On 15/08/16 at 17:18, aleksey.maksimov(a)it-kb.ru wrote:
I tried a version of Nicolás.
No success :((
1) I create full bundle cert file:
# cat /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/apache-ca.pem > /etc/pki/ovirt-engine/certs/apache-with-ca.cer
# openssl verify /etc/pki/ovirt-engine/certs/apache-with-ca.cer
/etc/pki/ovirt-engine/certs/apache-with-ca.cer: OK

In our case, the private certificate is stored in /etc/ssl/private and
has 640 permissions for root:ssl-cert. If this is where your private
key is stored or you have it in a permission-restricted directory, you
should take this into consideration: The cert will be read by the 'ovirt'
user, so you need to make sure the ovirt user has the secondary ssl-cert
group assigned. You can check that by running:

groups ovirt

If ssl-cert is not listed there, you might run:

usermod -aG ssl-cert ovirt

That will append the ssl-cert group to the ovirt user. If you had to run it,
you'll need to restart both ovirt-websocket-proxy and ovirt-engine daemons.

Regards.

2) I changed config file:
# cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
PROXY_PORT=6100
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache-with-ca.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
SSL_ONLY=True
FORCE_DATA_VERIFICATION=False
3) I restarted the service
# service ovirt-websocket-proxy restart
Problem still exists :(
Any ideas how to troubleshoot the problem?
14.08.2016, 08:59, "aleksey.maksimov(a)it-kb.ru" <aleksey.maksimov(a)it-kb.ru>:
> Hi Jiri.
> But your variant does not work either
>
> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
> PROXY_PORT=6100
> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
> SSL_ONLY=True
>
> Some error:
> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>
> Any ideas how to troubleshoot the problem?
>
> 14.08.2016, 01:53, "Jiri Belka" <jbelka(a)redhat.com>:
>> I have different files for those variables, maybe this is the case?
>>
>> Review again.
>>
>> j.
>>
>> ----- Original Message -----
>> From: "aleksey maksimov" <aleksey.maksimov(a)it-kb.ru>
>> To: "Jiri Belka" <jbelka(a)redhat.com>
>> Cc: "users" <users(a)ovirt.org>
>> Sent: Saturday, August 13, 2016 4:57:45 PM
>> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/
>>
>> I changed my file /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf to:
>>
>> PROXY_PORT=6100
>> #SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
>> #SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
>> #CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/apache-ca.pem
>> SSL_ONLY=True
>>
>> ...and restart HostedEngine VM.
>> Problem still exists.
>>
>> 13.08.2016, 17:52, "aleksey.maksimov(a)it-kb.ru" <aleksey.maksimov(a)it-kb.ru>:
>>> It does not work for me. any ideas?
>>>
>>> 02.08.2016, 17:22, "Jiri Belka" <jbelka(a)redhat.com>:
>>>> This works for me:
>>>>
>>>> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>>> PROXY_PORT=6100
>>>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
>>>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>>> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>>> SSL_ONLY=True
>>>>
>>>> ----- Original Message -----
>>>> From: "aleksey maksimov" <aleksey.maksimov(a)it-kb.ru>
>>>> To: "users" <users(a)ovirt.org>
>>>> Sent: Monday, August 1, 2016 12:13:38 PM
>>>> Subject: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/
>>>>
>>>> Hello oVirt gurus!
>>>>
>>>> I have successfully replaced the oVirt 4 site SSL-certificate according to the instructions from the "Replacing oVirt SSL Certificate"
>>>> section in the "oVirt Administration Guide"
>>>>
>>>> http://www.ovirt.org/documentation/admin-guide/administration-guide/
>>>>
>>>> 3 files have been replaced:
>>>>
>>>> /etc/pki/ovirt-engine/certs/apache.cer
>>>> /etc/pki/ovirt-engine/keys/apache.key.nopass
>>>> /etc/pki/ovirt-engine/apache-ca.pem
>>>>
>>>> Now the oVirt site is using my certificate and everything works fine, but when I try to use SPICE HTML5 browser client in Firefox or Chrome I see a gray screen and message under the button "Toggle messages output":
>>>>
>>>> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>>>>
>>>> Before replacing certificates SPICE HTML5 browser client works.
>>>> Native SPICE client works fine.
>>>>
>>>> Tell me what to do with SPICE HTML5 browser client?
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users(a)ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
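
The group-membership check from Nicolás's reply, extended to every directory on the way to the key file named by SSL_KEY. This is an added example, not part of the original thread: the function names conf_value, has_bit and check_access are hypothetical, GNU stat(1) is assumed, and the 'ovirt' account and the config path are the ones quoted in the messages.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat(1) and id(1).

# conf_value FILE KEY: last uncommented KEY=value in a conf.d file.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# has_bit MODE OWNER GROUP USER "USER_GROUPS" BIT
# MODE is stat's octal mode without a leading zero (640); BIT is 4 (read) or 1 (search).
# Picks the owner, group or other digit as the kernel does and tests BIT.
has_bit() {
    [ "$4" = root ] && return 0              # root bypasses read/search checks
    mode=$(printf '%03d' "$(( $1 % 1000 ))") # drop setuid/setgid/sticky digit
    if [ "$4" = "$2" ]; then
        d=${mode%??}
    else
        case " $5 " in
            *" $3 "*) d=${mode#?}; d=${d%?} ;;
            *)        d=${mode#??} ;;
        esac
    fi
    [ $(( d & $6 )) -ne 0 ]
}

# check_access USER PATH: read on the file, search on every parent directory.
# Returns 0 if allowed, 1 at the first component that denies, 2 on lookup errors.
check_access() {
    user=$1 p=$2 need=4
    ugroups=$(id -nG "$user") || return 2
    while :; do
        st=$(stat -L -c '%a %U %G' "$p") || return 2
        set -- $st
        if ! has_bit "$1" "$2" "$3" "$user" "$ugroups" "$need"; then
            echo "DENIED: $user at $p (mode $1, owner $2, group $3)"
            return 1
        fi
        case $p in /|.) return 0 ;; esac
        p=$(dirname "$p") need=1
    done
}

# Defaults are the file and account named in the thread; override with $1 and $2.
CONF=${1:-/etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf}
if [ -r "$CONF" ]; then
    check_access "${2:-ovirt}" "$(conf_value "$CONF" SSL_KEY)" && echo "key readable"
fi
```

The check covers classic mode bits only, so POSIX ACLs and SELinux policy can still change the outcome. A running daemon keeps the group list it started with, which is why the reply asks for a restart after usermod.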