Ahoj,
Through websockets, you're connecting to TLS port with cert issued by
oVirt CA so you need have your browser trust oVirt CA in order to
connect successfully to spice-html5.
AFAIU you should be able to replace certs for spice (it's separate file
on host from vdsm cert although their contents are the same [1]). I
don't know however if you can configure engine to fill this
non-embedded-CA root in .vv files instead (or not to set it at all if
this CA is in your client trust stores).
[1]
# ls -l /etc/pki/vdsm/*/*pem
-rw-r--r--. 1 root kvm 1452 4. zář 2015 /etc/pki/vdsm/certs/cacert.pem
-rw-r--r--. 1 root kvm 1444 4. zář 2015 /etc/pki/vdsm/certs/vdsmcert.pem
-r--r-----. 1 vdsm kvm 1675 4. zář 2015 /etc/pki/vdsm/keys/vdsmkey.pem
-rw-r--r--. 1 root kvm 1452 4. zář 2015 /etc/pki/vdsm/libvirt-spice/ca-cert.pem
-rw-r--r--. 1 root kvm 1444 4. zář 2015 /etc/pki/vdsm/libvirt-spice/server-cert.pem
-r--r-----. 1 vdsm kvm 1675 4. zář 2015 /etc/pki/vdsm/libvirt-spice/server-key.pem
# rpm -qf /etc/pki/vdsm/libvirt-spice/ca-cert.pem
file /etc/pki/vdsm/libvirt-spice/ca-cert.pem
Regards,
David Jaša
On Pá, 2016-12-09 at 21:09 +0100, Karol Vaclavik wrote:
Hi all,
i had running ovirt. After renaming it (to the final domain it will be
assigned to), and replacing self-signed apache cert with a trustworthy
one, i am unable to connect to remote desktop of any VM (noVnc and
SPICE).
for NoVNC the problem is: Server disconnected (code: 1006)
and in the javascript i can find:
VM6119:37 WebSocket connection to
'wss://realaddressofmyengine:6100/eyJzYWx0IjoiQ01pOUNBV1YrTjA9IiwiZGF0YSI6…FsaWRGcm9tIjoiMjAxNjEyMDkyMDA2MjEiLCJ2YWxpZFRvIjoiMjAxNjEyMDkyMDA4MjEifQ=='
failed: WebSocket opening handshake was canceled
and when trying Spice the error is:
WebSocket error: Can't connect to websocket on URL:
wss://realaddressofmyengine:6100/eyJzYWx0IjoiTUJXQzVPT004UWM9IiwiZGF0YSI6IiU3QiUyMmhvc3QlMjI6JTIyMTkyLjE2OC4yMDAuMTExJTIyLCUyMnBvcnQlMjI6JTIyNTkwMCUyMiwlMjJzc2xfdGFyZ2V0JTIyOnRydWUlN0QiLCJzaWduYXR1cmUiOiJueUZEM1NIenE0WXY0UmJqYmtnbFNtUEM1QUJSRUsvM294a1VieXBqa3ZuckhsOTdLVWFFTFNsTEpHaUpTR0dJQXgrVEJFNTJna0dWR3VCRVVIZE4vdkJEY3JZbEtmcmQxK0ZqTTZMMXhtb1F3aHM4Y1VRR0t5Z1dLSENsanZvdFZFVkxNaCszU3VvU0s5d2VDczViVnRoRDdWZXFQM1ZtQkxoUnFnS0xmYjhxS1g4ZnBKTllUUG5iRmV1bGhVc2N6UTJwNE5CZ05ZalR0K3BTcFYvaGJlaFBPcnFBV01oMjRkV1ZrNVA3WEJmbTZ5a2RSVy8zNW1takY4Ym9FQlNZZzIrU1YvaWNwaldySW1SWmtQd3d5V3Y3dEhYVGNLSGFCek4vcnBQaS9xbnZoWXdyWEd4akRBSk9GVTRuRnl6ei9mNTAxU1BIMFNESEdIaEh3UXBoWFE9PSIsImRpZ2VzdCI6InNoYTEiLCJjZXJ0aWZpY2F0ZSI6Ii0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLVxuTUlJRW5UQ0NBNFdnQXdJQkFnSUNFQUV3RFFZSktvWklodmNOQVFFRkJRQXdWekVMTUFrR0ExVUVCaE1DVlZNeEhEQWFCZ05WQkFvVFxyXG5FMmwwWTI5dGJYVnVhV05oZEdsdmJuTXVjMnN4S2pBb0JnTlZCQU1USVdWdVoybHVaV0V1YVhSamIyMXRkVzVwWTJGMGFXOXVjeTV6XHJcbmF5NDFPVFl6TXpBZUZ3MHhOakV3TWpVeE5EQTBORGxhRncweU1UQTVNekF4TkRBME5EbGFNRkV4Q3pBSkJnTlZCQVlUQWxWVE1Sd3dcclxuR2dZRFZRUUtFeE5wZEdOdmJXMTFibWxqWVhScGIyNXpMbk5yTVNRd0lnWURWUVFERXh0bGJtZHBibVZoTG1sMFkyOXRiWFZ1YVdOaFxyXG5kR2x2Ym5NdWMyc3dnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEamVkZExkakJtUHk5R0ZYMzAza1owXHJcbnU5cUprSWg4TFZRVDZxWFcvSjV3V1QvWUtaMDlxdFdta25wTXRkd21WMWQ0WFBoajd6SGxuYUxjckpSeWIyZTNqTGxHcklHRDNvRmNcclxuUktETnAvMkhDU3JieHBoci9RVmhvMnNsRXpBUzRwS3d3Wno3RkU2cTVGbFI4OUZLTXRBSjlRZDVORi9LNTdUaUJuaDBzUCsvS0IycVxyXG4xSlAwZ2RGTUY1aERrREJGUG9xZklMUzhRN09GYW9vQXBveEhtdFZYaXp3Q1BlczJKMjVFM0NhRE1YWWpIOXdpREQrTi9kNkxuU1NYXHJcbld3V2c5d09ud2kwcHQ0TDhCTmxIL2ZtaW9Mb0ZpME9uUmdOY3Ryc09VN1BvR0hpb3VCZkZjNUpIWndJQm9YUWswakZja0RxMnZjYnlcclxuM2o1aEtSdWVkUVg2SUxJM0FnTUJBQUdqZ2dGM01JSUJjekFkQmdOVkhRNEVGZ1FVRlJLSEp5UmJHQmQ3RmdSOThZT29vOFlCMGRRd1xyXG5nWkVHQ0NzR0FRVUZCd0VCQklHRU1JR0JNSDhHQ0NzR0FRVUZCekFDaG5Ob2RIUndPaTh2Wlc1bmFXNWxZUzVwZEdOdmJXMTFibWxqXHJcbllYUnBiMjV6TG5Ock9qZ3dMMjkyYVhKMExXVnVaMmx1WlM5elpYSjJhV05sY3k5d2Eya3RjbVZ6YjNWeVkyVS9jbVZ6YjNWeVkyVTlcclxuWTJFdFkyVnlkR2xtYVdOaGRHVW1abTl5YldGMFBWZzFNRGt0VUVWTkxVTkJNSUdBQmdOVkhTTUVlVEIzZ0JSY2JUS2lmWWZIMXVjdFxyXG4zTUFGanptQnhUMzJqcUZicEZrd1Z6RUxNQWtHQTFVRUJoTUNWVk14SERBYUJnTlZCQW9URTJsMFkyOXRiWFZ1YVdOaGRHbHZibk11XHJcbmMyc3hLakFvQmdOVkJBTVRJV1Z1WjJsdVpXRXVhWFJqYjIxdGRXNXBZMkYwYVc5dWN5NXpheTQxT1RZek00SUNFQUF3Q1FZRFZSMFRcclxuQkFJd0FEQU9CZ05WSFE4QkFmOEVCQU1DQmFBd0lBWURWUjBsQVFIL0JCWXdGQVlJS3dZQkJRVUhBd0VHQ0NzR0FRVUZCd01DTUEwR1xyXG5DU3FHU0liM0RRRUJCUVVBQTRJQkFRQUVmN1VMUzdldGx4NWxXZzI3TlVKSDJsRmtzQVZnY2d3QlFSd1JSSXdEWWRWSGREbWEwS0wxXHJcbjBEL0tKcTJpelFwZ1RtSWxEdXh5Z3NiZm9IUHZOMDFzOW5IR0s3TXRrOG9iaHdUMUQrQ3RIakZlT0pQWUpkUVl1ZzhkSU9HZTZoN0NcclxucGZWSXAyeTFjYkpIVm11c2ZieGhNRy9QcEljalBoc3lFYW9qVmZQbU9Bd0M5UVJGV3Uxck0yZ0czUnBRamphVDJCVFY0SDQwUzdkSFxyXG5makduOGdkckxxYVYzaHpSZlR3S2JjRXdQL0lDTmwxUDFyOEpXNDdJM1cveGRkb2kvdm5FUlJiUktTNk51TjhYM3dtOVJkeDQ1WCtxXHJcbjdhRFVqb0VtbGk1dUNieHQ2SGxXb1RSL2NCamVoZnNXeTBMMVR0amIzNHJFeFBoNHFGR1FKZFhGV1Y0WlxyXG4tLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tXG4iLCJzaWduZWRGaWVsZHMiOiJzYWx0LGRhdGEsZGlnZXN0LHZhbGlkRnJvbSx2YWxpZFRvIiwidmFsaWRGcm9tIjoiMjAxNjEyMDkyMDA5MDAiLCJ2YWxpZFRvIjoiMjAxNjEyMDkyMDExMDAifQ==
[object Event]
I have no idea how to regenerate websocket cert, that is still
pointing at the old machine name.
thanks for any help
Karol Vaclavik
IT ARCHITECT
Mlynske Nivy 49
Bratislava, 82109
01873
Slovakia
e-mail: karol.vaclavik(a)sk.ibm.com
phone: 00421 904 943 684
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.phx.ovirt.org/mailman/listinfo/users