?
-
Hi!
I did try the migration from the GUI for the first time.
The job did start and create a VM on XCP-ng. But there is no snapshot on the "VMWare-side" and there is no progress on the import.The job did start and XO-tasks is now showing "importing vms, duration a few seconds, status green"
There is no "cancel" option.
On the XCP-ng-SR, there are the new disks, but they are empty.
Do you have any idea, what I did wrong and how I can proceed?
Tested on XOA on latest stable
Thank you and best wishes
-
@KPS is there anything in the log ( journalctl ) ?
we can't migrate live data. Is the VM running ?