11:47 p.m.
------=_NextPartTM-000-1d072653-e875-4776-9205-da11a53cbe5b
Content-Type: multipart/alternative;
boundary="_000_12EF8D94C6F8734FB2FF37B9FBEDD173585BAE38EXCHANGEcollogi_"
--_000_12EF8D94C6F8734FB2FF37B9FBEDD173585BAE38EXCHANGEcollogi_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Hello,
after configuring noVNC websocket proxy I would like to load
an offically signed certificate into it. Otherwise I would always
have to accept the self signed certificate on port 6100. See here:
http://lists.ovirt.org/pipermail/users/2013-October/017108.html
From the configuration file I know where to place the signed
certificate but our generated certificates depend on intermediate
certificates. Ah the moment I'm missing the option to load/advertise
that intermediate certificate.
# cat /ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
PROXY_PORT=3D6100
SSL_CERTIFICATE=3D/etc/pki/ovirt-engine/certs/websocket-proxy.cer
SSL_KEY=3D/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
FORCE_DATA_VERIFICATION=3DTrue
CERT_FOR_DATA_VERIFICATION=3D/etc/pki/ovirt-engine/certs/engine.cer
SSL_ONLY=3DTrue
In apache I usally go with:
SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer
SSLCertificateKeyFile /etc/pki/ovirt-engine/keys/apache.key.nopass
SSLCertificateChainFile /etc/pki/ovirt-engine/certs/server-chain.crt
Any tips?
Markus
--_000_12EF8D94C6F8734FB2FF37B9FBEDD173585BAE38EXCHANGEcollogi_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html dir=3D"ltr">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html;
charset=3Diso-8859-=
1">
<style id=3D"owaParaStyle" type=3D"text/css">P
{margin-top:0;margin-bottom:=
0;}</style>
</head>
<body ocsi=3D"0" fpstyle=3D"1">
<div style=3D"direction: ltr;font-family: Tahoma;color: #000000;font-size: =
10pt;">Hello,<br>
<br>
after configuring noVNC websocket proxy I would like to load<br>
an offically signed certificate into it. Otherwise I would always<br>
have to accept the self signed certificate on port 6100. See here:<br>
<br>
<a href=3D"http://lists.ovirt.org/pipermail/users/2013-October/017108.h...
target=3D"_blank">http://lists.ovirt.org/pipermail/users/201...
08.html</a><br>
<br>
From the configuration file I know where to place the signed<br>
certificate but our generated certificates depend on intermediate<br>
certificates. Ah the moment I'm missing the option to load/advertise <br>
that intermediate certificate.<br>
<br>
# cat /ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf<br>
PROXY_PORT=3D6100<br>
SSL_CERTIFICATE=3D/etc/pki/ovirt-engine/certs/websocket-proxy.cer<br>
SSL_KEY=3D/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass<br>
FORCE_DATA_VERIFICATION=3DTrue<br>
CERT_FOR_DATA_VERIFICATION=3D/etc/pki/ovirt-engine/certs/engine.cer<br>
SSL_ONLY=3DTrue<br>
<br>
In apache I usally go with:<br>
<br>
SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer<br>
SSLCertificateKeyFile /etc/pki/ovirt-engine/keys/apache.key.nopass<br>
SSLCertificateChainFile /etc/pki/ovirt-engine/certs/server-chain.crt <br>
<br>
Any tips?<br>
<br>
Markus<br>
</div>
</body>
</html>
--_000_12EF8D94C6F8734FB2FF37B9FBEDD173585BAE38EXCHANGEcollogi_--
------=_NextPartTM-000-1d072653-e875-4776-9205-da11a53cbe5b
Content-Type: text/plain;
name="InterScan_Disclaimer.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="InterScan_Disclaimer.txt"
****************************************************************************
Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte
Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail
irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und
vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte
Weitergabe dieser Mail ist nicht gestattet.
Über das Internet versandte E-Mails können unter fremden Namen erstellt oder
manipuliert werden. Deshalb ist diese als E-Mail verschickte Nachricht keine
rechtsverbindliche Willenserklärung.
