[Users] noVNC with intermediate certificates

Alon Bar-Lev alonbl at redhat.com
Sat Jan 11 18:56:04 UTC 2014


Hi,

Can you please try to specify 

SSL_CERTIFICATE=xxx

where xxx contains the complete certificate chain in reverse?

-----BEGIN CERTIFICATE-----
... (certificate for your server)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the certificate for the CA)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the root certificate for the CA's issuer)...
-----END CERTIFICATE-----

Of course you need a matching SSL_KEY.

Regards,
Alon

----- Original Message -----
> From: "Markus Stockhausen" <stockhausen at collogia.de>
> To: "ovirt-users" <users at ovirt.org>
> Sent: Friday, January 10, 2014 10:47:09 PM
> Subject: [Users] noVNC with intermediate certificates
> 
> Hello,
> 
> after configuring noVNC websocket proxy I would like to load
> an officially signed certificate into it. Otherwise I would always
> have to accept the self-signed certificate on port 6100. See here:
> 
> http://lists.ovirt.org/pipermail/users/2013-October/017108.html
> 
> From the configuration file I know where to place the signed
> certificate but our generated certificates depend on intermediate
> certificates. At the moment I'm missing the option to load/advertise
> that intermediate certificate.
> 
> # cat /ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
> PROXY_PORT=6100
> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
> SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
> FORCE_DATA_VERIFICATION=True
> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
> SSL_ONLY=True
> 
> In apache I usually go with:
> 
> SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer
> SSLCertificateKeyFile /etc/pki/ovirt-engine/keys/apache.key.nopass
> SSLCertificateChainFile /etc/pki/ovirt-engine/certs/server-chain.crt
> 
> Any tips?
> 
> Markus
> 
> 
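
The bundle layout suggested in the reply (server certificate first, then the CA, then the root, with a matching SSL_KEY) can be checked with the openssl command line before the file is referenced from SSL_CERTIFICATE. The script below is an added example, not part of the thread or of oVirt; the function names `cert_name` and `check_bundle` are hypothetical, and it assumes the `openssl` CLI is installed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): sanity-check a PEM bundle intended for
# SSL_CERTIFICATE. Expected order: server, intermediate(s), root.

# Print one name field (subject|issuer) of the first certificate in a file.
cert_name() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# check_bundle BUNDLE KEY: prints "ok" and returns 0, or prints the problem
# and returns 1. Checks name chaining and key match, not signatures or expiry.
check_bundle() {
    local bundle="$1" key="$2" tmp count i
    tmp=$(mktemp -d) || return 2
    # Split the bundle into 1.pem, 2.pem, ... in file order.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$bundle"
    count=$(find "$tmp" -name '*.pem' | wc -l)
    if [ "$count" -eq 0 ]; then
        echo "no certificates found"; rm -rf "$tmp"; return 1
    fi
    # The private key must belong to the first certificate (the server's).
    if [ "$(openssl x509 -in "$tmp/1.pem" -noout -pubkey)" != \
         "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "key does not match first certificate"; rm -rf "$tmp"; return 1
    fi
    # Each certificate must name the one that follows it as its issuer.
    i=1
    while [ "$i" -lt "$count" ]; do
        if [ "$(cert_name "$tmp/$i.pem" issuer)" != \
             "$(cert_name "$tmp/$((i + 1)).pem" subject)" ]; then
            echo "certificate $i is not issued by certificate $((i + 1))"
            rm -rf "$tmp"; return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"; echo "ok"
}

# Usage: ./check_bundle.sh BUNDLE.pem KEY.pem
if [ "$#" -eq 2 ]; then check_bundle "$1" "$2"; fi
```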


