[ovirt-users] Unable to run noVNC console on recent browsers

Darrell Budic budic at onholyground.com
Fri Feb 20 21:13:30 UTC 2015


Yeah, any X.509 cert not ultimately signed by a major trust anchor was problematic. I noticed it on some internal sites signed by my FreeIPA CA myself.

> On Feb 20, 2015, at 11:50 AM, Simone Tiraboschi <stirabos at redhat.com> wrote:
> 
> 
> 
> ----- Original Message -----
>> From: "Darrell Budic" <budic at onholyground.com>
>> To: "Simone Tiraboschi" <stirabos at redhat.com>
>> Cc: "users" <users at ovirt.org>
>> Sent: Friday, February 20, 2015 5:57:10 PM
>> Subject: Re: [ovirt-users] Unable to run noVNC console un recent browsers
>> 
>> I had some trouble with self-signed certs in Firefox when they switched to the
>> new PKIX stuff recently; have you tried setting
>> security.use_mozillapkix_verification to false?
> 
> The websocket proxy cert is not self-signed: it's normally signed by the internal oVirt CA. 
> 
>>> On Feb 20, 2015, at 8:56 AM, Simone Tiraboschi <stirabos at redhat.com> wrote:
>>> 
>>> 
>>> 
>>> ----- Original Message -----
>>>> From: "Donny Davis" <donny at cloudspin.me>
>>>> To: "Simone Tiraboschi" <stirabos at redhat.com>
>>>> Cc: users at ovirt.org
>>>> Sent: Friday, February 20, 2015 3:53:04 PM
>>>> Subject: RE: [ovirt-users] Unable to run noVNC console un recent browsers
>>>> 
>>>> No, I made my life easy and used nginx to proxy for the websocket. I was then
>>>> able to use my commercial SSL cert to avoid all of these issues. Using a
>>>> proxy for a proxy has been working out quite well for cloudspin, because I
>>>> don't have to mess with anything internal to the engine and noVNC works
>>>> without issue.
>>> 
>>> Yes, using the oVirt internal CA is just the low-profile out-of-the-box
>>> solution.
>>> 
>>>> DonnyD
>>>> 
>>>> -----Original Message-----
>>>> From: Simone Tiraboschi [mailto:stirabos at redhat.com]
>>>> Sent: Friday, February 20, 2015 7:03 AM
>>>> To: Donny Davis
>>>> Subject: Re: [ovirt-users] Unable to run noVNC console un recent browsers
>>>> 
>>>> 
>>>> 
>>>> ----- Original Message -----
>>>>> From: "Donny Davis" <donny at cloudspin.me>
>>>>> To: "Simone Tiraboschi" <stirabos at redhat.com>
>>>>> Sent: Friday, February 20, 2015 2:23:56 PM
>>>>> Subject: RE: [ovirt-users] Unable to run noVNC console un recent
>>>>> browsers
>>>>> 
>>>>> Is your websocket proxy on the same machine as your engine? I also get
>>>>> the CA error when the time is off. The proxy throws the error to
>>>>> /var/log/messages
>>>> 
>>>> Hi Donny,
>>>> I'm using the proxy on the same machine where the engine runs.
>>>> No error till now on my side.
>>>> 
>>>> I also trusted oVirt internal CA to sign other certs in my browser. Did
>>>> you?
>>>> You can find it at https://{engine}/ca.crt
>>>> 
>>>> You should download it and add it to the list of trusted certification
>>>> authorities in your browser.
>>>> 
>>>>> -----Original Message-----
>>>>> From: users-bounces at ovirt.org [mailto:users-bounces at ovirt.org] On
>>>>> Behalf Of Simone Tiraboschi
>>>>> Sent: Friday, February 20, 2015 5:57 AM
>>>>> To: Stefano Danzi
>>>>> Cc: users at ovirt.org
>>>>> Subject: Re: [ovirt-users] Unable to run noVNC console un recent
>>>>> browsers
>>>>> 
>>>>> 
>>>>> 
>>>>> ----- Original Message -----
>>>>>> From: "Stefano Danzi" <s.danzi at hawai.it>
>>>>>> To: "Darrell Budic" <budic at onholyground.com>
>>>>>> Cc: users at ovirt.org
>>>>>> Sent: Friday, February 20, 2015 9:07:51 AM
>>>>>> Subject: Re: [ovirt-users] Unable to run noVNC console un recent
>>>>>> browsers
>>>>>> 
>>>>>> Hello!
>>>>>> Already done but this didn't help.
>>>>>> 
>>>>>> I downloaded a portable version of Firefox 17 and noVNC works as
>>>>>> expected.
>>>>>> 
>>>>>> On 20/02/2015 5.18, Darrell Budic wrote:
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Try reimporting the ca.cert for noVNC by connecting directly to the
>>>>>> webproxy address at port 6100. Do this by trying to connect to a
>>>>>> console and then, once the 1006 error shows up, just strip off
>>>>>> everything after :6100/ . I've found that somewhere in or after 3.5,
>>>>>> restarting the webproxy causes it to generate its own new ca.cert even
>>>>>> though it shouldn't.
>>>>>> 
>>>>>> -Darrell
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On Feb 19, 2015, at 4:09 PM, Stefano Danzi <s.danzi at hawai.it> wrote:
>>>>>> 
>>>>>> Hello,
>>>>>> 
>>>>>> I can't make the noVNC console work on recent browsers (Chrome 40,
>>>>>> Firefox 35 and IE 11).
>>>>>> 
>>>>>> The error that I have is already explained here:
>>>>>> https://forge.univention.org/bugzilla/show_bug.cgi?id=33587
>>>>>> I tried to change websocket as suggested
>>>>>> ( http://errata.univention.de/ucs/3.2/31.html ) but this did not help.
>>>>> 
>>>>> noVNC 0.5.1 should soon be released in EPEL6/EPEL7 as per [1].
>>>>> noVNC 0.5.1 should also improve compatibility with recent browsers.
>>>>> 
>>>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1193454#c3
>>>>> 
>>>>> 
>>>>>> Does someone know a workaround?
>>>>>> _______________________________________________
>>>>>> Users mailing list Users at ovirt.org
>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>> 
>> 
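
A way to tell apart the two failure causes raised in this thread (a websocket proxy certificate that does not chain to the CA the browser trusts, versus a clock that is off), as an added example that is not part of the original messages. It assumes OpenSSL 1.1.0 or later and that the CA file downloaded from https://{engine}/ca.crt is PEM; the host and file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Needs OpenSSL >= 1.1.0
# (-no_check_time, and a non-zero exit from `openssl verify` on failure).

# fetch_leaf HOST PORT OUT_PEM
# Save the certificate the websocket proxy presents on HOST:PORT.
fetch_leaf() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$3"
}

# chain_ok CA_PEM LEAF_PEM [extra `openssl verify` options...]
# Exit 0 if LEAF_PEM verifies with CA_PEM supplied as a trusted CA.
chain_ok() {
    ca=$1; leaf=$2; shift 2
    openssl verify -CAfile "$ca" "$@" "$leaf" >/dev/null 2>&1
}

# diagnose CA_PEM LEAF_PEM [EPOCH]
# Prints one word and returns 0 only for "ok":
#   ok                 chain and validity period are fine at EPOCH (default: now)
#   clock-or-validity  chain is fine, but EPOCH is outside notBefore/notAfter
#                      (local clock off, or certificate expired / not yet valid)
#   untrusted          the certificate does not chain to CA_PEM at all
diagnose() {
    at=${3:-$(date +%s)}
    if chain_ok "$1" "$2" -attime "$at"; then
        echo ok
    elif chain_ok "$1" "$2" -no_check_time; then
        echo clock-or-validity
        return 1
    else
        echo untrusted
        return 1
    fi
}

# Usage (placeholder names):
#   fetch_leaf engine.example 6100 proxy.pem
#   diagnose ca.crt proxy.pem
```

An "untrusted" result after a proxy restart matches the regenerated-certificate case described earlier in the thread; "clock-or-validity" points at time synchronisation or an expired certificate rather than at the CA import.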



