It appears I spoke too soon, even though I can now get into the ovirt portal, I can't connect with the spice console. Even after recopying the cert and key over and restarting the service.

This had nothing to do with LDAP or anything, just trying to change the cert to a 3rd party signed one. Until I did those two steps I was unable to sign into the portal, as I just had a java error every time, it had nothing to do with LDAP. For me, that SSL document is really confusing because it's not clear how some parts of the certs require full chain, some parts are just the actual 3rd party cert, and some parts it seems like it says "CA" cert, does it mean the root cert? or does it just mean the 3rd party cert you're installing? does it require a p12 file? the article says "we suggest storing .p12 here" but it doesn't say "you must put your .p12 here". Right now it works, sort of. I'm able to sign into portal, but i'm unable to connect to any of the VM consoles. I don't know where to go from here, the article says nothing about SPICE, is spice also supposed to work after the cert change? or is that part of another article that we can't see? Is a cert placed wrong? When I try to connect to a console, it errors out with "could not connect to server". The log on the VM host says: (process:31241): Spice-WARNING **: 14:04:43.782: reds-stream.c:469:reds_stream_ssl_accept: SSL_accept failed, error=1 139940713029056:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1493:SSL alert number 48 in the engine server.log: 2019-05-04 20:09:55,479-04 INFO [org.apache.commons.httpclient.HttpMethodBase] (EE-ManagedThreadFactory-engine-Thread-14097) Response content length is not known and the .vv file from ovirt looks like this, it has a private cert, for the host, but the 3rd part for the host? Is this right? What about a proxy? does that come into play? Did i miss a cert? [virt-viewer] type=spice host=172.16.x.x port=5901 password=zYhIyn7/zVju # Password is valid for 120 seconds. delete-this-file=1 fullscreen=0 title=ADFSTwo:%d toggle-fullscreen=shift+f11 release-cursor=shift+f12 secure-attention=ctrl+alt+end tls-port=5902 enable-smartcard=0 enable-usb-autoshare=1 usb-filter=-1,-1,-1,-1,0 tls-ciphers=DEFAULT host-subject=<private cert CA name> ca=-----BEGIN CERTIFICATE-----\nMIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx\nGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkds\nb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNV\nBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYD\nVQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa\nDuaZjc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6sc\nTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb\nKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdGsnUOhugZitVtbNV4FpWi6cgKOOvyJBNP\nc1STE4U6G7weNLWLBYy5d4ux2x8gkasJU26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrX\ngzT/LCrBbBlDSgeF59N89iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV\nHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0BAQUF\nAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOzyj1hTdNGCbM+w6Dj\nY1Ub8rrvrTnhQ7k4o+YviiY776BQVv nGCv04zcQLcFGUl5gE38NflNUVyRRBnMRddWQVDf9VMOyG\nj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymPAbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhH\nhm4qxFYxldBniYUr+WymXUadDKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveC\nX4XSQRjbgbMEHMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==\n-----END CERTIFICATE-----\n secure-channels=main;inputs;cursor;playback;record;display;smartcard;usbredir versions=rhev-win64:2.0-160;rhev-win32:2.0-160;rhel7:2.0-6;rhel6:99.0-1 newer-version-url=http://www.ovirt.org/documentation/admin-guide/virt/console-client-resources [ovirt] host=ovirt.wanderingmad.com:443 vm-guid=8779c8b7-18e8-49ef-aff4-d84609a519a3 sso-token=fjTGwB266hsU57uyOffllkPYG2m2wnaZnQJlUswKL3bYg9YM7rOfJ3QH-aBMibqbQsCEiV7AzPn39AWz40p_SA admin=1 should I replace certs on the host?