Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

Tuesday, 16 August 2016

So,

I used this for my own ca test:

OWN CA AND OWN ENGINE KEY/CRT
=============================

0> CA

# awk '/my-/ || $1 ~ /^[^#]*_default/' /etc/pki/tls/openssl.cnf
certificate     = $dir/my-ca.crt        # The CA certificate
crl             = $dir/my-ca.crl                # The current CRL
private_key     = $dir/private/my-ca.key # The private key
countryName_default             = CZ
stateOrProvinceName_default     = Jihomoravsky kraj
localityName_default            = Brno
0.organizationName_default      = Shoot them in the head, s. r. o.

touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
cd /etc/pki/CA
(umask 077 ; openssl genrsa -out private/my-ca.key -des3 2048 )
openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt

0> engine cert

openssl genrsa -out my-engine.key 4096
openssl req -new -out my-engine.csr -key my-engine.key
openssl ca -in my-engine.csr -out my-engine.crt
# use 'mypass' for p12 bundle export !!!
openssl pkcs12 -export -out my-engine.p12 -inkey my-engine.key -in my-engine.crt -chain
-CAfile /etc/pki/CA/my-ca.crt

0> existing engine keys/certs/p12 replacement

(follow
$engine_url/ovirt-engine/docs/manual/en_US/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html)

rm -f /etc/pki/ovirt-engine/apache-ca.pem
cp my-engine.crt /etc/pki/ovirt-engine/apache-ca.pem
cp my-engine.p12 /etc/pki/ovirt-engine/keys/apache.p12
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes >
/etc/pki/ovirt-engine/keys/apache.key.nopass
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys >
/etc/pki/ovirt-engine/certs/apache.cer
install -o ovirt -g ovirt -m 600 /dev/null
/etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
# 'changeit' is default java truststore pass on EL
cat > /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf << EOF
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="changeit"
EOF

0> add custom CA into system truststore after backup

cp /etc/pki/CA/my-ca.crt /etc/pki/ca-trust/source/anchors/CA.crt
update-ca-trust

0> check if system truststore knows about custom CA

openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 -noout
# 'changeit' is default java truststore pass on EL
keytool -list -keystore /etc/pki/java/cacerts -storepass changeit | grep "$( openssl
x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 -noout | sed -e
'/SHA1/s/.*=//;' )"
grep -IR "$(sed -n '2p' /etc/pki/ca-trust/source/anchors/CA.crt)"
/etc/pki/ca-trust/extracted/

0> engine-setup pki configuration check

engine-setup # see if 'PKI CONFIGURATION' section passed without errors

(doctext here https://bugzilla.redhat.com/show_bug.cgi?id=1336838)

And this for websocket proxy:

# cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
PROXY_PORT=6100
SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
SSL_ONLY=True

You can start manually websocket proxy:

/usr/share/ovirt-engine/services/ovirt-websocket-proxy/ovirt-websocket-proxy.py --help
Usage: ovirt-websocket-proxy.py [options] start

Options:
  -h, --help         show this help message and exit
  -d, --debug        debug mode
  --pidfile=FILE     pid file to use
  --background       Go into the background
  --systemd=SYSTEMD  Systemd type simple|notify
  --redirect-output  Redirect output of daemon

It is also handy to do:

openssl s_client -connect $websocketproxy_host:6100

j.

----- Original Message -----
From: "aleksey maksimov" <aleksey.maksimov(a)it-kb.ru&gt;
To: "Jiri Belka" <jbelka(a)redhat.com&gt;
Cc: "users" <users(a)ovirt.org&gt;
Sent: Tuesday, August 16, 2016 9:33:54 AM
Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser
client -> WebSocket error: Can't connect to websocket on URL:
wss://ovirt.engine.fqdn:6100/

Jiri, I did not hide information. Tell me what the log file should show and I will show

16.08.2016, 10:29, "Jiri Belka" <jbelka(a)redhat.com&gt;:
...
 It does have logs, filenames "hide" real data.

 You should reveal logs and what each file is and
 which exact commands you were executing.

 Vague statements won't help much. It does work for me,
 there much be something strange in your setup but we
 cannot know what without details.

 j.

