Oh yeah :)
I mistakenly used a root certificate from a local CA for
/etc/pki/ovirt-engine/apache-ca.pem.
Now I understood, and it works.
Thanks again.
16.08.2016, 16:15, "Jiri Belka" <jbelka(a)redhat.com>:
IMO you "owe" an explanation of what was wrong, so other users
could learn from your mistakes and this mailing-list archive
would thus be beneficial for them when searching for help ;)
Anyway, that's great news!
j.
----- Original Message -----
From: "aleksey maksimov" <aleksey.maksimov(a)it-kb.ru>
To: "Jiri Belka" <jbelka(a)redhat.com>
Cc: "users" <users(a)ovirt.org>
Sent: Tuesday, August 16, 2016 2:59:21 PM
Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser
client -> WebSocket error: Can't connect to websocket on URL:
wss://ovirt.engine.fqdn:6100/
Thank you, Jiri !
I did everything step by step and SPICE HTML5 browser client now works.
16.08.2016, 10:46, "Jiri Belka" <jbelka(a)redhat.com>:
> So,
>
> I used this for my own ca test:
>
> OWN CA AND OWN ENGINE KEY/CRT
> =============================
>
> 0> CA
>
> # awk '/my-/ || $1 ~ /^[^#]*_default/' /etc/pki/tls/openssl.cnf
> certificate = $dir/my-ca.crt # The CA certificate
> crl = $dir/my-ca.crl # The current CRL
> private_key = $dir/private/my-ca.key # The private key
> countryName_default = CZ
> stateOrProvinceName_default = Jihomoravsky kraj
> localityName_default = Brno
> 0.organizationName_default = Shoot them in the head, s. r. o.
>
> touch /etc/pki/CA/index.txt
> echo 01 > /etc/pki/CA/serial
> cd /etc/pki/CA
> (umask 077 ; openssl genrsa -out private/my-ca.key -des3 2048 )
> openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt
>
> 0> engine cert
>
> openssl genrsa -out my-engine.key 4096
> openssl req -new -out my-engine.csr -key my-engine.key
> openssl ca -in my-engine.csr -out my-engine.crt
> # use 'mypass' for p12 bundle export !!!
> openssl pkcs12 -export -out my-engine.p12 -inkey my-engine.key -in my-engine.crt -chain -CAfile /etc/pki/CA/my-ca.crt
>
> 0> existing engine keys/certs/p12 replacement
>
> (follow $engine_url/ovirt-engine/docs/manual/en_US/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html)
>
> rm -f /etc/pki/ovirt-engine/apache-ca.pem
> cp my-engine.crt /etc/pki/ovirt-engine/apache-ca.pem
> cp my-engine.p12 /etc/pki/ovirt-engine/keys/apache.p12
> openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
> openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /etc/pki/ovirt-engine/certs/apache.cer
> install -o ovirt -g ovirt -m 600 /dev/null /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
> # 'changeit' is default java truststore pass on EL
> cat > /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf << EOF
> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="changeit"
> EOF
>
> 0> add custom CA into system truststore after backup
>
> cp /etc/pki/CA/my-ca.crt /etc/pki/ca-trust/source/anchors/CA.crt
> update-ca-trust
>
> 0> check if system truststore knows about custom CA
>
> openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 -noout
> # 'changeit' is default java truststore pass on EL
> keytool -list -keystore /etc/pki/java/cacerts -storepass changeit | grep "$( openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 -noout | sed -e '/SHA1/s/.*=//;' )"
> grep -IR "$(sed -n '2p' /etc/pki/ca-trust/source/anchors/CA.crt)" /etc/pki/ca-trust/extracted/
>
> 0> engine-setup pki configuration check
>
> engine-setup # see if 'PKI CONFIGURATION' section passed without errors
>
> (doctext here https://bugzilla.redhat.com/show_bug.cgi?id=1336838)
>
> And this for websocket proxy:
>
> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
> PROXY_PORT=6100
> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
> SSL_ONLY=True
>
> You can start the websocket proxy manually:
>
> /usr/share/ovirt-engine/services/ovirt-websocket-proxy/ovirt-websocket-proxy.py --help
> Usage: ovirt-websocket-proxy.py [options] start
>
> Options:
> -h, --help show this help message and exit
> -d, --debug debug mode
> --pidfile=FILE pid file to use
> --background Go into the background
> --systemd=SYSTEMD Systemd type simple|notify
> --redirect-output Redirect output of daemon
>
> It is also handy to do:
>
> openssl s_client -connect $websocketproxy_host:6100
>
> j.
>
> ----- Original Message -----
> From: "aleksey maksimov" <aleksey.maksimov(a)it-kb.ru>
> To: "Jiri Belka" <jbelka(a)redhat.com>
> Cc: "users" <users(a)ovirt.org>
> Sent: Tuesday, August 16, 2016 9:33:54 AM
> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5
browser client -> WebSocket error: Can't connect to websocket on URL:
wss://ovirt.engine.fqdn:6100/
>
> Jiri, I did not hide information. Tell me what the log file should show and I will show.
>
> 16.08.2016, 10:29, "Jiri Belka" <jbelka(a)redhat.com>:
>> It does have logs; filenames "hide" real data.
>>
>> You should reveal logs and what each file is and
>> which exact commands you were executing.
>>
>> Vague statements won't help much. It does work for me,
>> there must be something strange in your setup but we
>> cannot know what without details.
>>
>> j.
>>
>> ----- Original Message -----
>> From: "aleksey maksimov" <aleksey.maksimov(a)it-kb.ru>
>> To: "Jiri Belka" <jbelka(a)redhat.com>
>> Cc: "users" <users(a)ovirt.org>
>> Sent: Monday, August 15, 2016 6:18:48 PM
>> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5
browser client -> WebSocket error: Can't connect to websocket on URL:
wss://ovirt.engine.fqdn:6100/
>>
>> I tried Nicolás's version.
>> No success :((
>>
>> 1) I create full bundle cert file:
>>
>> # cat /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/apache-ca.pem > /etc/pki/ovirt-engine/certs/apache-with-ca.cer
>> # openssl verify /etc/pki/ovirt-engine/certs/apache-with-ca.cer
>>
>> /etc/pki/ovirt-engine/certs/apache-with-ca.cer: OK
>>
>> 2) I changed config file:
>>
>> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>
>> PROXY_PORT=6100
>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache-with-ca.cer
>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>> SSL_ONLY=True
>> FORCE_DATA_VERIFICATION=False
>>
>> 3) I restarted the service
>>
>> # service ovirt-websocket-proxy restart
>>
>> Problem still exists :(
>> Any ideas how to troubleshoot the problem?
>>
>> 14.08.2016, 08:59, "aleksey.maksimov(a)it-kb.ru"
<aleksey.maksimov(a)it-kb.ru>:
>>> Hi Jiri.
>>> But your variant does not work either.
>>>
>>> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>> PROXY_PORT=6100
>>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
>>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>> SSL_ONLY=True
>>>
>>> Some error:
>>> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>>>
>>> Any ideas how to troubleshoot the problem?
>>>
>>> 14.08.2016, 01:53, "Jiri Belka" <jbelka(a)redhat.com>:
>>>> I have different files for those variables, maybe this is the case?
>>>>
>>>> Review again.
>>>>
>>>> j.
>>>>
>>>> ----- Original Message -----
>>>> From: "aleksey maksimov" <aleksey.maksimov(a)it-kb.ru>
>>>> To: "Jiri Belka" <jbelka(a)redhat.com>
>>>> Cc: "users" <users(a)ovirt.org>
>>>> Sent: Saturday, August 13, 2016 4:57:45 PM
>>>> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and
SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL:
wss://ovirt.engine.fqdn:6100/
>>>>
>>>> I changed my file /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf to:
>>>>
>>>> PROXY_PORT=6100
>>>> #SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
>>>> #SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
>>>> #CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
>>>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>>> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/apache-ca.pem
>>>> SSL_ONLY=True
>>>>
>>>> ...and restarted the HostedEngine VM.
>>>> The problem still exists.
>>>>
>>>> 13.08.2016, 17:52, "aleksey.maksimov(a)it-kb.ru"
<aleksey.maksimov(a)it-kb.ru>:
>>>>> It does not work for me. Any ideas?
>>>>>
>>>>> 02.08.2016, 17:22, "Jiri Belka"
<jbelka(a)redhat.com>:
>>>>>> This works for me:
>>>>>>
>>>>>> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>>>>> PROXY_PORT=6100
>>>>>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
>>>>>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>>>>> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>>>>> SSL_ONLY=True
>>>>>>
>>>>>> ----- Original Message -----
>>>>>> From: "aleksey maksimov"
<aleksey.maksimov(a)it-kb.ru>
>>>>>> To: "users" <users(a)ovirt.org>
>>>>>> Sent: Monday, August 1, 2016 12:13:38 PM
>>>>>> Subject: [ovirt-users] oVirt 4 with custom SSL-certificate
and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on
URL: wss://ovirt.engine.fqdn:6100/
>>>>>>
>>>>>> Hello oVirt gurus!
>>>>>>
>>>>>> I have successfully replaced the oVirt 4 site SSL certificate according to the instructions from the "Replacing oVirt SSL Certificate"
>>>>>> section in the "oVirt Administration Guide":
>>>>>>
>>>>>> http://www.ovirt.org/documentation/admin-guide/administration-guide/
>>>>>>
>>>>>> 3 files have been replaced:
>>>>>>
>>>>>> /etc/pki/ovirt-engine/certs/apache.cer
>>>>>> /etc/pki/ovirt-engine/keys/apache.key.nopass
>>>>>> /etc/pki/ovirt-engine/apache-ca.pem
>>>>>>
>>>>>> Now the oVirt site is using my certificate and everything works fine, but when I try to use the SPICE HTML5 browser client in Firefox or Chrome I see a
>>>>>> gray screen and this message under the button "Toggle messages output":
>>>>>>
>>>>>> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>>>>>>
>>>>>> Before replacing the certificates, the SPICE HTML5 browser client worked.
>>>>>> The native SPICE client works fine.
>>>>>>
>>>>>> Tell me what to do with the SPICE HTML5 browser client?
>>>>>> _______________________________________________
>>>>>> Users mailing list
>>>>>> Users(a)ovirt.org
>>>>>> http://lists.ovirt.org/mailman/listinfo/users
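Added example, not from this thread or the oVirt project: a POSIX shell check for the mistake resolved at the top of the thread, a root CA certificate placed where the websocket proxy's SSL_CERTIFICATE expects the engine's own end-entity certificate. It builds a throwaway CA and engine certificate with openssl as constructed sample input; the function names and file names are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check the files handed to ovirt-websocket-proxy
# (SSL_CERTIFICATE / SSL_KEY) before restarting the service.
# Function and file names are assumptions, not part of oVirt.

# check_wsproxy_cert CERT KEY CAFILE
# returns 0  CERT is an end-entity cert that matches KEY and chains to CAFILE
#         1  CERT is self-signed or a CA certificate (the mistake in this thread)
#         2  the public key in CERT does not belong to KEY
#         3  CERT does not verify against CAFILE
check_wsproxy_cert() {
    cert=$1; key=$2; cafile=$3
    # 1. A root/CA certificate must not be what the proxy presents to browsers.
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    if [ "$subj" = "$issr" ] || openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        return 1
    fi
    # 2. The SubjectPublicKeyInfo in the cert must equal the key's public half.
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || return 2
    # 3. The cert must chain to the CA that clients (and the Java truststore) trust.
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 || return 3
    return 0
}

# make_sample_pki DIR: constructed throwaway CA + engine cert, sample input only.
make_sample_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ovirt.engine.example" \
        -keyout "$dir/engine.key" -out "$dir/engine.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/engine.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/engine.crt" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_sample_pki "$demo_dir"
# Correct layout: engine cert plus its key, chained to the CA (rc=0).
rc=0; check_wsproxy_cert "$demo_dir/engine.crt" "$demo_dir/engine.key" "$demo_dir/ca.crt" || rc=$?
echo "engine.crt as SSL_CERTIFICATE: rc=$rc"
# The thread's mistake: the root CA cert in place of the engine cert (rc=1).
rc=0; check_wsproxy_cert "$demo_dir/ca.crt" "$demo_dir/engine.key" "$demo_dir/ca.crt" || rc=$?
echo "ca.crt as SSL_CERTIFICATE: rc=$rc"
rm -rf "$demo_dir"
```

On a real engine, run the check against /etc/pki/ovirt-engine/apache-ca.pem, /etc/pki/ovirt-engine/keys/apache.key.nopass and the CA file added to the system truststore before restarting ovirt-websocket-proxy.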