Unable to connect to VMs via noVnc or Spice after engine-rename and replacing apache cert
Hi all, i had running ovirt. After renaming it (to the final domain it will be assigned to), and replacing self-signed apache cert with a trustworthy one, i am unable to connect to remote desktop of any VM (noVnc and SPICE). for NoVNC the problem is: Server disconnected (code: 1006) and in the javascript i can find: VM6119:37 WebSocket connection to 'wss://realaddressofmyengine:6100/eyJzYWx0IjoiQ01pOUNBV1YrTjA9IiwiZGF0YSI6?FsaWRGcm9tIjoiMjAxNjEyMDkyMDA2MjEiLCJ2YWxpZFRvIjoiMjAxNjEyMDkyMDA4MjEifQ==' failed: WebSocket opening handshake was canceled and when trying Spice the error is: WebSocket error: Can't connect to websocket on URL: wss://realaddressofmyengine:6100/eyJzYWx0IjoiTUJXQzVPT004UWM9IiwiZGF0YSI6IiU3QiUyMmhvc3QlMjI6JTIyMTkyLjE2OC4yMDAuMTExJTIyLCUyMnBvcnQlMjI6JTIyNTkwMCUyMiwlMjJzc2xfdGFyZ2V0JTIyOnRydWUlN0QiLCJzaWduYXR1cmUiOiJueUZEM1NIenE0WXY0UmJqYmtnbFNtUEM1QUJSRUsvM294a1VieXBqa3ZuckhsOTdLVWFFTFNsTEpHaUpTR0dJQXgrVEJFNTJna0dWR3VCRVVIZE4vdkJEY3JZbEtmcmQxK0ZqTTZMMXhtb1F3aHM4Y1VRR0t5Z1dLSENsanZvdFZFVkxNaCszU3VvU0s5d2VDczViVnRoRDdWZXFQM1ZtQkxoUnFnS0xmYjhxS1g4ZnBKTllUUG5iRmV1bGhVc2N6UTJwNE5CZ05ZalR0K3BTcFYvaGJlaFBPcnFBV01oMjRkV1ZrNVA3WEJmbTZ5a2RSVy8zNW1takY4Ym9FQlNZZzIrU1YvaWNwaldySW1SWmtQd3d5V3Y3dEhYVGNLSGFCek4vcnBQaS9xbnZoWXdyWEd4akRBSk9GVTRuRnl6ei9mNTAxU1BIMFNESEdIaEh3UXBoWFE9PSIsImRpZ2VzdCI6InNoYTEiLCJjZXJ0aWZpY2F0ZSI6Ii0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLVxuTUlJRW5UQ0NBNFdnQXdJQkFnSUNFQUV3RFFZSktvWklodmNOQVFFRkJRQXdWekVMTUFrR0ExVUVCaE1DVlZNeEhEQWFCZ05WQkFvVFxyXG5FMmwwWTI5dGJYVnVhV05oZEdsdmJuTXVjMnN4S2pBb0JnTlZCQU1USVdWdVoybHVaV0V1YVhSamIyMXRkVzVwWTJGMGFXOXVjeTV6XHJcbmF5NDFPVFl6TXpBZUZ3MHhOakV3TWpVeE5EQTBORGxhRncweU1UQTVNekF4TkRBME5EbGFNRkV4Q3pBSkJnTlZCQVlUQWxWVE1Sd3dcclxuR2dZRFZRUUtFeE5wZEdOdmJXMTFibWxqWVhScGIyNXpMbk5yTVNRd0lnWURWUVFERXh0bGJtZHBibVZoTG1sMFkyOXRiWFZ1YVdOaFxyXG5kR2x2Ym5NdWMyc3dnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEamVkZExkakJtUHk5R0ZYMzAza1owXHJcbnU5cUprSWg4TFZRVDZxWFcvSjV3V1QvWUtaMDlxdFdta25wTXRkd21WMWQ0WFBoajd6SGxuYUxjckpSeWIyZTNqTGxHcklHRDNvRmNcclxuUktETnAvMkhDU3JieHBoci9RVmhvMnNsRXpBUzRwS3d3Wno3RkU2cTVGbFI4OUZLTXRBSjlRZDVORi9LNTdUaUJuaDBzUCsvS0IycVxyXG4xSlAwZ2RGTUY1aERrREJGUG9xZklMUzhRN09GYW9vQXBveEhtdFZYaXp3Q1BlczJKMjVFM0NhRE1YWWpIOXdpREQrTi9kNkxuU1NYXHJcbld3V2c5d09ud2kwcHQ0TDhCTmxIL2ZtaW9Mb0ZpME9uUmdOY3Ryc09VN1BvR0hpb3VCZkZjNUpIWndJQm9YUWswakZja0RxMnZjYnlcclxuM2o1aEtSdWVkUVg2SUxJM0FnTUJBQUdqZ2dGM01JSUJjekFkQmdOVkhRNEVGZ1FVRlJLSEp5UmJHQmQ3RmdSOThZT29vOFlCMGRRd1xyXG5nWkVHQ0NzR0FRVUZCd0VCQklHRU1JR0JNSDhHQ0NzR0FRVUZCekFDaG5Ob2RIUndPaTh2Wlc1bmFXNWxZUzVwZEdOdmJXMTFibWxqXHJcbllYUnBiMjV6TG5Ock9qZ3dMMjkyYVhKMExXVnVaMmx1WlM5elpYSjJhV05sY3k5d2Eya3RjbVZ6YjNWeVkyVS9jbVZ6YjNWeVkyVTlcclxuWTJFdFkyVnlkR2xtYVdOaGRHVW1abTl5YldGMFBWZzFNRGt0VUVWTkxVTkJNSUdBQmdOVkhTTUVlVEIzZ0JSY2JUS2lmWWZIMXVjdFxyXG4zTUFGanptQnhUMzJqcUZicEZrd1Z6RUxNQWtHQTFVRUJoTUNWVk14SERBYUJnTlZCQW9URTJsMFkyOXRiWFZ1YVdOaGRHbHZibk11XHJcbmMyc3hLakFvQmdOVkJBTVRJV1Z1WjJsdVpXRXVhWFJqYjIxdGRXNXBZMkYwYVc5dWN5NXpheTQxT1RZek00SUNFQUF3Q1FZRFZSMFRcclxuQkFJd0FEQU9CZ05WSFE4QkFmOEVCQU1DQmFBd0lBWURWUjBsQVFIL0JCWXdGQVlJS3dZQkJRVUhBd0VHQ0NzR0FRVUZCd01DTUEwR1xyXG5DU3FHU0liM0RRRUJCUVVBQTRJQkFRQUVmN1VMUzdldGx4NWxXZzI3TlVKSDJsRmtzQVZnY2d3QlFSd1JSSXdEWWRWSGREbWEwS0wxXHJcbjBEL0tKcTJpelFwZ1RtSWxEdXh5Z3NiZm9IUHZOMDFzOW5IR0s3TXRrOG9iaHdUMUQrQ3RIakZlT0pQWUpkUVl1ZzhkSU9HZTZoN0NcclxucGZWSXAyeTFjYkpIVm11c2ZieGhNRy9QcEljalBoc3lFYW9qVmZQbU9Bd0M5UVJGV3Uxck0yZ0czUnBRamphVDJCVFY0SDQwUzdkSFxyXG5makduOGdkckxxYVYzaHpSZlR3S2JjRXdQL0lDTmwxUDFyOEpXNDdJM1cveGRkb2kvdm5FUlJiUktTNk51TjhYM3dtOVJkeDQ1WCtxXHJcbjdhRFVqb0VtbGk1dUNieHQ2SGxXb1RSL2NCamVoZnNXeTBMMVR0amIzNHJFeFBoNHFGR1FKZFhGV1Y0WlxyXG4tLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tXG4iLCJzaWduZWRGaWVsZHMiOiJzYWx0LGRhdGEsZGlnZXN0LHZhbGlkRnJvbSx2YWxpZFRvIiwidmFsaWRGcm9tIjoiMjAxNjEyMDkyMDA5MDAiLCJ2YWxpZFRvIjoiMjAxNjEyMDkyMDExMDAifQ== [object Event] I have no idea how to regenerate websocket cert, that is still pointing at the old machine name. thanks for any help Karol Vaclavik IT ARCHITECT Mlynske Nivy 49 Bratislava, 82109 01873 Slovakia e-mail: karol.vaclavik@sk.ibm.com phone: 00421 904 943 684
Ahoj, Through websockets, you're connecting to TLS port with cert issued by oVirt CA so you need have your browser trust oVirt CA in order to connect successfully to spice-html5. AFAIU you should be able to replace certs for spice (it's separate file on host from vdsm cert although their contents are the same [1]). I don't know however if you can configure engine to fill this non-embedded-CA root in .vv files instead (or not to set it at all if this CA is in your client trust stores). [1] # ls -l /etc/pki/vdsm/*/*pem -rw-r--r--. 1 root kvm 1452 4. zář 2015 /etc/pki/vdsm/certs/cacert.pem -rw-r--r--. 1 root kvm 1444 4. zář 2015 /etc/pki/vdsm/certs/vdsmcert.pem -r--r-----. 1 vdsm kvm 1675 4. zář 2015 /etc/pki/vdsm/keys/vdsmkey.pem -rw-r--r--. 1 root kvm 1452 4. zář 2015 /etc/pki/vdsm/libvirt-spice/ca-cert.pem -rw-r--r--. 1 root kvm 1444 4. zář 2015 /etc/pki/vdsm/libvirt-spice/server-cert.pem -r--r-----. 1 vdsm kvm 1675 4. zář 2015 /etc/pki/vdsm/libvirt-spice/server-key.pem # rpm -qf /etc/pki/vdsm/libvirt-spice/ca-cert.pem file /etc/pki/vdsm/libvirt-spice/ca-cert.pem Regards, David Jaša On Pá, 2016-12-09 at 21:09 +0100, Karol Vaclavik wrote:
Hi all,
i had running ovirt. After renaming it (to the final domain it will be assigned to), and replacing self-signed apache cert with a trustworthy one, i am unable to connect to remote desktop of any VM (noVnc and SPICE).
