<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.E-mailStijl17
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.E-mailStijl18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="NL-BE" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">It’s a clean 3.6 install, and I installed the proxy later on.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">I did run the engine-setup command again (don’t know if it creates a new CA every time?)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">And also used this command as given in the bugreport:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">engine-setup --otopi-environment="OVESETUP_CONFIG/websocketProxyConfig=bool:True"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="NL" style="mso-fareast-language:NL-BE">Van:</span></b><span lang="NL" style="mso-fareast-language:NL-BE"> Michal Skrivanek [mailto:mskrivan@redhat.com]
<br>
<b>Verzonden:</b> woensdag 23 december 2015 13:42<br>
<b>Aan:</b> Kristof VAN DEN EYNDEN<br>
<b>CC:</b> users@ovirt.org<br>
<b>Onderwerp:</b> Re: [ovirt-users] Spice SSL Certificate<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;mso-fareast-language:NL-BE"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
On 23 Dec 2015, at 13:18, Kristof VAN DEN EYNDEN <<a href="mailto:Kristof.VANDENEYNDEN@politiewestkust.be">Kristof.VANDENEYNDEN@politiewestkust.be</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span lang="EN-US">I was trying to get Spice or VNC to work on Firefox. After activating the ovirt-websocket-proxy settings (using this guide
</span><a href="https://access.redhat.com/solutions/718653"><span lang="EN-US">https://access.redhat.com/solutions/718653</span></a><span lang="EN-US">)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I kept on getting error - Server disconnected (code: 1006). This pointed me to other posts stating it was a certificate issue. After doing some research I found post:
</span><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1098574"><span lang="EN-US">https://bugzilla.redhat.com/show_bug.cgi?id=1098574</span></a><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">So I started tracing the messages: grep -i 'websocket.*trace' /var/log/messages<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,314 ovirt-websocket-proxy: INFO msg:824 Got SIGTERM, exiting<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,314 ovirt-websocket-proxy: INFO msg:824 In exit<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,514 ovirt-websocket-proxy: INFO msg:824 WebSocket server settings:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,515 ovirt-websocket-proxy: INFO msg:824 - Listen on *:6100<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,515 ovirt-websocket-proxy: INFO msg:824 - Flash security policy server<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,515 ovirt-websocket-proxy: INFO msg:824 - SSL/TLS support<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,515 ovirt-websocket-proxy: INFO msg:824 - Deny non-SSL/TLS connections<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,515 ovirt-websocket-proxy: INFO msg:824 - Recording to '/tmp/websocketproxy_trace.log.*'<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,519 ovirt-websocket-proxy: INFO msg:824 - proxying from *:6100 to targets in /dummy<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Dec 23 13:47:19 ovirt36 2015-12-23 13:47:19,543 ovirt-websocket-proxy: INFO msg:824 handler exception: [Errno 1] _ssl.c:1390: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Dec 23 13:48:12 ovirt36 2015-12-23 13:48:12,328 ovirt-websocket-proxy: INFO msg:824 handler exception: [Errno 1] _ssl.c:1390: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Dec 23 13:49:49 ovirt36 2015-12-23 13:49:49,420 ovirt-websocket-proxy: INFO msg:824 handler exception: [Errno 1] _ssl.c:1390: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Dec 23 13:55:36 ovirt36 2015-12-23 13:55:36,114 ovirt-websocket-proxy: INFO msg:824 handler exception: [Errno 1] _ssl.c:1390: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Dec 23 13:56:40 ovirt36 2015-12-23 13:56:40,201 ovirt-websocket-proxy: INFO msg:824 handler exception: [Errno 1] _ssl.c:1390: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">So I added the certificate by surfing to </span>
<a href="https://(ovirt)/ca.crt"><span lang="EN-US">https://(ovirt)/ca.crt</span></a>
<span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">which gives following box in firefox :<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:NL-BE"><img border="0" width="558" height="325" id="Afbeelding_x0020_1" src="cid:image001.png@01D13D87.DAD0A080" alt="cid:image001.png@01D13D87.DAD0A080"></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">So I assume it would be OK now? Nevertheless it still doesn’t work! /var/log/messages still shows the same error? On another post I found that someone surfed to
</span><a href="https://(ovirt):6100"><span lang="EN-US">https://(ovirt):6100</span></a><span lang="EN-US"> and accepted the certificiate there. So I did the same thing which solved my problem immediately.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I don’t quite understand the issue, feels like the CA is not getting authorized or the 2 certificates do not belong to the same CA ?<o:p></o:p></span></p>
</div>
</blockquote>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:NL-BE"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:NL-BE">Indeed it looks like two different CAs. Can you please check whether they are the same or not? How did you install the websocket
proxy, together at the same time as you installed engine or later? Was it an upgrade from 3.5?<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:NL-BE">Note you need the proxy only for web-based clients, remote-viewer (or custom vnc viewer) doesn't need any <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:NL-BE"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:NL-BE">Thanks,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:NL-BE">michal<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:NL-BE"><br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I can continue like this, but I feel it should be easier to complete?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:NL-BE">_______________________________________________<br>
Users mailing list<br>
</span><a href="mailto:Users@ovirt.org"><span lang="EN-US" style="font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:NL-BE">Users@ovirt.org</span></a><span lang="EN-US" style="font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:NL-BE"><br>
</span><a href="http://lists.ovirt.org/mailman/listinfo/users"><span lang="EN-US" style="font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:NL-BE">http://lists.ovirt.org/mailman/listinfo/users</span></a><span lang="EN-US" style="font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:NL-BE"><o:p></o:p></span></p>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</body>
</html>