[Users] unable to use spice-html5 in chrome due to certificate error

Hello,
I think I have configured all ok.
Fedora 19 with stable oVirt 3.3.1
From another fedora 19 system I'm trying to use chrome Version 31.0.1650.63
I get a black window when using spice html5 in console options

in /var/log/messages of engine I get

Dec 7 18:51:16 tekkaman ovirt-websocket-proxy.py[22356]: 5: handler exception: [Errno 336265225] _ssl.c:351: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib

So I think the problem has to be the configuration part of
Import CA of the engine in your browser

Can anyone give instructions for dummies to do this, please?
Then I'll put into the wiki when I'm able to use it... ;-)

I see that in engine I have under /etc/pki/ovirt-engine

lrwxrwxrwx. 1 root root 6 Feb 10 2013 apache-ca.pem -> ca.pem
-rw-r--r--. 1 root root 563 Feb 10 2013 cacert.conf
-rw-r--r--. 1 root root 505 Feb 10 2013 cacert.template
-rw-r--r--. 1 root root 384 Nov 14 12:44 cacert.template.in
-rw-r-----. 1 ovirt ovirt 4810 Feb 10 2013 ca.pem
-rw-r--r--. 1 root root 557 Feb 10 2013 cert.conf
drwxr-xr-x. 2 ovirt ovirt 4096 Nov 14 12:44 certs
-rw-r--r--. 1 root root 557 Feb 10 2013 cert.template
-rw-r--r--. 1 root root 483 Nov 14 12:44 cert.template.in
-rw-r--r--. 1 ovirt ovirt 292 Feb 10 2013 database.txt
-rw-r--r--. 1 ovirt ovirt 20 Feb 10 2013 database.txt.attr
-rw-r--r--. 1 root root 20 Feb 10 2013 database.txt.attr.old
-rw-r--r--. 1 root root 225 Feb 10 2013 database.txt.old
drwxr-xr-x. 2 root root 4096 Nov 14 12:44 keys
-rw-r--r--. 1 root root 548 Nov 14 12:44 openssl.conf
drwxr-x---. 2 ovirt ovirt 4096 Nov 14 12:44 private
drwxr-xr-x. 2 ovirt ovirt 4096 Nov 14 12:44 requests
-rw-r--r--. 1 ovirt ovirt 3 Feb 10 2013 serial.txt
-rw-r--r--. 1 root root 3 Feb 10 2013 serial.txt.old

I've tried to import ca.pem and I'm requested a password if I try to import under certificates tab, while it seems to import if under certification authorities tab, but I continue to get that error....

Thanks in advance,
Gianluca
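Added example, not part of the original post and not oVirt code: the exception logged by ovirt-websocket-proxy.py above carries a packed OpenSSL error code, and unpacking it shows which library call failed and in which process. It assumes the OpenSSL 1.0.x/1.1.x code layout (8-bit library, 12-bit function, 12-bit reason); `SAMPLE_LOG`, `LINE_RE`, `unpack_openssl_error` and `triage` are names made up for this sketch.

```python
import re

# Constructed sample: line 1 is the log line quoted in the post above; line 2
# is made up here to show that unrelated lines are skipped.
SAMPLE_LOG = """\
Dec 7 18:51:16 tekkaman ovirt-websocket-proxy.py[22356]: 5: handler exception: [Errno 336265225] _ssl.c:351: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
Dec 7 18:51:20 tekkaman systemd[1]: Started Session 12 of user root.
"""

# Shape of a Python ssl error wrapping an OpenSSL error string:
# [Errno <decimal>] <source>: error:<hex code>:<library>:<function>:<reason>
LINE_RE = re.compile(
    r"ovirt-websocket-proxy\.py\[\d+\]: .*?handler exception: "
    r"\[Errno (?P<errno>\d+)\] (?P<src>\S+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)


def unpack_openssl_error(code):
    """Split a packed OpenSSL 1.0.x/1.1.x error code (assumed layout):
    8-bit library, 12-bit function, 12-bit reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def triage(log_text):
    """Return one finding per websocket-proxy TLS exception in log_text."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        code = int(m.group("code"), 16)
        lib, func, reason = unpack_openssl_error(code)
        findings.append({
            # The bracketed Errno is the same packed code printed in decimal.
            "errno_matches_code": int(m.group("errno")) == code,
            "lib": lib, "func": func, "reason": reason,
            "function": m.group("func"),
            "reason_text": m.group("reason").strip(),
            # SSL_CTX_use_* calls install the calling process's own key or
            # certificate into its TLS context, so a failure there happens
            # inside the proxy process while it reads its own key file.
            "proxy_side_credential_load": m.group("func").startswith("SSL_CTX_use_"),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```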

Hello,
please import certificate authority (not only the certificate) into your browser. You can find basic instructions here: http://www.ovirt.org/Console_Client_Resources under "spice-html5" bullet. After you download the CA file (https://<your engine address>/ca.crt), you can import it to chrome via "Settings->Show advanced settings->Manage certificates->Certificate authority subtab" using import button.
Cheers! Frank

----- Original Message -----
From: "Gianluca Cecchi" <gianluca.cecchi@gmail.com>
To: "users" <users@ovirt.org>
Sent: Saturday, December 7, 2013 6:57:56 PM
Subject: [Users] unable to use spice-html5 in chrome due to certificate error

On Mon, Dec 9, 2013 at 11:05 AM, Frantisek Kobzik wrote:
> Hello,
> please import certificate authority (not only the certificate) into your browser. You can find basic instructions here: http://www.ovirt.org/Console_Client_Resources under "spice-html5" bullet. After you download the CA file (https://<your engine address>/ca.crt), you can import it to chrome via "Settings->Show advanced settings->Manage certificates->Certificate authority subtab" using import button.
> Cheers! Frank

Thanks, done.
This is now what I get when I then select console options, spice html5 browser client and try to open console:
https://drive.google.com/file/d/0BwoPbcrMv8mvRnRjZWdGbzlWWFE/edit?usp=sharin...

Gianluca

On Mon, Dec 9, 2013 at 10:11 PM, Gianluca Cecchi wrote:
> On Mon, Dec 9, 2013 at 11:05 AM, Frantisek Kobzik wrote:
>> Hello,
>> please import certificate authority (not only the certificate) into your browser. You can find basic instructions here: http://www.ovirt.org/Console_Client_Resources under "spice-html5" bullet. After you download the CA file (https://<your engine address>/ca.crt), you can import it to chrome via "Settings->Show advanced settings->Manage certificates->Certificate authority subtab" using import button.
>> Cheers! Frank
>
> Thanks, done. This is now what I get when I then select console options, spice html5 browser client and try to open console: https://drive.google.com/file/d/0BwoPbcrMv8mvRnRjZWdGbzlWWFE/edit?usp=sharin...
> Gianluca

If I use tekkaman.localdomain.local name to connect to webadmin (so as the certificate) I now get correct ssl icon in page, but same black screen when using spice html5 browser

I notice that inside the opened console window I still get this link:
https://tekkaman.localdomain.local//ovirt-engine-spicehtml5-main.html?host=192.168.1.101&port=6100
What determines the 192.168.1.101 part here?

BTW: even if I open a new tab putting
https://tekkaman.localdomain.local//ovirt-engine-spicehtml5-main.html?host=tekkaman.localdomain.local&port=6100
I still get black window so I don't know if it is the crucial part....

note that this is AIO so engine and host are the same one....

Gianluca

On Mon, Dec 9, 2013 at 10:18 PM, Gianluca Cecchi wrote:
> I notice that inside the opened console window I still get this link:
> https://tekkaman.localdomain.local//ovirt-engine-spicehtml5-main.html?host=192.168.1.101&port=6100
> What determines the 192.168.1.101 part here?

I had WebSocketProxy engine variable set to the ip... and this is what determines url composition...

So now after
engine-config -s WebSocketProxy=tekkaman.localdomain.local:6100
and restart of whole AIO server, on it I have

[root@tekkaman ~]# netstat -an|grep 6100
tcp 0 0 0.0.0.0:6100 0.0.0.0:* LISTEN
[root@tekkaman ~]# iptables -L -n | grep 6100
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:6100

from client
[g.cecchi@ope46 ~]$ telnet tekkaman.localdomain.local 6100
Trying 192.168.1.101...
Connected to tekkaman.localdomain.local.
Escape character is '^]'.

still from my client, both using firefox and chrome as a test I get only black window

Inside firefox debugger for this window I see
[22:53:17.949] Firefox can't establish a connection to the server at wss://tekkaman.localdomain.local:6100/[long base64 string omitted]. @ https://tekkaman.localdomain.local//ovirt-engine-files/spice-html5/spiceconn...
[22:53:17.950] "ERROR: >> WebSockets.onerror[object Event]"
[22:53:17.951] "ERROR: [object Event]"
[22:53:17.951] ">> disconnect"
[22:53:17.952] "<< disconnect"

How to further debug to solve?

Strange.
Just a question: are you totally sure you imported the certificate authority (not the certificate only)? (the websocket proxy uses different key/cert pair than the engine, but they have common CA that issues them).
Btw - could you please try noVNC client as well? I wonder if it prints the same thing.
Thank you, Frank.

----- Original Message -----
From: "Gianluca Cecchi" <gianluca.cecchi@gmail.com>
To: "Frantisek Kobzik" <fkobzik@redhat.com>
Cc: "users" <users@ovirt.org>
Sent: Monday, December 9, 2013 11:03:09 PM
Subject: Re: [Users] unable to use spice-html5 in chrome due to certificate error

On Tue, Dec 10, 2013 at 9:31 AM, Frantisek Kobzik wrote:
> Strange.
> Just a question: are you totally sure you imported the certificate authority (not the certificate only)? (the websocket proxy uses different key/cert pair than the engine, but they have common CA that issues them).
> Btw - could you please try noVNC client as well? I wonder if it prints the same thing.
> Thank you, Frank.

I imported the .crt file as indicated.
See "tekka" under authorities in firefox, but the same with chrome
https://drive.google.com/file/d/0BwoPbcrMv8mvV2wxRkhWeFM3YlU/edit?usp=sharin...
The novnc for a f19 vm gives same black window and I see in the top part the message:
Server disconnected (code: 1006)

Gianluca