[Users] replacing self-signed certificates
Thomas Suckow
thomas.suckow at pnnl.gov
Wed Nov 20 18:00:07 UTC 2013
I don't know about the native SPICE client, but here is what I did for
apache and the websocket proxy:

In /etc/httpd/conf.d/ssl.conf it lists

    SSLCertificateFile
    SSLCertificateKeyFile
    SSLCertificateChainFile
    SSLCACertificateFile

Those are the files you need to replace for the web interface. My certs
were combined, so I actually only use SSLCertificateFile and
SSLCertificateChainFile

NOTE: If you modify ssl.conf, the path
/etc/pki/ovirt-engine/apache-ca.pem is used by ovirt-iso-uploader.
Uploads will fail unless you replace/symlink that file or specify a CA
certificate on the command line. I actually linked to my chain file and
it seems to be happy.

Websocket Proxy:

/etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf defines the
certificates.

The websocket proxy needs a combined certificate file with your cert and
the entire chain for SSL_CERTIFICATE

SSL_KEY is just the unencrypted key, and it MUST be accessible by the
ovirt user.

As for spice, I am not sure, I am guessing it is
/etc/pki/ovirt-engine/keys/engine_id_rsa and
/etc/pki/ovirt-engine/keys/certs/engine.cer

Not sure where they are referenced except by the websocket proxy.
--
Thomas
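
The websocket proxy requirements described above, as an added example that is not part of the original post or of oVirt: a preflight check that reads SSL_CERTIFICATE and SSL_KEY from 10-setup.conf and verifies the bundle holds a chain, the key is unencrypted, and the key is readable by the service account. It assumes KEY=value lines in the conf file, GNU stat, and a key owned by the ovirt user; the "not readable by others" test is an extra check added here.

```shell
#!/bin/sh
# Added example: preflight for the websocket proxy TLS files.
# Assumptions: 10-setup.conf uses KEY=value lines; GNU stat; the key is
# owned by the service account. Text and permission checks only: no
# signature, expiry or key/cert match validation is done here.

conf_value() {            # $1=conf file  $2=key name
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

pem_cert_count() {        # number of certificates in a PEM bundle
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

key_is_unencrypted() {    # rejects PKCS#8 and traditional encrypted PEM keys
    grep -q 'PRIVATE KEY-----' "$1" || return 1
    ! grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

key_access_ok() {         # $1=key file  $2=numeric uid of the service account
    owner=$(stat -c %u "$1") && mode=$(stat -c %a "$1") || return 1
    # owned by that uid, owner-readable, no access for "other"
    [ "$owner" = "$2" ] && [ $(( 0$mode & 0400 )) -ne 0 ] &&
        [ $(( 0$mode & 0007 )) -eq 0 ]
}

check_proxy_conf() {      # $1=conf file  $2=numeric uid; prints FAIL lines
    cert=$(conf_value "$1" SSL_CERTIFICATE)
    key=$(conf_value "$1" SSL_KEY)
    if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
        echo "FAIL: SSL_CERTIFICATE or SSL_KEY file not found"; return 1
    fi
    rc=0
    [ "$(pem_cert_count "$cert")" -ge 2 ] ||
        { echo "FAIL: $cert holds fewer than 2 certificates (chain missing?)"; rc=1; }
    key_is_unencrypted "$key" ||
        { echo "FAIL: $key is passphrase-protected or not a PEM key"; rc=1; }
    key_access_ok "$key" "$2" ||
        { echo "FAIL: $key not owned by uid $2, or readable by others"; rc=1; }
    return "$rc"
}

# Usage (as root): sh check.sh <path to 10-setup.conf>
if [ "$#" -eq 1 ]; then check_proxy_conf "$1" "$(id -u ovirt)"; fi
```

If the key is instead made readable to the ovirt user through group membership, key_access_ok will report a failure and needs adapting to that layout.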