----- Original Message -----
From: "Markus Stockhausen" <stockhausen(a)collogia.de>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: "ovirt-users" <users(a)ovirt.org>
Sent: Sunday, January 12, 2014 8:54:05 PM
Subject: AW: [Users] noVNC with intermediate certificates
> From: Alon Bar-Lev [alonbl(a)redhat.com]
> Sent: Saturday, 11 January 2014 19:56
> To: Markus Stockhausen
> Cc: ovirt-users
> Subject: Re: [Users] noVNC with intermediate certificates
>
> Hi,
>
> Can you please try to specify
>
> SSL_CERTIFICATE=xxx
>
> where xxx contains the complete certificate chain in reverse?
>
> -----BEGIN CERTIFICATE-----
> ... (certificate for your server)...
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> ... (the certificate for the CA)...
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> ... (the root certificate for the CA's issuer)...
> -----END CERTIFICATE-----
>
> Of course you need matching SSL_KEY.
>
> Regards,
> Alon
The tests say:
The intermediate certificate is not really needed. The explanation
is quite simple. If you navigate to the admin page over https
the Apache web server presents the intermediate certificate.
This is temporarily stored in the (Firefox) browser. When you
open the noVNC console it is automatically trusted.
BUT! You will still get a certificate warning if you navigate directly
to https://<server>:6100 after opening the browser.
Nevertheless your hint seems to help. I just added the
intermediate certificate to the standard file
/etc/pki/ovirt-engine/certs/websocket-proxy.cer
and a direct connect to https://<server>:6100 gives
no warnings.
That's great.
Please refrain from overwriting product files, provide your own and modify configuration.
Thanks.
Markus