[Users] replacing self-signed certificates

i iordanov iiordanov at gmail.com
Wed Nov 20 18:43:29 UTC 2013


Hi Thomas,

Thanks for your response! This goes a long way; however, there is still the
unknown of where ovirt-engine takes the SPICE certificate and CA from.

Can somebody confirm that replacing just the files referenced in the apache
configuration will be sufficient?

Thanks!
iordan


On Wed, Nov 20, 2013 at 1:00 PM, Thomas Suckow <thomas.suckow at pnnl.gov> wrote:

> I don't know about the native SPICE client, but here is what I did for
> apache and the websocket proxy:
>
> In /etc/httpd/conf.d/ssl.conf it lists
> SSLCertificateFile
> SSLCertificateKeyFile
> SSLCertificateChainFile
> SSLCACertificateFile
>
> Those are the files you need to replace for the web interface. My certs
> were combined, so I actually only use SSLCertificateFile and
> SSLCertificateChainFile
>
> NOTE: If you modify ssl.conf, the path /etc/pki/ovirt-engine/apache-ca.pem
> is used by ovirt-iso-uploader. Uploads will fail unless you replace/symlink
> that file or specify a CA certificate on the command line. I actually
> linked to my chain file and it seems to be happy.
>
>
>
> Websocket Proxy:
>
> /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf defines the
> certificates.
>
> The websocket proxy needs a combined certificate file with your cert and
> the entire chain for SSL_CERTIFICATE.
> SSL_KEY is just the unencrypted key, and it MUST be accessible by the
> ovirt user.
>
>
>
> As for spice, I am not sure, I am guessing it is
> /etc/pki/ovirt-engine/keys/engine_id_rsa and
> /etc/pki/ovirt-engine/keys/certs/engine.cer
> Not sure where they are referenced except by the websocket proxy.
>
> --
> Thomas



-- 
The conscious mind has only one thread of execution.
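
Added example, not part of the original thread or of oVirt's own tooling: a pre-restart check for the websocket proxy requirements quoted above (SSL_CERTIFICATE holds the cert plus chain, SSL_KEY is unencrypted, matches the cert, and is readable by the ovirt user). It assumes 10-setup.conf uses KEY=value lines and that `openssl` is installed; the function names are hypothetical.

```shell
#!/bin/bash
# Assumption: the proxy config holds KEY=value lines, values optionally quoted.
# Usage: check_proxy_conf /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf

# Print the value of KEY ($2) from config file $1 (last assignment wins).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d "\"'"
}

# Number of certificates in a PEM bundle; 1 means the chain is missing.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeeds if the PEM key is passphrase-protected (the proxy needs it unencrypted).
key_is_encrypted() {
    grep -Eq -- 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeeds if the first certificate in bundle $1 and key $2 share a public key.
key_matches_cert() {
    local a b
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Run every check against a proxy config; print findings, return 1 on any failure.
check_proxy_conf() {
    local conf=$1 user=${2:-ovirt} cert key rc=0
    cert=$(conf_value "$conf" SSL_CERTIFICATE)
    key=$(conf_value "$conf" SSL_KEY)
    [ -r "$cert" ] && [ -r "$key" ] || { echo "FAIL: cert or key not readable"; return 1; }
    [ "$(cert_count "$cert")" -ge 2 ] || { echo "FAIL: $cert carries no chain"; rc=1; }
    key_is_encrypted "$key" && { echo "FAIL: $key is encrypted"; rc=1; }
    key_matches_cert "$cert" "$key" || { echo "FAIL: key does not match cert"; rc=1; }
    # Readability by the service account can only be tested when running as root.
    if [ "$(id -u)" = 0 ] && id "$user" >/dev/null 2>&1; then
        runuser -u "$user" -- test -r "$key" || { echo "FAIL: $user cannot read $key"; rc=1; }
    fi
    [ "$rc" = 0 ] && echo "OK: $cert and $key pass all checks"
    return $rc
}
```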