From: "Donny Davis" <donny(a)cloudspin.me&gt; To: "Simone Tiraboschi" <stirabos(a)redhat.com&gt; Cc: users(a)ovirt.org Sent: Friday, February 20, 2015 3:53:04 PM Subject: RE: [ovirt-users] Unable to run noVNC console un recent browsers No, I made my life easy and used nginx to proxy for the websocket. I was then able to use my commercial ssl cert to avoid all of these issues. Using a proxy for a proxy has been working out quite well for cloudspin, because I don't have to mess with anything internal to the engine and noVNC works without issue.

DonnyD -----Original Message----- From: Simone Tiraboschi [mailto:stirabos@redhat.com] Sent: Friday, February 20, 2015 7:03 AM To: Donny Davis Subject: Re: [ovirt-users] Unable to run noVNC console un recent browsers ----- Original Message ----- > From: "Donny Davis" <donny(a)cloudspin.me&gt; > To: "Simone Tiraboschi" <stirabos(a)redhat.com&gt; > Sent: Friday, February 20, 2015 2:23:56 PM > Subject: RE: [ovirt-users] Unable to run noVNC console un recent > browsers > > Is your websocket proxy on the same machine as your engine. I also > get the CA error when the time it off. The proxy throws the error to > /var/log/messages Hi Donny, I'm using the proxy on the same machine where the engine runs. No error till now no my side. I also trusted oVirt internal CA to sign other certs in my browser. Did you? You can find it at https://{engine}/ca.crt You should download it and add to the list of trusted certification authorities in your browser. > -----Original Message----- > From: users-bounces(a)ovirt.org [mailto:users-bounces@ovirt.org] On > Behalf Of Simone Tiraboschi > Sent: Friday, February 20, 2015 5:57 AM > To: Stefano Danzi > Cc: users(a)ovirt.org > Subject: Re: [ovirt-users] Unable to run noVNC console un recent > browsers > > > > ----- Original Message ----- > > From: "Stefano Danzi" <s.danzi(a)hawai.it&gt; > > To: "Darrell Budic" <budic(a)onholyground.com&gt; > > Cc: users(a)ovirt.org > > Sent: Friday, February 20, 2015 9:07:51 AM > > Subject: Re: [ovirt-users] Unable to run noVNC console un recent > > browsers > > > > Hello! > > Already done but this didn't help. > > > > I downloaded a portable version of Firefox 17 and noVNC work as expected. > > > > Il 20/02/2015 5.18, Darrell Budic ha scritto: > > > > > > > > Try reimporting the ca.cert for noVNC by connecting directly to > > the webproxy address at port 6100. Do this by trying to connect to > > a console and then, once the 1006 error shows up, just strip off > > everything after :6100/ . I've found that somewhere in or after > > 3.5, restarting the webproxy causes it to generate its own new > > ca.cert even > through it shouldn't. > > > > -Darrell > > > > > > > > On Feb 19, 2015, at 4:09 PM, Stefano Danzi <s.danzi(a)hawai.it&gt; wrote: > > > > Hello, > > > > I can't make work noVNC console on recent browsers (Chrome 40, > > Firefox > > 35 and IE 11). > > > > The error that I have is already explained here: > > https://forge.univention.org/bugzilla/show_bug.cgi?id=33587 I > > tried to change websocket like suggested ( > > http://errata.univention.de/ucs/3.2/31.html ) but this not helped. > > noVNC 0.5.1 should be soon released in EPEL6/EPEL7 as for [1]. > noVNC 0.5.1 should also improve compatibility with recent browsers. > > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1193454#c3 > > > > Someone know a workaround? > > _______________________________________________ > > Users mailing list Users(a)ovirt.org > > http://lists.ovirt.org/mailman/listinfo/users > > > > > > _______________________________________________ > > Users mailing list > > Users(a)ovirt.org > > http://lists.ovirt.org/mailman/listinfo/users > > > _______________________________________________ > Users mailing list > Users(a)ovirt.org > http://lists.ovirt.org/mailman/listinfo/users > >

From: "Darrell Budic" <budic(a)onholyground.com&gt; To: "Simone Tiraboschi" <stirabos(a)redhat.com&gt; Cc: "users" <users(a)ovirt.org&gt; Sent: Friday, February 20, 2015 5:57:10 PM Subject: Re: [ovirt-users] Unable to run noVNC console un recent browsers I had some trouble with self signed certs in firefox when they switch to the new pkix stuff recently, have you tried setting security.use_mozillapkix_verification to false?

