I assume you are working on linux (for windows you will need to ssh to a linux box or even one ofthe Hosts). When you download the 'console.vv' file for Spice connection - you will have to note several stuff: - host - tls-port (not the plain 'port=' !!! ) - ca Process the CA and replace the '\n' with new lines . Then you can run: openssl s_client -connect <host>:<tls-port> -CAfile <path-to-ca-with-newlines> -showcerts Then you can inspect the certificate chain. I would then grep for the strings from openssl in the engine. In my case I find these containing the line with the 'issuer': /etc/pki/ovirt-engine/certs/websocket-proxy.cer /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/reports.cer /etc/pki/ovirt-engine/certs/imageio-proxy.cer /etc/pki/ovirt-engine/certs/ovn-ndb.cer /etc/pki/ovirt-engine/certs/ovn-sdb.cer /etc/pki/ovirt-engine/certs/ovirt-provider-ovn.cer Happy Hunting! Best Regards, Strahil Nikolov В вторник, 22 септември 2020 г., 21:52:10 Гринуич+3, Philip Brown <pbrown(a)medata.com&gt; написа: More detail on the problem. after starting remote-viewer  --debug, I get (remote-viewer.exe:18308): virt-viewer-DEBUG: 11:45:30.594: New spice channel 000000000608B240 SpiceMainChannel 0 (remote-viewer.exe:18308): virt-viewer-DEBUG: 11:45:30.594: notebook show status 0000000003479130 (remote-viewer.exe:18308): Spice-WARNING **: 11:45:30.691: ../subprojects/spice-common/common/ssl_verify.c:444:openssl_verify: Error in certificate chain verification: self signed certificate in certificate chain (num=19:depth1:/C=US/O=xxxxxxxxxx.65101) (remote-viewer.exe:18308): GSpice-WARNING **: 11:45:30.692: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1) (remote-viewer.exe:18308): virt-viewer-DEBUG: 11:45:30.693: Destroy SPICE channel SpiceMainChannel 0 So it seems like there's some additional thing that needs telling to use the official signed cert. Any clues for me please? _______________________________________________ Users mailing list -- users(a)ovirt.org To unsubscribe send an email to users-leave(a)ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/VKSX7CLJ4N7...

Most probably there is an option to tell it (I mean oVIrt) the exact keys to be used. Yet, give the engine a gentle push and reboot it - just to be sure you are not chasing a ghost. I'm using self-signed certs and I can't help much in this case. Best Regards, Strahil Nikolov В вторник, 22 септември 2020 г., 22:54:28 Гринуич+3, Philip Brown <pbrown(a)medata.com&gt; написа: Thanks for the initial start, Strahil, my desktop is windows. but I took apart the console.vv file, and these are my findings: in the console.vv file, there is a valid CA cert, which is for the signing CA for our valid wildcard SSL cert. However, when I connected to the target host, on the tls-port, i noted that it is still using the original self-signed CA, generated by ovirt-engine for the host. Digging with lsof says that the process is qemu-kvm Looking at command line, that has   x509-dir=/etc/pki/vdsm/libvirt-spice So... I guess I need to update server.key server.cert and ca-cert in there? except there's a whoole lot of '*key.pem' files under  the /etc/pki directory tree. Suggestions on which is best to update? For example, there is also /etc/pki/vdsm/keys/vdsmkey.pem ----- Original Message ----- From: "Strahil Nikolov" <hunter86_bg(a)yahoo.com&gt; To: "users" <users(a)ovirt.org&gt;, "Philip Brown" <pbrown(a)medata.com&gt; Sent: Tuesday, September 22, 2020 12:09:55 PM Subject: Re: [ovirt-users] Re: console breaks with signed SSL certs I assume you are working on linux (for windows you will need to ssh to a linux box or even one ofthe Hosts). When you download the 'console.vv' file for Spice connection - you will have to note several stuff: - host - tls-port (not the plain 'port=' !!! ) - ca Process the CA and replace the '\n' with new lines . Then you can run: openssl s_client -connect <host>:<tls-port> -CAfile <path-to-ca-with-newlines> -showcerts Then you can inspect the certificate chain. I would then grep for the strings from openssl in the engine. In my case I find these containing the line with the 'issuer': /etc/pki/ovirt-engine/certs/websocket-proxy.cer /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/reports.cer /etc/pki/ovirt-engine/certs/imageio-proxy.cer /etc/pki/ovirt-engine/certs/ovn-ndb.cer /etc/pki/ovirt-engine/certs/ovn-sdb.cer /etc/pki/ovirt-engine/certs/ovirt-provider-ovn.cer Happy Hunting! Best Regards, Strahil Nikolov В вторник, 22 септември 2020 г., 21:52:10 Гринуич+3, Philip Brown <pbrown(a)medata.com&gt; написа: More detail on the problem. after starting remote-viewer  --debug, I get (remote-viewer.exe:18308): virt-viewer-DEBUG: 11:45:30.594: New spice channel 000000000608B240 SpiceMainChannel 0 (remote-viewer.exe:18308): virt-viewer-DEBUG: 11:45:30.594: notebook show status 0000000003479130 (remote-viewer.exe:18308): Spice-WARNING **: 11:45:30.691: ../subprojects/spice-common/common/ssl_verify.c:444:openssl_verify: Error in certificate chain verification: self signed certificate in certificate chain (num=19:depth1:/C=US/O=xxxxxxxxxx.65101) (remote-viewer.exe:18308): GSpice-WARNING **: 11:45:30.692: main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1) (remote-viewer.exe:18308): virt-viewer-DEBUG: 11:45:30.693: Destroy SPICE channel SpiceMainChannel 0 So it seems like there's some additional thing that needs telling to use the official signed cert. Any clues for me please? _______________________________________________ Users mailing list -- users(a)ovirt.org To unsubscribe send an email to users-leave(a)ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/VKSX7CLJ4N7... _______________________________________________ Users mailing list -- users(a)ovirt.org To unsubscribe send an email to users-leave(a)ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/545XR3UZJ3U...

On Tue, Sep 22, 2020 at 6:46 PM Philip Brown <pbrown(a)medata.com&gt; wrote: Going to http://187.1.81.65/ovirt-engine/ shows that this is RHEV 3.6.6, and the above document is from the documentation included for it. Is this the machine you work with? Or you simply found it at random and use as doc? Anyway, 3.6.6 is very old and log unsupported. If it's indeed your setup, I recommend to upgrade. Even if it's not, I recommend to check latest (4.4) docs, and compare to yours - and try to guess what also applies in 3.6.6 (I think almost everything does, didn't check). If you are going to continue debugging it yourself, you should also check relevant logs on the engine and the host. Also, assuming you did follow latest docs (as applicable): Please check the cert included inside console.vv. Is it (check "Issuer") the engine-internal CA (/etc/pki/ovirt-engine/ca.pem), or your other CA? It should be the engine's, and (at least for me) remote-viewer accepts it - I do not see with --debug the error you got about self-signed cert. If it's the "other" CA cert, then it's a bug somewhere - either in the software or the doc. I am not sure remote-viewer of any version has a problem with this. If you want a client that strictly uses only CAs you explicitly accepted (not the one inside console.vv), you can use the novnc one - this one connects to websocket-proxy, which (with an up-to-date procedure) uses your other CA. Sorry, I didn't notice it. Best regards, -- Didi