[Users] noVNC with intermediate certificates

Alon Bar-Lev alonbl at redhat.com
Sun Jan 12 19:01:17 UTC 2014



----- Original Message -----
> From: "Markus Stockhausen" <stockhausen at collogia.de>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: "ovirt-users" <users at ovirt.org>
> Sent: Sunday, January 12, 2014 8:54:05 PM
> Subject: AW: [Users] noVNC with intermediate certificates
> 
> > Von: Alon Bar-Lev [alonbl at redhat.com]
> > Gesendet: Samstag, 11. Januar 2014 19:56
> > An: Markus Stockhausen
> > Cc: ovirt-users
> > Betreff: Re: [Users] noVNC with intermediate certificates
> > 
> > Hi,
> > 
> > Can you please try to specify
> > 
> > SSL_CERTIFICATE=xxx
> > 
> > where xx contains the complete certificate chain in reverse?
> > 
> > -----BEGIN CERTIFICATE-----
> > ... (certificate for your server)...
> > -----END CERTIFICATE-----
> > -----BEGIN CERTIFICATE-----
> > ... (the certificate for the CA)...
> > -----END CERTIFICATE-----
> > -----BEGIN CERTIFICATE-----
> > ... (the root certificate for the CA's issuer)...
> > -----END CERTIFICATE-----
> > 
> > Of course you need matching SSL_KEY.
> > 
> > Regards,
> > Alon
> 
> The tests say:
> 
> The intermediate certificate is not really needed. The explanation
> is quite simple. If you navigate to the admin page over https
> the apache webserver presents the intermediate certificate.
> This is temporarily stored in the (Firefox) browser. When you
> open the noVNC console it is automatically trusted.
> 
> BUT! You will still get a certificate warning if you navigate directly
> to https://<server>:6100 after opening the browser.
> 
> Nevertheless your hint seems to help. I just added the
> intermediate certificate to the standard file
> /etc/pki/ovirt-engine/certs/websocket-proxy.cer
> and a direct connect to https://<server>:6100 gives
> no warnings.

That's great.

Please refrain from overwriting product files, provide your own and modify configuration.

> 
> Thanks.
> 
> Markus
> 



More information about the Users mailing list