[Users] noVNC with intermediate certificates
Alon Bar-Lev
alonbl at redhat.com
Sun Jan 12 14:01:17 EST 2014
----- Original Message -----
> From: "Markus Stockhausen" <stockhausen at collogia.de>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: "ovirt-users" <users at ovirt.org>
> Sent: Sunday, January 12, 2014 8:54:05 PM
> Subject: AW: [Users] noVNC with intermediate certificates
>
> > Von: Alon Bar-Lev [alonbl at redhat.com]
> > Gesendet: Samstag, 11. Januar 2014 19:56
> > An: Markus Stockhausen
> > Cc: ovirt-users
> > Betreff: Re: [Users] noVNC with intermediate certificates
> >
> > Hi,
> >
> > Can you please try to specify
> >
> > SSL_CERTIFICATE=xxx
> >
> > where xx contains the complete certificate chain in reverse?
> >
> > -----BEGIN CERTIFICATE-----
> > ... (certificate for your server)...
> > -----END CERTIFICATE-----
> > -----BEGIN CERTIFICATE-----
> > ... (the certificate for the CA)...
> > -----END CERTIFICATE-----
> > -----BEGIN CERTIFICATE-----
> > ... (the root certificate for the CA's issuer)...
> > -----END CERTIFICATE-----
> >
> > Of course you need matching SSL_KEY.
> >
> > Regards,
> > Alon
>
> The tests say:
>
> The intermediate certificate is not really needed. The explanation
> is quite simple. If you navigate to the admin page over https
> the apache webserver presents the intermediate certificate.
> This is temporarily stored in the (Firefox) browser. When you
> open the noVNC console it is automatically trusted.
>
> BUT! You will still get a certificate warning if you navigate directly
> to https://<server>:6100 after opening the browser.
>
> Nevertheless your hint seems to help. I just added the
> intermediate certificate to the standard file
> /etc/pki/ovirt-engine/certs/websocket-proxy.cer
> and a direct connect to https://<server>:6100 gives
> no warnings.
That's great.
Please refrain from overwriting product files, provide your own and modify configuration.
>
> Thanks.
>
> Markus
>
More information about the Users
mailing list