On Tue, Sep 22, 2020 at 6:46 PM Philip Brown <pbrown@medata.com> wrote:
Chrome didnt want to talk AT ALL to ovirt with self-signed certs (Because HSTS is enabled)
So I installed signed wildcard certs to the engine, and the nodes, following
http://187.1.81.65/ovirt-engine/docs/manual/en-US/html/Administration_Guide/...
Going to http://187.1.81.65/ovirt-engine/ shows that this is RHEV 3.6.6, and the above document is from the documentation included for it. Is this the machine you work with? Or you simply found it at random and use as doc? Anyway, 3.6.6 is very old and log unsupported. If it's indeed your setup, I recommend to upgrade. Even if it's not, I recommend to check latest (4.4) docs, and compare to yours - and try to guess what also applies in 3.6.6 (I think almost everything does, didn't check).
and https://cockpit-project.org/guide/172/https.html
and chrome is happy now... except that suddenly, consoles refuse to work. and there are no useful errors that I see, other than
"Unable to connect to the graphic server"
from the remote viewer app.
If you are going to continue debugging it yourself, you should also check relevant logs on the engine and the host. Also, assuming you did follow latest docs (as applicable): Please check the cert included inside console.vv. Is it (check "Issuer") the engine-internal CA (/etc/pki/ovirt-engine/ca.pem), or your other CA? It should be the engine's, and (at least for me) remote-viewer accepts it - I do not see with --debug the error you got about self-signed cert. If it's the "other" CA cert, then it's a bug somewhere - either in the software or the doc. I am not sure remote-viewer of any version has a problem with this. If you want a client that strictly uses only CAs you explicitly accepted (not the one inside console.vv), you can use the novnc one - this one connects to websocket-proxy, which (with an up-to-date procedure) uses your other CA.
I see someone not too long ago had the exact same problem, in https://www.mail-archive.com/users@ovirt.org/msg58814.html
Sorry, I didn't notice it. Best regards,
but.. no answer was given to him?
Help please
-- Philip Brown| Sr. Linux System Administrator | Medata, Inc. 5 Peters Canyon Rd Suite 250 Irvine CA 92606 Office 714.918.1310| Fax 714.918.1325 pbrown@medata.com| www.medata.com _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/KNJGW2Z6XPK4CD...
-- Didi