Thanks for the initial start, Strahil.
My desktop is Windows, but I took apart the console.vv file, and these are my findings:
In the console.vv file, there is a valid CA cert, which is for the signing CA for our
valid wildcard SSL cert.
However, when I connected to the target host on the tls-port, I noted that it is still
using the original self-signed CA, generated by ovirt-engine for the host.
Digging with lsof says that the process is qemu-kvm.
Looking at the command line, that has
x509-dir=/etc/pki/vdsm/libvirt-spice
So...
I guess I need to update server.key server.cert and ca-cert in there?
except there's a whole lot of '*key.pem' files under the /etc/pki directory
tree.
Suggestions on which is best to update?
For example, there is also
/etc/pki/vdsm/keys/vdsmkey.pem
----- Original Message -----
From: "Strahil Nikolov" <hunter86_bg(a)yahoo.com>
To: "users" <users(a)ovirt.org>, "Philip Brown"
<pbrown(a)medata.com>
Sent: Tuesday, September 22, 2020 12:09:55 PM
Subject: Re: [ovirt-users] Re: console breaks with signed SSL certs
I assume you are working on Linux (for Windows you will need to ssh to a Linux box or even
one of the Hosts).
When you download the 'console.vv' file for the Spice connection, you will have to
note several things:
- host
- tls-port (not the plain 'port=' !!! )
- ca
Process the CA and replace the '\n' with new lines.
Then you can run:
openssl s_client -connect <host>:<tls-port> -CAfile <path-to-ca-with-newlines> -showcerts
Then you can inspect the certificate chain.
I would then grep for the strings from openssl in the engine.
In my case I find these containing the line with the 'issuer':
/etc/pki/ovirt-engine/certs/websocket-proxy.cer
/etc/pki/ovirt-engine/certs/apache.cer
/etc/pki/ovirt-engine/certs/reports.cer
/etc/pki/ovirt-engine/certs/imageio-proxy.cer
/etc/pki/ovirt-engine/certs/ovn-ndb.cer
/etc/pki/ovirt-engine/certs/ovn-sdb.cer
/etc/pki/ovirt-engine/certs/ovirt-provider-ovn.cer
Happy Hunting!
Best Regards,
Strahil Nikolov
On Tuesday, 22 September 2020 at 21:52:10 GMT+3, Philip Brown
<pbrown(a)medata.com> wrote:
More detail on the problem.
After starting remote-viewer --debug, I get
(remote-viewer.exe:18308): virt-viewer-DEBUG: 11:45:30.594: New spice channel 000000000608B240 SpiceMainChannel 0
(remote-viewer.exe:18308): virt-viewer-DEBUG: 11:45:30.594: notebook show status 0000000003479130
(remote-viewer.exe:18308): Spice-WARNING **: 11:45:30.691: ../subprojects/spice-common/common/ssl_verify.c:444:openssl_verify: Error in certificate chain verification: self signed certificate in certificate chain (num=19:depth1:/C=US/O=xxxxxxxxxx.65101)
(remote-viewer.exe:18308): GSpice-WARNING **: 11:45:30.692: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)
(remote-viewer.exe:18308): virt-viewer-DEBUG: 11:45:30.693: Destroy SPICE channel SpiceMainChannel 0
So it seems like there's some additional thing that needs telling to use the official
signed cert.
Any clues for me please?
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement:
https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/VKSX7CLJ4N7...
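The steps Strahil describes (pull host, tls-port and ca out of console.vv, expand the literal '\n' escapes in the CA field, then point openssl s_client at that CA) can be scripted, which also avoids needing a Linux box from a Windows desktop since Python's ssl module does the chain check directly. The following is an added example written for this thread, not code from oVirt, virt-viewer or either poster. The console.vv sample is constructed (placeholder certificate body, made-up host name) and the file name console-ca.pem is my choice; the [virt-viewer] section name and the host, port, tls-port and ca keys are the ones the thread refers to.

```python
"""Extract host / tls-port / ca from an oVirt console.vv file and check the
SPICE TLS endpoint against that CA.  Added example for the mailing-list
thread; not oVirt or virt-viewer code.  The sample file is constructed."""
import configparser
import socket
import ssl
import sys

# Constructed sample console.vv: the CA PEM is stored on one line with
# literal "\n" escapes, which is what the thread asks you to expand.
# The base64 body is a placeholder, not a real certificate.
SAMPLE_VV = r"""[virt-viewer]
type=spice
host=vmhost01.example.test
port=5900
tls-port=5901
password=secret
ca=-----BEGIN CERTIFICATE-----\nMIIB...PLACEHOLDER...\n-----END CERTIFICATE-----\n
"""


def parse_console_vv(text):
    """Return (host, tls_port, ca_pem) from console.vv text.

    The ca value keeps its newlines as the two characters backslash + n,
    so they are expanded here into a real multi-line PEM block."""
    cp = configparser.ConfigParser(interpolation=None)  # PEM may contain '%'
    cp.read_string(text)
    section = cp["virt-viewer"]
    host = section["host"]
    tls_port = int(section["tls-port"])  # the TLS port, not the plain 'port='
    ca_pem = section["ca"].replace("\\n", "\n").strip() + "\n"
    if not ca_pem.startswith("-----BEGIN CERTIFICATE-----"):
        raise ValueError("ca field does not look like a PEM certificate")
    return host, tls_port, ca_pem


def openssl_command(host, tls_port, ca_path):
    """The openssl s_client invocation from the thread, as an argv list."""
    return ["openssl", "s_client", "-connect", f"{host}:{tls_port}",
            "-CAfile", ca_path, "-showcerts"]


def check_tls_endpoint(host, tls_port, ca_pem, timeout=5.0):
    """Connect to host:tls_port trusting only ca_pem; return (ok, detail).

    If qemu-kvm still serves a chain from the oVirt host CA while console.vv
    carries the public CA, verification fails here with the same kind of
    message remote-viewer printed ('self signed certificate in certificate
    chain').  Only network use; not exercised offline."""
    ctx = ssl.create_default_context(cadata=ca_pem)
    ctx.check_hostname = False  # the question is which CA issued the chain
    try:
        with socket.create_connection((host, tls_port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, f"verified; peer subject {cert.get('subject')}"
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message or str(exc)
    except OSError as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    # Usage: python check_console_vv.py [path/to/console.vv]
    # Without an argument the constructed sample is parsed and no connection is made.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_VV
    host, port, ca = parse_console_vv(text)
    with open("console-ca.pem", "w", encoding="utf-8") as fh:
        fh.write(ca)
    print(" ".join(openssl_command(host, port, "console-ca.pem")))
    if path:
        ok, detail = check_tls_endpoint(host, port, ca)
        print("OK" if ok else "FAILED", detail)
```

Running it against a real console.vv writes the expanded CA to console-ca.pem, prints the equivalent openssl s_client command for cross-checking, and reports whether the chain served on the tls-port actually validates against the CA the engine embedded in the file. A FAILED result with a self-signed-chain message is the scripted form of the symptom in the debug log: the engine hands out the public CA, but the host side (the x509-dir the qemu-kvm command line points at) is still presenting the engine-generated CA.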