for NoVNC the problem is: Server disconnected (code: 1006) and in the javascript i can find:
VM6119:37 WebSocket connection to 'wss://realaddressofmyengine:6100/eyJzYWx0IjoiQ01pOUNBV1YrTjA9IiwiZGF0YSI6…FsaWRGcm9tIjoiMjAxNjEyMDkyMDA2MjEiLCJ2YWxpZFRvIjoiMjAxNjEyMDkyMDA4MjEifQ==' failed: WebSocket opening handshake was canceled
and when trying Spice the error is:
WebSocket error: Can't connect to websocket on URL: wss://realaddressofmyengine:6100/eyJzYWx0IjoiTUJXQzVPT004UWM9IiwiZGF0YSI6IiU3QiUyMmhvc3QlMjI6JTIyMTkyLjE2OC4yMDAuMTExJTIyLCUyMnBvcnQlMjI6JTIyNTkwMCUyMiwlMjJzc2xfdGFyZ2V0JTIyOnRydWUlN0QiLCJzaWduYXR1cmUiOiJueUZEM1NIenE0WXY0UmJqYmtnbFNtUEM1QUJSRUsvM294a1VieXBqa3ZuckhsOTdLVWFFTFNsTEpHaUpTR0dJQXgrVEJFNTJna0dWR3VCRVVIZE4vdkJEY3JZbEtmcmQxK0ZqTTZMMXhtb1F3aHM4Y1VRR0t5Z1dLSENsanZvdFZFVkxNaCszU3VvU0s5d2VDczViVnRoRDdWZXFQM1ZtQkxoUnFnS0xmYjhxS1g4ZnBKTllUUG5iRmV1bGhVc2N6UTJwNE5CZ05ZalR0K3BTcFYvaGJlaFBPcnFBV01oMjRkV1ZrNVA3WEJmbTZ5a2RSVy8zNW1takY4Ym9FQlNZZzIrU1YvaWNwaldySW1SWmtQd3d5V3Y3dEhYVGNLSGFCek4vcnBQaS9xbnZoWXdyWEd4akRBSk9GVTRuRnl6ei9mNTAxU1BIMFNESEdIaEh3UXBoWFE9PSIsImRpZ2VzdCI6InNoYTEiLCJjZXJ0aWZpY2F0ZSI6Ii0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLVxuTUlJRW5UQ0NBNFdnQXdJQkFnSUNFQUV3RFFZSktvWklodmNOQVFFRkJRQXdWekVMTUFrR0ExVUVCaE1DVlZNeEhEQWFCZ05WQkFvVFxyXG5FMmwwWTI5dGJYVnVhV05oZEdsdmJuTXVjMnN4S2pBb0JnTlZCQU1USVdWdVoybHVaV0V1YVhSamIyMXRkVzVwWTJGMGFXOXVjeTV6XHJcbmF5NDFPVFl6TXpBZUZ3MHhOakV3TWpVeE5EQTBORGxhRncweU1UQTVNekF4TkRBME5EbGFNRkV4Q3pBSkJnTlZCQVlUQWxWVE1Sd3dcclxuR2dZRFZRUUtFeE5wZEdOdmJXMTFibWxqWVhScGIyNXpMbk5yTVNRd0lnWURWUVFERXh0bGJtZHBibVZoTG1sMFkyOXRiWFZ1YVdOaFxyXG5kR2x2Ym5NdWMyc3dnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEamVkZExkakJtUHk5R0ZYMzAza1owXHJcbnU5cUprSWg4TFZRVDZxWFcvSjV3V1QvWUtaMDlxdFdta25wTXRkd21WMWQ0WFBoajd6SGxuYUxjckpSeWIyZTNqTGxHcklHRDNvRmNcclxuUktETnAvMkhDU3JieHBoci9RVmhvMnNsRXpBUzRwS3d3Wno3RkU2cTVGbFI4OUZLTXRBSjlRZDVORi9LNTdUaUJuaDBzUCsvS0IycVxyXG4xSlAwZ2RGTUY1aERrREJGUG9xZklMUzhRN09GYW9vQXBveEhtdFZYaXp3Q1BlczJKMjVFM0NhRE1YWWpIOXdpREQrTi9kNkxuU1NYXHJcbld3V2c5d09ud2kwcHQ0TDhCTmxIL2ZtaW9Mb0ZpME9uUmdOY3Ryc09VN1BvR0hpb3VCZkZjNUpIWndJQm9YUWswakZja0RxMnZjYnlcclxuM2o1aEtSdWVkUVg2SUxJM0FnTUJBQUdqZ2dGM01JSUJjekFkQmdOVkhRNEVGZ1FVRlJLSEp5UmJHQmQ3RmdSOThZT29vOFlCMGRRd1xyXG5nWkVHQ0NzR0FRVUZCd0VCQklHRU1JR0JNSDhHQ0NzR0FRVUZCekFDaG5Ob2RIUndPaTh2Wlc1bmFXNWxZUzVwZEdOdmJXMTFibWxqXHJcbllYUnBiMjV6TG5Ock9qZ3dMMjkyYVhKMExXVnVaMmx1WlM5elpYSjJhV05sY3k5d2Eya3RjbVZ6YjNWeVkyVS9jbVZ6YjNWeVkyVTlcclxuWTJFdFkyVnlkR2xtYVdOaGRHVW1abTl5YldGMFBWZzFNRGt0VUVWTkxVTkJNSUdBQmdOVkhTTUVlVEIzZ0JSY2JUS2lmWWZIMXVjdFxyXG4zTUFGanptQnhUMzJqcUZicEZrd1Z6RUxNQWtHQTFVRUJoTUNWVk14SERBYUJnTlZCQW9URTJsMFkyOXRiWFZ1YVdOaGRHbHZibk11XHJcbmMyc3hLakFvQmdOVkJBTVRJV1Z1WjJsdVpXRXVhWFJqYjIxdGRXNXBZMkYwYVc5dWN5NXpheTQxT1RZek00SUNFQUF3Q1FZRFZSMFRcclxuQkFJd0FEQU9CZ05WSFE4QkFmOEVCQU1DQmFBd0lBWURWUjBsQVFIL0JCWXdGQVlJS3dZQkJRVUhBd0VHQ0NzR0FRVUZCd01DTUEwR1xyXG5DU3FHU0liM0RRRUJCUVVBQTRJQkFRQUVmN1VMUzdldGx4NWxXZzI3TlVKSDJsRmtzQVZnY2d3QlFSd1JSSXdEWWRWSGREbWEwS0wxXHJcbjBEL0tKcTJpelFwZ1RtSWxEdXh5Z3NiZm9IUHZOMDFzOW5IR0s3TXRrOG9iaHdUMUQrQ3RIakZlT0pQWUpkUVl1ZzhkSU9HZTZoN0NcclxucGZWSXAyeTFjYkpIVm11c2ZieGhNRy9QcEljalBoc3lFYW9qVmZQbU9Bd0M5UVJGV3Uxck0yZ0czUnBRamphVDJCVFY0SDQwUzdkSFxyXG5makduOGdkckxxYVYzaHpSZlR3S2JjRXdQL0lDTmwxUDFyOEpXNDdJM1cveGRkb2kvdm5FUlJiUktTNk51TjhYM3dtOVJkeDQ1WCtxXHJcbjdhRFVqb0VtbGk1dUNieHQ2SGxXb1RSL2NCamVoZnNXeTBMMVR0amIzNHJFeFBoNHFGR1FKZFhGV1Y0WlxyXG4tLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tXG4iLCJzaWduZWRGaWVsZHMiOiJzYWx0LGRhdGEsZGlnZXN0LHZhbGlkRnJvbSx2YWxpZFRvIiwidmFsaWRGcm9tIjoiMjAxNjEyMDkyMDA5MDAiLCJ2YWxpZFRvIjoiMjAxNjEyMDkyMDExMDAifQ== [object Event]
I have no idea how to regenerate websocket cert, that is still pointing at the old machine name.
thanks for any help
Karol Vaclavik IT ARCHITECT
Mlynske Nivy 49 Bratislava, 82109 01873 Slovakia
e-mail: karol.vaclavik@sk.ibm.com phone: 00421 904 943 684
_______________________________________________ Users mailing list Users@ovirt.org http://lists.phx.ovirt.org/mailman/listinfo/users
participants (2)
-
David Jaša -
Karol Vaclavik