> On Feb 20, 2015, at 8:56 AM, Simone Tiraboschi <stirabos(a)redhat.com&gt; wrote: > > > > ----- Original Message ----- >> From: "Donny Davis" <donny(a)cloudspin.me&gt; >> To: "Simone Tiraboschi" <stirabos(a)redhat.com&gt; >> Cc: users(a)ovirt.org >> Sent: Friday, February 20, 2015 3:53:04 PM >> Subject: RE: [ovirt-users] Unable to run noVNC console un recent browsers >> >> No, I made my life easy and used nginx to proxy for the websocket. I was >> then >> able to use my commercial ssl cert to avoid all of these issues. Using a >> proxy for a proxy has been working out quite well for cloudspin, because I >> don't have to mess with anything internal to the engine and noVNC works >> without issue. > > Yes, using the oVirt internal CA is just the low-profile out of the box > solution. > >> DonnyD >> >> -----Original Message----- >> From: Simone Tiraboschi [mailto:stirabos@redhat.com] >> Sent: Friday, February 20, 2015 7:03 AM >> To: Donny Davis >> Subject: Re: [ovirt-users] Unable to run noVNC console un recent browsers >> >> >> >> ----- Original Message ----- >>> From: "Donny Davis" <donny(a)cloudspin.me&gt; >>> To: "Simone Tiraboschi" <stirabos(a)redhat.com&gt; >>> Sent: Friday, February 20, 2015 2:23:56 PM >>> Subject: RE: [ovirt-users] Unable to run noVNC console un recent >>> browsers >>> >>> Is your websocket proxy on the same machine as your engine. I also get >>> the CA error when the time it off. The proxy throws the error to >>> /var/log/messages >> >> Hi Donny, >> I'm using the proxy on the same machine where the engine runs. >> No error till now no my side. >> >> I also trusted oVirt internal CA to sign other certs in my browser. Did >> you? >> You can find it at https://{engine}/ca.crt >> >> You should download it and add to the list of trusted certification >> authorities in your browser. >> >>> -----Original Message----- >>> From: users-bounces(a)ovirt.org [mailto:users-bounces@ovirt.org] On >>> Behalf Of Simone Tiraboschi >>> Sent: Friday, February 20, 2015 5:57 AM >>> To: Stefano Danzi >>> Cc: users(a)ovirt.org >>> Subject: Re: [ovirt-users] Unable to run noVNC console un recent >>> browsers >>> >>> >>> >>> ----- Original Message ----- >>>> From: "Stefano Danzi" <s.danzi(a)hawai.it&gt; >>>> To: "Darrell Budic" <budic(a)onholyground.com&gt; >>>> Cc: users(a)ovirt.org >>>> Sent: Friday, February 20, 2015 9:07:51 AM >>>> Subject: Re: [ovirt-users] Unable to run noVNC console un recent >>>> browsers >>>> >>>> Hello! >>>> Already done but this didn't help. >>>> >>>> I downloaded a portable version of Firefox 17 and noVNC work as >>>> expected. >>>> >>>> Il 20/02/2015 5.18, Darrell Budic ha scritto: >>>> >>>> >>>> >>>> Try reimporting the ca.cert for noVNC by connecting directly to the >>>> webproxy address at port 6100. Do this by trying to connect to a >>>> console and then, once the 1006 error shows up, just strip off >>>> everything after :6100/ . I've found that somewhere in or after 3.5, >>>> restarting the webproxy causes it to generate its own new ca.cert >>>> even >>> through it shouldn't. >>>> >>>> -Darrell >>>> >>>> >>>> >>>> On Feb 19, 2015, at 4:09 PM, Stefano Danzi <s.danzi(a)hawai.it&gt; wrote: >>>> >>>> Hello, >>>> >>>> I