
So, I used this for my own CA test:

OWN CA AND OWN ENGINE KEY/CRT
=============================

0> CA

# awk '/my-/ || $1 ~ /^[^#]*_default/' /etc/pki/tls/openssl.cnf
certificate     = $dir/my-ca.crt          # The CA certificate
crl             = $dir/my-ca.crl          # The current CRL
private_key     = $dir/private/my-ca.key  # The private key
countryName_default             = CZ
stateOrProvinceName_default     = Jihomoravsky kraj
localityName_default            = Brno
0.organizationName_default      = Shoot them in the head, s. r. o.

touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
cd /etc/pki/CA
(umask 077 ; openssl genrsa -out private/my-ca.key -des3 2048 )
openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt

0> engine cert

openssl genrsa -out my-engine.key 4096
openssl req -new -out my-engine.csr -key my-engine.key
openssl ca -in my-engine.csr -out my-engine.crt
# use 'mypass' for p12 bundle export !!!
openssl pkcs12 -export -out my-engine.p12 -inkey my-engine.key -in my-engine.crt -chain -CAfile /etc/pki/CA/my-ca.crt

0> existing engine keys/certs/p12 replacement
   (follow $engine_url/ovirt-engine/docs/manual/en_US/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html)

rm -f /etc/pki/ovirt-engine/apache-ca.pem
cp my-engine.crt /etc/pki/ovirt-engine/apache-ca.pem
cp my-engine.p12 /etc/pki/ovirt-engine/keys/apache.p12
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /etc/pki/ovirt-engine/certs/apache.cer
install -o ovirt -g ovirt -m 600 /dev/null /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
# 'changeit' is default java truststore pass on EL
cat > /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf << EOF
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="changeit"
EOF

0> add custom CA into system truststore after backup

cp /etc/pki/CA/my-ca.crt /etc/pki/ca-trust/source/anchors/CA.crt
update-ca-trust

0> check if system truststore knows about custom CA

openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 -noout
# 'changeit' is default java truststore pass on EL
keytool -list -keystore /etc/pki/java/cacerts -storepass changeit | grep "$( openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 -noout | sed -e '/SHA1/s/.*=//;' )"
grep -IR "$(sed -n '2p' /etc/pki/ca-trust/source/anchors/CA.crt)" /etc/pki/ca-trust/extracted/

0> engine-setup pki configuration check

engine-setup
# see if 'PKI CONFIGURATION' section passed without errors
# (doctext here https://bugzilla.redhat.com/show_bug.cgi?id=1336838)

And this for the websocket proxy:

# cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
PROXY_PORT=6100
SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
SSL_ONLY=True

You can start the websocket proxy manually:

/usr/share/ovirt-engine/services/ovirt-websocket-proxy/ovirt-websocket-proxy.py --help
Usage: ovirt-websocket-proxy.py [options] start

Options:
  -h, --help            show this help message and exit
  -d, --debug           debug mode
  --pidfile=FILE        pid file to use
  --background          Go into the background
  --systemd=SYSTEMD     Systemd type simple|notify
  --redirect-output     Redirect output of daemon

It is also handy to do:

openssl s_client -connect $websocketproxy_host:6100

j.

----- Original Message -----
From: "aleksey maksimov" <aleksey.maksimov@it-kb.ru>
To: "Jiri Belka" <jbelka@redhat.com>
Cc: "users" <users@ovirt.org>
Sent: Tuesday, August 16, 2016 9:33:54 AM
Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

Jiri, I did not hide information. Tell me what the log file should show and I will show it.

16.08.2016, 10:29, "Jiri Belka" <jbelka@redhat.com>:
It does have logs, filenames "hide" real data.
You should reveal logs and what each file is and which exact commands you were executing.
Vague statements won't help much. It does work for me; there must be something strange in your setup, but we cannot know what without details.
j.
----- Original Message -----
From: "aleksey maksimov" <aleksey.maksimov@it-kb.ru>
To: "Jiri Belka" <jbelka@redhat.com>
Cc: "users" <users@ovirt.org>
Sent: Monday, August 15, 2016 6:18:48 PM
Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/
I tried a version of Nicolás. No success :((
1) I create full bundle cert file:
# cat /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/apache-ca.pem > /etc/pki/ovirt-engine/certs/apache-with-ca.cer
# openssl verify /etc/pki/ovirt-engine/certs/apache-with-ca.cer
/etc/pki/ovirt-engine/certs/apache-with-ca.cer: OK
2) I changed config file:
# cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
PROXY_PORT=6100
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache-with-ca.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
SSL_ONLY=True
FORCE_DATA_VERIFICATION=False
3) I restarted the service
# service ovirt-websocket-proxy restart
Problem still exists :( Any ideas how to troubleshoot the problem?
14.08.2016, 08:59, "aleksey.maksimov@it-kb.ru" <aleksey.maksimov@it-kb.ru>:
Hi Jiri. But your variant does not work either.
# cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
PROXY_PORT=6100
SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
SSL_ONLY=True
Some error: WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
Any ideas how to troubleshoot the problem?
14.08.2016, 01:53, "Jiri Belka" <jbelka@redhat.com>:
I have different files for those variables, maybe this is the case?
Review again.
j.
----- Original Message -----
From: "aleksey maksimov" <aleksey.maksimov@it-kb.ru>
To: "Jiri Belka" <jbelka@redhat.com>
Cc: "users" <users@ovirt.org>
Sent: Saturday, August 13, 2016 4:57:45 PM
Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/
I changed my file /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf to:
PROXY_PORT=6100
#SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
#SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
#CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/apache-ca.pem
SSL_ONLY=True
...and restarted the HostedEngine VM. Problem still exists.
13.08.2016, 17:52, "aleksey.maksimov@it-kb.ru" <aleksey.maksimov@it-kb.ru>:
It does not work for me. Any ideas?
02.08.2016, 17:22, "Jiri Belka" <jbelka@redhat.com>:
This works for me:
# cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
PROXY_PORT=6100
SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
SSL_ONLY=True
----- Original Message -----
From: "aleksey maksimov" <aleksey.maksimov@it-kb.ru>
To: "users" <users@ovirt.org>
Sent: Monday, August 1, 2016 12:13:38 PM
Subject: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/
Hello oVirt gurus!
I have successfully replaced the oVirt 4 site SSL-certificate according to the instructions from "Replacing oVirt SSL Certificate" section in "oVirt Administration Guide" http://www.ovirt.org/documentation/admin-guide/administration-guide/
3 files have been replaced:
/etc/pki/ovirt-engine/certs/apache.cer
/etc/pki/ovirt-engine/keys/apache.key.nopass
/etc/pki/ovirt-engine/apache-ca.pem
Now the oVirt site is using my certificate and everything works fine, but when I try to use the SPICE HTML5 browser client in Firefox or Chrome I see a gray screen and this message under the "Toggle messages output" button:
WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
Before replacing certificates SPICE HTML5 browser client works. Native SPICE client works fine.
Tell me what to do with the SPICE HTML5 browser client?

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
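The websocket-proxy config at the top of this thread names three files (SSL_CERTIFICATE, SSL_KEY and the CA that issued the certificate), and the thread turns on whether those files actually belong together. The script below is an added example, not code from the thread or from oVirt: it builds a throwaway CA and leaf certificate, then checks a 10-setup.conf-style file for a key/certificate mismatch, chain validity and the engine FQDN; the name engine.example.test and all file names are constructed.

```shell
# Added example (not from the thread or oVirt): consistency checks for the files an
# ovirt-websocket-proxy 10-setup.conf points at, run against a throwaway CA/leaf pair
# built below so it works offline. "engine.example.test" and all paths are made up.
set -eu

# Returns 0 when cert, key and CA are consistent for fqdn, 1 otherwise.
check_tls_files() {
    cert="$1"; key="$2"; ca="$3"; fqdn="$4"
    # 1) the private key must belong to the certificate: compare SubjectPublicKeyInfo
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: $key is not the key of $cert"; return 1; }
    # 2) the certificate must chain to the CA, be valid now and match the hostname
    openssl verify -CAfile "$ca" -verify_hostname "$fqdn" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not verify against $ca for $fqdn"; return 1; }
    echo "OK: $cert / $key / $ca are consistent for $fqdn"
}

# Pull SSL_CERTIFICATE and SSL_KEY out of a 10-setup.conf-style file (the ^ anchor
# skips commented-out lines such as '#SSL_KEY=...') and check them against the CA.
check_proxy_conf() {
    conf="$1"; ca="$2"; fqdn="$3"
    cert=$(sed -n 's/^SSL_CERTIFICATE=//p' "$conf")
    key=$(sed -n 's/^SSL_KEY=//p' "$conf")
    check_tls_files "$cert" "$key" "$ca" "$fqdn"
}

# Build a constructed test PKI in $1: a CA, a leaf for $2, and an unrelated key.
make_test_pki() {
    dir="$1"; fqdn="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.ext"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/san.ext" -out "$dir/leaf.crt" 2>/dev/null
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
}

# Stand-alone demo: a correct config passes, one pointing SSL_KEY at a foreign key fails.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir" engine.example.test
printf 'PROXY_PORT=6100\nSSL_CERTIFICATE=%s/leaf.crt\nSSL_KEY=%s/leaf.key\nSSL_ONLY=True\n' \
    "$demo_dir" "$demo_dir" > "$demo_dir/good.conf"
printf 'PROXY_PORT=6100\nSSL_CERTIFICATE=%s/leaf.crt\nSSL_KEY=%s/other.key\nSSL_ONLY=True\n' \
    "$demo_dir" "$demo_dir" > "$demo_dir/bad.conf"
check_proxy_conf "$demo_dir/good.conf" "$demo_dir/ca.crt" engine.example.test
check_proxy_conf "$demo_dir/bad.conf" "$demo_dir/ca.crt" engine.example.test || true  # expected FAIL
```

To run the same checks on a live engine, point check_proxy_conf at the real /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf, the CA that issued apache.cer, and the engine FQDN.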