[ovirt-users] Spice SSL Certificate

Kristof VAN DEN EYNDEN Kristof.VANDENEYNDEN at politiewestkust.be
Wed Dec 23 12:18:30 UTC 2015 

I was trying to get Spice or VNC to work on Firefox. After activating the ovirt-websocket-proxy settings (using this guide https://access.redhat.com/solutions/718653)

I kept on getting error - Server disconnected (code: 1006). This pointed me to other posts stating it was a certificate issue. After doing some research I found  post: https://bugzilla.redhat.com/show_bug.cgi?id=1098574

So I started tracing the messages: grep -i 'websocket.*trace' /var/log/messages

Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,314 ovirt-websocket-proxy: INFO msg:824 Got SIGTERM, exiting
Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,314 ovirt-websocket-proxy: INFO msg:824 In exit
Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,514 ovirt-websocket-proxy: INFO msg:824 WebSocket server settings:
Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,515 ovirt-websocket-proxy: INFO msg:824   - Listen on *:6100
Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,515 ovirt-websocket-proxy: INFO msg:824   - Flash security policy server
Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,515 ovirt-websocket-proxy: INFO msg:824   - SSL/TLS support
Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,515 ovirt-websocket-proxy: INFO msg:824   - Deny non-SSL/TLS connections
Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,515 ovirt-websocket-proxy: INFO msg:824   - Recording to '/tmp/websocketproxy_trace.log.*'
Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,519 ovirt-websocket-proxy: INFO msg:824   - proxying from *:6100 to targets in /dummy
Dec 23 13:47:19 ovirt36 2015-12-23 13:47:19,543 ovirt-websocket-proxy: INFO msg:824 handler exception: [Errno 1] _ssl.c:1390: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Dec 23 13:48:12 ovirt36 2015-12-23 13:48:12,328 ovirt-websocket-proxy: INFO msg:824 handler exception: [Errno 1] _ssl.c:1390: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Dec 23 13:49:49 ovirt36 2015-12-23 13:49:49,420 ovirt-websocket-proxy: INFO msg:824 handler exception: [Errno 1] _ssl.c:1390: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Dec 23 13:55:36 ovirt36 2015-12-23 13:55:36,114 ovirt-websocket-proxy: INFO msg:824 handler exception: [Errno 1] _ssl.c:1390: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Dec 23 13:56:40 ovirt36 2015-12-23 13:56:40,201 ovirt-websocket-proxy: INFO msg:824 handler exception: [Errno 1] _ssl.c:1390: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

So I added the certificate by surfing to https://(ovirt)/ca.crt
which gives following box in firefox :

[cid:image001.png at 01D13D83.B2200CB0]

So I assume it would be OK now? Nevertheless it still doesn't work! /var/log/messages still shows the same error? On another post I found that someone surfed to https://(ovirt):6100 and accepted the certificiate there. So I did the same thing which solved my problem immediately.

I don't quite understand the issue, feels like the CA is not getting authorized or the 2 certificates do not belong to the same CA ?

I can continue like this, but I feel it should be easier to complete?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20151223/43c532b5/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 19011 bytes
Desc: image001.png
URL: <http://lists.ovirt.org/pipermail/users/attachments/20151223/43c532b5/attachment-0001.png>

More information about the Users mailing list