[ovirt-users] Re: console breaks with signed SSL certs

I assume you are working on linux (for windows you will need to ssh to a linux box or even one ofthe Hosts). When you download the 'console.vv' file for Spice connection - you will have to note several stuff: - host - tls-port (not the plain 'port=' !!! ) - ca Process the CA and replace the '\n' with new lines . Then you can run: openssl s_client -connect <host>:<tls-port> -CAfile <path-to-ca-with-newlines> -showcerts Then you can inspect the certificate chain. I would then grep for the strings from openssl in the engine. In my case I find these containing the line with the 'issuer': /etc/pki/ovirt-engine/certs/websocket-proxy.cer /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/reports.cer /etc/pki/ovirt-engine/certs/imageio-proxy.cer /etc/pki/ovirt-engine/certs/ovn-ndb.cer /etc/pki/ovirt-engine/certs/ovn-sdb.cer /etc/pki/ovirt-engine/certs/ovirt-provider-ovn.cer Happy Hunting! Best Regards, Strahil Nikolov В вторник, 22 септември 2020 г., 21:52:10 Гринуич+3, Philip Brown <pbrown(a)medata.com&gt; написа: More detail on the problem. after starting remote-viewer  --debug, I get (remote-viewer.exe:18308): virt-viewer-DEBUG: 11:45:30.594: New spice channel 000000000608B240 SpiceMainChannel 0 (remote-viewer.exe:18308): virt-viewer-DEBUG: 11:45:30.594: notebook show status 0000000003479130 (remote-viewer.exe:18308): Spice-WARNING **: 11:45:30.691: ../subprojects/spice-common/common/ssl_verify.c:444:openssl_verify: Error in certificate chain verification: self signed certificate in certificate chain (num=19:depth1:/C=US/O=xxxxxxxxxx.65101) (remote-viewer.exe:18308): GSpice-WARNING **: 11:45:30.692: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1) (remote-viewer.exe:18308): virt-viewer-DEBUG: 11:45:30.693: Destroy SPICE channel SpiceMainChannel 0 So it seems like there's some additional thing that needs telling to use the official signed cert. Any clues for me please? _______________________________________________ Users mailing list -- users(a)ovirt.org To unsubscribe send an email to users-leave(a)ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/VKSX7CLJ4N7...