Collogia
Unternehmensberatung AG
Ubierring 11
D-50678 Köln
Vorstand:
Kadir Akin
Dr. Michael Höhnerbach
Vorsitzender des Aufsichtsrates:
Hans Kristian Langva
Registergericht: Amtsgericht Köln
Registernummer: HRB 52 497
This e-mail may contain confidential and/or privileged information. If you
are not the intended recipient (or have received this e-mail in error)
please notify the sender immediately and destroy this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
e-mails sent over the internet may have been written under a wrong name or
been manipulated. That is why this message sent as an e-mail is not a
legally binding declaration of intention.
Collogia
Unternehmensberatung AG
Ubierring 11
D-50678 Köln
executive board:
Kadir Akin
Dr. Michael Höhnerbach
President of the supervisory board:
Hans Kristian Langva
Registry office: district court Cologne
Register number: HRB 52 497
****************************************************************************
------=_NextPartTM-000-1d072653-e875-4776-9205-da11a53cbe5b--
9:56 p.m.
Hi,
Can you please try to specify
SSL_CERTIFICATE=xxx
where xx contains the complete certificate chain in reverse?
-----BEGIN CERTIFICATE-----
... (certificate for your server)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the certificate for the CA)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the root certificate for the CA's issuer)...
-----END CERTIFICATE-----
Of course you need matching SSL_KEY.
Regards,
Alon
----- Original Message -----
From: "Markus Stockhausen" <stockhausen(a)collogia.de>
To: "ovirt-users" <users(a)ovirt.org>
Sent: Friday, January 10, 2014 10:47:09 PM
Subject: [Users] noVNC with intermediate certificates
Hello,
after configuring noVNC websocket proxy I would like to load
an offically signed certificate into it. Otherwise I would always
have to accept the self signed certificate on port 6100. See here:
http://lists.ovirt.org/pipermail/users/2013-October/017108.html
From the configuration file I know where to place the signed
certificate but our generated certificates depend on intermediate
certificates. Ah the moment I'm missing the option to load/advertise
that intermediate certificate.
# cat /ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
PROXY_PORT=6100
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
FORCE_DATA_VERIFICATION=True
CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
SSL_ONLY=True
In apache I usally go with:
SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer
SSLCertificateKeyFile /etc/pki/ovirt-engine/keys/apache.key.nopass
SSLCertificateChainFile /etc/pki/ovirt-engine/certs/server-chain.crt
Any tips?
Markus
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
9:54 p.m.
This is a multi-part message in MIME format.
------=_NextPartTM-000-c9fbc65d-1b8a-45b7-96bc-aa2de25be96e
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Von: Alon Bar-Lev [alonbl(a)redhat.com]=0A=
Gesendet: Samstag, 11. Januar 2014 19:56=0A=
An: Markus Stockhausen=0A=
Cc: ovirt-users=0A=
Betreff: Re: [Users] noVNC with intermediate certificates=0A=
=0A=
Hi,=0A=
=0A=
Can you please try to specify=0A=
=0A=
SSL_CERTIFICATE=3Dxxx=0A=
=0A=
where xx contains the complete certificate chain in reverse?=0A=
=0A=
-----BEGIN CERTIFICATE-----=0A=
... (certificate for your server)...=0A=
-----END CERTIFICATE-----=0A=
-----BEGIN CERTIFICATE-----=0A=
... (the certificate for the CA)...=0A=
-----END CERTIFICATE-----=0A=
-----BEGIN CERTIFICATE-----=0A=
... (the root certificate for the CA's issuer)...=0A=
-----END CERTIFICATE-----=0A=
=0A=
Of course you need matching SSL_KEY.=0A=
=0A=
Regards,=0A=
Alon=0A=
=0A=
The tests say:=0A=
=0A=
The intermediate certificate is not really needed. The explanation=0A=
is quite simple. If you navigate to the admin page over https=0A=
the apache webserver presents the intermediate certificate. =0A=
This is temporarily stored in the (Firefox) browser. When you =0A=
open the noVNC console it is automatically trusted. =0A=
=0A=
BUT! You will still get a certificate warning if you navigate directly=0A=
to https://<server>:6100 after opening the browser.=0A=
=0A=
Nevertheless your hint seems to help. I just added the=0A=
intermediate certificate to the standard file =0A=
/etc/pki/ovirt-engine/certs/websocket-proxy.cer=0A=
and a direct connect to https://<server>:6100 gives=0A=
no warnings.=0A=
=0A=
Thanks.=0A=
=0A=
Markus=0A=
------=_NextPartTM-000-c9fbc65d-1b8a-45b7-96bc-aa2de25be96e
Content-Type: text/plain;
name="InterScan_Disclaimer.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="InterScan_Disclaimer.txt"
****************************************************************************
Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte
Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail
irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und
vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte
Weitergabe dieser Mail ist nicht gestattet.
