Hi,
Can you please try to specify
SSL_CERTIFICATE=xxx
where xxx contains the complete certificate chain in reverse?
-----BEGIN CERTIFICATE-----
... (certificate for your server)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the certificate for the CA)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the root certificate for the CA's issuer)...
-----END CERTIFICATE-----
Of course you need matching SSL_KEY.
Regards,
Alon
----- Original Message -----
From: "Markus Stockhausen" <stockhausen(a)collogia.de>
To: "ovirt-users" <users(a)ovirt.org>
Sent: Friday, January 10, 2014 10:47:09 PM
Subject: [Users] noVNC with intermediate certificates
Hello,
after configuring noVNC websocket proxy I would like to load
an officially signed certificate into it. Otherwise I would always
have to accept the self-signed certificate on port 6100. See here:
http://lists.ovirt.org/pipermail/users/2013-October/017108.html
From the configuration file I know where to place the signed
certificate but our generated certificates depend on intermediate
certificates. At the moment I'm missing the option to load/advertise
that intermediate certificate.
# cat /ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
PROXY_PORT=6100
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
FORCE_DATA_VERIFICATION=True
CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
SSL_ONLY=True
In Apache I usually go with:
SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer
SSLCertificateKeyFile /etc/pki/ovirt-engine/keys/apache.key.nopass
SSLCertificateChainFile /etc/pki/ovirt-engine/certs/server-chain.crt
Any tips?
Markus