Hi Thomas,

Thanks for your response! This goes a long way; however, there is still the unknown of where ovirt-engine takes the SPICE certificate and CA from.

Can somebody confirm that replacing just the files referenced in the apache configuration will be sufficient?

Thanks!
iordan


On Wed, Nov 20, 2013 at 1:00 PM, Thomas Suckow <thomas.suckow@pnnl.gov> wrote:
I don't know about the native SPICE client, but here is what I did for apache and the websocket proxy:

In /etc/httpd/conf.d/ssl.conf it lists
SSLCertificateFile
SSLCertificateKeyFile
SSLCertificateChainFile
SSLCACertificateFile

Those are the files you need to replace for the web interface. My certs were combined, so I actually only use SSLCertificateFile and SSLCertificateChainFile.

NOTE: If you modify ssl.conf, the path /etc/pki/ovirt-engine/apache-ca.pem is used by ovirt-iso-uploader. Uploads will fail unless you replace/symlink that file or specify a CA certificate on the command line. I actually linked to my chain file and it seems to be happy.



Websocket Proxy:

/etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf defines the certificates.

The websocket proxy needs a combined certificate file with your cert and the entire chain for SSL_CERTIFICATE.
SSL_KEY is just the unencrypted key, and it MUST be accessible by the ovirt user.



As for SPICE, I am not sure; I am guessing it is /etc/pki/ovirt-engine/keys/engine_id_rsa and /etc/pki/ovirt-engine/keys/certs/engine.cer
Not sure where they are referenced except by the websocket proxy.

--
Thomas

--
The conscious mind has only one thread of execution.
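
A preflight check for the websocket proxy requirements quoted above (combined cert plus chain in SSL_CERTIFICATE, unencrypted SSL_KEY readable by the ovirt user), as an added example that is not part of the original thread or of oVirt. The KEY=value layout of 10-setup.conf, the function names and the caller-supplied uid/gids are assumptions; it counts PEM blocks and does not verify that the chain actually validates.

```python
import os
import re
import stat

# Matches any PEM block and captures its label and body.
PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def parse_conf(text):
    """Parse KEY=value lines; this layout for 10-setup.conf is an assumption."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().strip("\"'")
    return conf

def readable_by(path, uid, gids):
    """Mode-bit check only: ignores ACLs, SELinux and parent directories."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def check_proxy_tls(conf_text, uid, gids):
    """Return a list of findings; an empty list means every check passed."""
    conf, findings = parse_conf(conf_text), []
    for name in ("SSL_CERTIFICATE", "SSL_KEY"):
        if not os.path.isfile(conf.get(name, "")):
            findings.append(f"{name} is unset or not a file")
    if findings:
        return findings
    with open(conf["SSL_CERTIFICATE"]) as fh:
        certs = [m for m in PEM.finditer(fh.read()) if m.group(1) == "CERTIFICATE"]
    if len(certs) < 2:
        findings.append(f"SSL_CERTIFICATE holds {len(certs)} certificate(s); expected cert plus chain")
    with open(conf["SSL_KEY"]) as fh:
        keys = [m for m in PEM.finditer(fh.read()) if m.group(1).endswith("PRIVATE KEY")]
    if not keys:
        findings.append("SSL_KEY contains no PEM private key")
    elif any(m.group(1).startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in m.group(2) for m in keys):
        findings.append("SSL_KEY is passphrase-protected; the proxy needs an unencrypted key")
    if not readable_by(conf["SSL_KEY"], uid, gids):
        findings.append("SSL_KEY is not readable by the service user")
    elif os.stat(conf["SSL_KEY"]).st_mode & stat.S_IROTH:
        findings.append("SSL_KEY is world-readable; restrict it to the service user")
    return findings
```

On the engine host, the uid and gids for the ovirt account can be looked up with pwd.getpwnam("ovirt") and os.getgrouplist before calling check_proxy_tls on the contents of 10-setup.conf.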