 ----- Original Message -----
 From: "aleksey maksimov" <aleksey.maksimov(a)it-kb.ru&gt;
 To: "Jiri Belka" <jbelka(a)redhat.com&gt;
 Cc: "users" <users(a)ovirt.org&gt;
 Sent: Monday, August 15, 2016 6:18:48 PM
 Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser
client -> WebSocket error: Can't connect to websocket on URL:
wss://ovirt.engine.fqdn:6100/

 I tried a version of Nicolás.
 No success :((

 1) I create full bundle cert file:

 # cat /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/apache-ca.pem >
/etc/pki/ovirt-engine/certs/apache-with-ca.cer
 # openssl verify /etc/pki/ovirt-engine/certs/apache-with-ca.cer

 /etc/pki/ovirt-engine/certs/apache-with-ca.cer: OK

 2) I changed config file:

 # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf

 PROXY_PORT=6100
 SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache-with-ca.cer
 SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
 SSL_ONLY=True
 FORCE_DATA_VERIFICATION=False

 3) I restarted the service

 # service ovirt-websocket-proxy restart

 Problem still exists :(
 Any ideas how to trablshut problem?

 14.08.2016, 08:59, &quot;aleksey.maksimov(a)it-kb.ru&quot;
<aleksey.maksimov(a)it-kb.ru&gt;:
>  Hi Jiri.
>  But your variant does not work, too
>
>  # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>  PROXY_PORT=6100
>  SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
>  SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>  CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>  SSL_ONLY=True
>
>  Some error:
>  WebSocket error: Can't connect to websocket on URL:
wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>
>  any ideas how to trablshut problem?
>
>  14.08.2016, 01:53, "Jiri Belka" <jbelka(a)redhat.com&gt;:
>>   I have different files for those variables, maybe this is the case?
>>
>>   Review again.
>>
>>   j.
>>
>>   ----- Original Message -----
>>   From: "aleksey maksimov" <aleksey.maksimov(a)it-kb.ru&gt;
>>   To: "Jiri Belka" <jbelka(a)redhat.com&gt;
>>   Cc: "users" <users(a)ovirt.org&gt;
>>   Sent: Saturday, August 13, 2016 4:57:45 PM
>>   Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5
browser client -> WebSocket error: Can't connect to websocket on URL:
wss://ovirt.engine.fqdn:6100/
>>
>>   I changed my file /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
to:
>>
>>   PROXY_PORT=6100
>>   #SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
>>   #SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
>>   #CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>   SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
>>   SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>   CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/apache-ca.pem
>>   SSL_ONLY=True
>>
>>   ...and restart HostedEngine VM.
>>   Problem still exists.
>>
>>   13.08.2016, 17:52, &quot;aleksey.maksimov(a)it-kb.ru&quot;
<aleksey.maksimov(a)it-kb.ru&gt;:
>>>    It does not work for me. any ideas?
>>>
>>>    02.08.2016, 17:22, "Jiri Belka" <jbelka(a)redhat.com&gt;:
>>>>     This works for me:
>>>>
>>>>     # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>>>     PROXY_PORT=6100
>>>>     SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
>>>>     SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>>>     CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>>>     SSL_ONLY=True
>>>>
>>>>     ----- Original Message -----
>>>>     From: "aleksey maksimov" <aleksey.maksimov(a)it-kb.ru&gt;
>>>>     To: "users" <users(a)ovirt.org&gt;
>>>>     Sent: Monday, August 1, 2016 12:13:38 PM
>>>>     Subject: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE
HTML5 browser client -> WebSocket error: Can't connect to websocket on URL:
wss://ovirt.engine.fqdn:6100/
>>>>
>>>>     Hello oVirt guru`s !
>>>>
>>>>     I have successfully replaced the oVirt 4 site SSL-certificate
according to the instructions from "Replacing oVirt SSL Certificate"
>>>>     section in "oVirt Administration Guide"
>>>>     http://www.ovirt.org/documentation/admin-guide/administration-guide/
>>>>
>>>>     3 files have been replaced:
>>>>
>>>>     /etc/pki/ovirt-engine/certs/apache.cer
>>>>     /etc/pki/ovirt-engine/keys/apache.key.nopass
>>>>     /etc/pki/ovirt-engine/apache-ca.pem
>>>>
>>>>     Now the oVirt site using my certificate and everything works fine,
but when I try to use SPICE HTML5 browser client in Firefox or Chrome I see a gray screen
and message under the button "Toggle messages output":
>>>>
>>>>     WebSocket error: Can't connect to websocket on URL:
wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>>>>
>>>>     Before replacing certificates SPICE HTML5 browser client works.
>>>>     Native SPICE client works fine.
>>>>
>>>>     Tell me what to do with SPICE HTML5 browser client?
>>>>     _______________________________________________
>>>>     Users mailing list
>>>>     Users(a)ovirt.org
>>>>     http://lists.ovirt.org/mailman/listinfo/users 

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/