
----- Original Message -----
From: "Markus Stockhausen" <stockhausen@collogia.de>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: "ovirt-users" <users@ovirt.org>
Sent: Sunday, January 12, 2014 8:54:05 PM
Subject: AW: [Users] noVNC with intermediate certificates

From: Alon Bar-Lev [alonbl@redhat.com]
Sent: Saturday, January 11, 2014 19:56
To: Markus Stockhausen
Cc: ovirt-users
Subject: Re: [Users] noVNC with intermediate certificates

Hi,
Can you please try to specify
SSL_CERTIFICATE=xxx
where xxx contains the complete certificate chain in reverse?
-----BEGIN CERTIFICATE-----
... (certificate for your server)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the certificate for the CA)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the root certificate for the CA's issuer)...
-----END CERTIFICATE-----
Of course you need matching SSL_KEY.
Regards, Alon
The tests say:
The intermediate certificate is not really needed. The explanation is quite simple. If you navigate to the admin page over https the Apache web server presents the intermediate certificate. This is temporarily stored in the (Firefox) browser. When you open the noVNC console it is automatically trusted.
BUT! You will still get a certificate warning if you navigate directly to https://<server>:6100 after opening the browser.
Nevertheless your hint seems to help. I just added the intermediate certificate to the standard file /etc/pki/ovirt-engine/certs/websocket-proxy.cer and a direct connect to https://<server>:6100 gives no warnings.
That's great. Please refrain from overwriting product files, provide your own and modify configuration.
Thanks.
Markus
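
Added example, not part of the original thread: a way to check that a chain file like the one described above is ordered server certificate first and that the key matches it. It assumes the openssl command-line tool is installed; the function names and the "Constructed ..." test certificates are made up for this example.

```shell
#!/bin/sh
# Added example. Sample certificates below are constructed test data.

# chain_order_ok FILE: succeed only if FILE lists certificates server-first,
# i.e. each certificate's issuer is the subject of the certificate after it.
# Compares names only; it does not verify signatures or trust.
chain_order_ok() {
    d=$(mktemp -d) || return 2
    awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/c" n ".pem")}' "$1"
    i=1; rc=0
    [ -f "$d/c1.pem" ] || rc=1
    while [ -f "$d/c$((i+1)).pem" ]; do
        iss=$(openssl x509 -in "$d/c$i.pem" -noout -issuer_hash)
        sub=$(openssl x509 -in "$d/c$((i+1)).pem" -noout -subject_hash)
        if [ -z "$iss" ] || [ "$iss" != "$sub" ]; then
            echo "certificate $i is not issued by certificate $((i+1))" >&2; rc=1
        fi
        i=$((i+1))
    done
    rm -rf "$d"; return "$rc"
}

# key_matches_cert KEY FILE: succeed if KEY is the private key of the first
# (server) certificate in FILE.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey) || return 2
    [ "$k" = "$c" ]
}

# make_sample_chain DIR: constructed root -> intermediate -> server chain,
# written as good.pem (server first) and bad.pem (root first).
make_sample_chain() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root" \
        -keyout root.key -out root.pem 2>/dev/null
    for n in intermediate server; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed $n" \
            -keyout "$n.key" -out "$n.csr" 2>/dev/null
    done
    openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -days 1 -out intermediate.pem 2>/dev/null
    openssl x509 -req -in server.csr -CA intermediate.pem -CAkey intermediate.key \
        -CAcreateserial -days 1 -out server.pem 2>/dev/null
    cat server.pem intermediate.pem root.pem > good.pem
    cat root.pem intermediate.pem server.pem > bad.pem
)

# Usage: sh check.sh KEY CHAIN_FILE
if [ $# -eq 2 ]; then chain_order_ok "$2" && key_matches_cert "$1" "$2" && echo OK; fi
```

Run it with your own key and chain file as the two arguments before pointing the configuration at them.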