can't make work noVNC console on recent browsers (Chrome 40, >>>> Firefox >>>> 35 and IE 11). >>>> >>>> The error that I have is already explained here: >>>> https://forge.univention.org/bugzilla/show_bug.cgi?id=33587 I tried >>>> to change websocket like suggested ( >>>> http://errata.univention.de/ucs/3.2/31.html ) but this not helped. >>> >>> noVNC 0.5.1 should be soon released in EPEL6/EPEL7 as for [1]. >>> noVNC 0.5.1 should also improve compatibility with recent browsers. >>> >>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1193454#c3 >>> >>> >>>> Someone know a workaround? >>>> _______________________________________________ >>>> Users mailing list Users(a)ovirt.org >>>> http://lists.ovirt.org/mailman/listinfo/users >>>> >>>> >>>> _______________________________________________ >>>> Users mailing list >>>> Users(a)ovirt.org >>>> http://lists.ovirt.org/mailman/listinfo/users >>>> >>> _______________________________________________ >>> Users mailing list >>> Users(a)ovirt.org >>> http://lists.ovirt.org/mailman/listinfo/users >>> >>> >> >> > _______________________________________________ > Users mailing list > Users(a)ovirt.org > http://lists.ovirt.org/mailman/listinfo/users

On Feb 20, 2015, at 11:50 AM, Simone Tiraboschi <stirabos(a)redhat.com&gt; wrote: ----- Original Message ----- > From: "Darrell Budic" <budic(a)onholyground.com&gt; > To: "Simone Tiraboschi" <stirabos(a)redhat.com&gt; > Cc: "users" <users(a)ovirt.org&gt; > Sent: Friday, February 20, 2015 5:57:10 PM > Subject: Re: [ovirt-users] Unable to run noVNC console un recent browsers > > I had some trouble with self signed certs in firefox when they switch to the > new pkix stuff recently, have you tried setting > security.use_mozillapkix_verification to false? The websocket proxy cert is not self-signed: it's normally signed by the internal oVirt CA. >> On Feb 20, 2015, at 8:56 AM, Simone Tiraboschi <stirabos(a)redhat.com&gt; wrote: >> >> >> >> ----- Original Message ----- >>> From: "Donny Davis" <donny(a)cloudspin.me&gt; >>> To: "Simone Tiraboschi" <stirabos(a)redhat.com&gt; >>> Cc: users(a)ovirt.org >>> Sent: Friday, February 20, 2015 3:53:04 PM >>> Subject: RE: [ovirt-users] Unable to run noVNC console un recent browsers >>> >>> No, I made my life easy and used nginx to proxy for the websocket. I was >>> then >>> able to use my commercial ssl cert to avoid all of these issues. Using a >>> proxy for a proxy has been working out quite well for cloudspin, because I >>> don't have to mess with anything internal to the engine and noVNC works >>> without issue. >> >> Yes, using the oVirt internal CA is just the low-profile out of the box >> solution. >> >>> DonnyD >>> >>> -----Original Message----- >>> From: Simone Tiraboschi [mailto:stirabos@redhat.com] >>> Sent: Friday, February 20, 2015 7:03 AM >>> To: Donny Davis >>> Subject: Re: [ovirt-users] Unable to run noVNC console un recent browsers >>> >>> >>> >>> ----- Original Message ----- >>>> From: "Donny Davis" <donny(a)cloudspin.me&gt; >>>> To: "Simone Tiraboschi" <stirabos(a)redhat.com&gt; >>>> Sent: Friday, February 20, 2015 2:23:56 PM >>>> Subject: RE: [ovirt-users] Unable to run noVNC console un recent >>>> browsers >>>> >>>> Is your websocket proxy on the same machine as your engine. I also get >>>> the CA error when the time it off. The proxy throws the error to >>>> /var/log/messages >>> >>> Hi Donny, >>> I'm using the proxy on the same machine where the engine runs. >>> No error till now no my side. >>> >>> I also trusted oVirt internal CA to sign other certs in my browser. Did >>> you? >>> You can find it at https://{engine}/ca.crt >>> >>> You should download it and add to the list of trusted certification >>> authorities in your browser. >>> >>>> -----Original Message----- >>>> From: users-bounces(a)ovirt.org [mailto:users-bounces@ovirt.org] On >>>> Behalf Of Simone Tiraboschi >>>> Sent: Friday, February 20, 2015 5:57 AM >>>> To: Stefano Danzi >>>> Cc: users(a)ovirt.org >>>> Subject: Re: [ovirt-users] Unable to run noVNC console un recent >>>> browsers >>>> >>>> >>>> >>>> ----- Original Message ----- >>>>> From: "Stefano Danzi" <s.danzi(a)hawai.it&gt; >>>>> To: "Darrell Budic" <budic(a)onholyground.com&gt; >>>>> Cc: users(a)ovirt.org >>>>> Sent: Friday, February 20, 2015 9:07:51 AM >>>>> Subject: Re: [ovirt-users] Unable to run noVNC console un recent >>>>> browsers >>>>> >>>>> Hello! >>>>> Already done but this didn't help. >>>>> >>>>> I downloaded a portable version of Firefox 17 and noVNC work as >>>>> expected. >>>>> >>>>> Il 20/02/2015 5.18, Darrell Budic ha scritto: >>>>> >>>>> >>>>> >>>>> Try reimporting the ca.cert for noVNC by connecting directly to the >>>>> webproxy address at port 6100. Do this by trying to connect to a >>>>> console and then, once the 1006 error shows up, just strip off >>>>> everything after :6100/ . I've found that somewhere in or after 3.5, >>>>> restarting the webproxy causes it to generate its own new ca.cert >>>>> even >>>> through it shouldn't. >>>>> >>>>> -Darrell >>>>> >>>>> >>>>> >>>>> On Feb 19, 2015, at 4:09 PM, Stefano Danzi <s.danzi(a)hawai.it&gt; wrote: >>>>> >>>>> Hello, >>>>> >>>>> I can't make work noVNC console on recent browsers (Chrome 40, >>>>> Firefox >>>>> 35 and IE 11). >>>>> >>>>> The error that I have is already explained here: >>>>> https://forge.univention.org/bugzilla/show_bug.cgi?id=33587 I tried >>>>> to change websocket like suggested ( >>>>> http://errata.univention.de/ucs/3.2/31.html ) but this not helped. >>>> >>>> noVNC 0.5.1 should be soon released in EPEL6/EPEL7 as for [1]. >>>> noVNC 0.5.1 should also improve compatibility with recent browsers. >>>> >>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1193454#c3 >>>> >>>> >>>>> Someone know a workaround? >>>>> _______________________________________________ >>>>> Users mailing list Users(a)ovirt.org >>>>> http://lists.ovirt.org/mailman/listinfo/users >>>>> >>>>> >>>>> _______________________________________________ >>>>> Users mailing list >>>>> Users(a)ovirt.org >>>>> http://lists.ovirt.org/mailman/listinfo/users >>>>> >>>> _______________________________________________ >>>> Users mailing list >>>> Users(a)ovirt.org >>>> http://lists.ovirt.org/mailman/listinfo/users >>>> >>>> >>> >>> >> _______________________________________________ >> Users mailing list >> Users(a)ovirt.org >> http://lists.ovirt.org/mailman/listinfo/users > >