Hi, Can you please try to specify SSL_CERTIFICATE=xxx where xx contains the complete certificate chain in reverse? -----BEGIN CERTIFICATE----- ... (certificate for your server)... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... (the certificate for the CA)... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... (the root certificate for the CA's issuer)... -----END CERTIFICATE----- Of course you need matching SSL_KEY. Regards, Alon ----- Original Message -----
From: "Markus Stockhausen" <stockhausen@collogia.de> To: "ovirt-users" <users@ovirt.org> Sent: Friday, January 10, 2014 10:47:09 PM Subject: [Users] noVNC with intermediate certificates
Hello,
after configuring noVNC websocket proxy I would like to load an offically signed certificate into it. Otherwise I would always have to accept the self signed certificate on port 6100. See here:
http://lists.ovirt.org/pipermail/users/2013-October/017108.html
From the configuration file I know where to place the signed certificate but our generated certificates depend on intermediate certificates. Ah the moment I'm missing the option to load/advertise that intermediate certificate.
# cat /ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf PROXY_PORT=6100 SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass FORCE_DATA_VERIFICATION=True CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer SSL_ONLY=True
In apache I usally go with:
SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer SSLCertificateKeyFile /etc/pki/ovirt-engine/keys/apache.key.nopass SSLCertificateChainFile /etc/pki/ovirt-engine/certs/server-chain.crt
Any tips?
Markus
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users