Über das Internet versandte E-Mails können unter fremden Namen erstellt oder
manipuliert werden. Deshalb ist diese als E-Mail verschickte Nachricht keine
rechtsverbindliche Willenserklärung.
Collogia
Unternehmensberatung AG
Ubierring 11
D-50678 Köln
Vorstand:
Kadir Akin
Dr. Michael Höhnerbach
Vorsitzender des Aufsichtsrates:
Hans Kristian Langva
Registergericht: Amtsgericht Köln
Registernummer: HRB 52 497
This e-mail may contain confidential and/or privileged information. If you
are not the intended recipient (or have received this e-mail in error)
please notify the sender immediately and destroy this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
e-mails sent over the internet may have been written under a wrong name or
been manipulated. That is why this message sent as an e-mail is not a
legally binding declaration of intention.
Collogia
Unternehmensberatung AG
Ubierring 11
D-50678 Köln
executive board:
Kadir Akin
Dr. Michael Höhnerbach
President of the supervisory board:
Hans Kristian Langva
Registry office: district court Cologne
Register number: HRB 52 497
****************************************************************************
------=_NextPartTM-000-c9fbc65d-1b8a-45b7-96bc-aa2de25be96e--
10:01 p.m.
----- Original Message -----
From: "Markus Stockhausen" <stockhausen(a)collogia.de>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: "ovirt-users" <users(a)ovirt.org>
Sent: Sunday, January 12, 2014 8:54:05 PM
Subject: AW: [Users] noVNC with intermediate certificates
> Von: Alon Bar-Lev [alonbl(a)redhat.com]
> Gesendet: Samstag, 11. Januar 2014 19:56
> An: Markus Stockhausen
> Cc: ovirt-users
> Betreff: Re: [Users] noVNC with intermediate certificates
>
> Hi,
>
> Can you please try to specify
>
> SSL_CERTIFICATE=xxx
>
> where xx contains the complete certificate chain in reverse?
>
> -----BEGIN CERTIFICATE-----
> ... (certificate for your server)...
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> ... (the certificate for the CA)...
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> ... (the root certificate for the CA's issuer)...
> -----END CERTIFICATE-----
>
> Of course you need matching SSL_KEY.
>
> Regards,
> Alon
The tests say:
The intermediate certificate is not really needed. The explanation
is quite simple. If you navigate to the admin page over https
the apache webserver presents the intermediate certificate.
This is temporarily stored in the (Firefox) browser. When you
open the noVNC console it is automatically trusted.
BUT! You will still get a certificate warning if you navigate directly
to https://<server>:6100 after opening the browser.
Nevertheless your hint seems to help. I just added the
intermediate certificate to the standard file
/etc/pki/ovirt-engine/certs/websocket-proxy.cer
and a direct connect to https://<server>:6100 gives
no warnings.
That's great.
Please refrain from overwriting product files, provide your own and modify configuration.
Thanks.
Markus
3968
days inactive
3970
days old
3 comments
2 participants
participants (2)
-
Alon Bar-Lev -
Markus Stockhausen