<div dir="ltr"><div><div>Hi Thomas,<br><br></div>Thanks for your response! This goes a long way, however there is still the unknown where ovirt-engine takes the SPICE certificate and CA from.<br><br></div><div>Can somebody confirm that replacing just the files referenced in the apache configuration will be sufficient?<br>
<br>Thanks!<br></div><div>iordan<br>
</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Nov 20, 2013 at 1:00 PM, Thomas Suckow <span dir="ltr"><<a href="mailto:thomas.suckow@pnnl.gov" target="_blank">thomas.suckow@pnnl.gov</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I don't know about the native SPICE client, but here is what I did for apache and the websocket proxy:<br>
<br>
In /etc/httpd/conf.d/ssl.conf it lists<br>
SSLCertificateFile<br>
SSLCertificateKeyFile<br>
SSLCertificateChainFile<br>
SSLCACertificateFile<br>
<br>
Those are the files you need to replace for the web interface. My certs were combined, so I actually only use SSLCertificateFile and SSLCertificateChainFile<br>
<br>
NOTE: If you modify ssl.conf, the path /etc/pki/ovirt-engine/apache-<u></u>ca.pem is used by ovirt-iso-uploader. Uploads will fail unless you replace/symlink that file or specify a CA certificate on the command line. I actually linked to my chain file and it seems to be happy.<br>
<br>
<br>
<br>
Websocket Proxy:<br>
<br>
/etc/ovirt-engine/ovirt-<u></u>websocket-proxy.conf.d/10-<u></u>setup.conf defines the certificates.<br>
<br>
The websocket proxy needs a combined certificate file with your cert and the entire chain for SSL_CERTIFICATE<br>
SSL_KEY is just the unencrypted key, and it MUST be accessible by the ovirt user.<br>
<br>
<br>
<br>
As for spice, I am not sure, I am guessing it is /etc/pki/ovirt-engine/keys/<u></u>engine_id_rsa and /etc/pki/ovirt-engine/keys/<u></u>certs/engine.cer<br>
Not sure where they are referenced except by the websocket proxy.<br>
<br>
--<br>
Thomas<br>
______________________________<u></u>_________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/<u></u>mailman/listinfo/users</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>The conscious mind has only one thread of execution.
</div>