[ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/
Jiri Belka
jbelka at redhat.com
Tue Aug 16 07:46:12 UTC 2016
So,
I used this for my own ca test:
OWN CA AND OWN ENGINE KEY/CRT
=============================
0> CA
# awk '/my-/ || $1 ~ /^[^#]*_default/' /etc/pki/tls/openssl.cnf
certificate = $dir/my-ca.crt # The CA certificate
crl = $dir/my-ca.crl # The current CRL
private_key = $dir/private/my-ca.key # The private key
countryName_default = CZ
stateOrProvinceName_default = Jihomoravsky kraj
localityName_default = Brno
0.organizationName_default = Shoot them in the head, s. r. o.
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
cd /etc/pki/CA
(umask 077 ; openssl genrsa -out private/my-ca.key -des3 2048 )
openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt
0> engine cert
openssl genrsa -out my-engine.key 4096
openssl req -new -out my-engine.csr -key my-engine.key
openssl ca -in my-engine.csr -out my-engine.crt
# use 'mypass' for p12 bundle export !!!
openssl pkcs12 -export -out my-engine.p12 -inkey my-engine.key -in my-engine.crt -chain -CAfile /etc/pki/CA/my-ca.crt
0> existing engine keys/certs/p12 replacement
(follow $engine_url/ovirt-engine/docs/manual/en_US/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html)
rm -f /etc/pki/ovirt-engine/apache-ca.pem
cp my-engine.crt /etc/pki/ovirt-engine/apache-ca.pem
cp my-engine.p12 /etc/pki/ovirt-engine/keys/apache.p12
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /etc/pki/ovirt-engine/certs/apache.cer
install -o ovirt -g ovirt -m 600 /dev/null /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
# 'changeit' is default java truststore pass on EL
cat > /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf << EOF
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="changeit"
EOF
0> add custom CA into system truststore after backup
cp /etc/pki/CA/my-ca.crt /etc/pki/ca-trust/source/anchors/CA.crt
update-ca-trust
0> check if system truststore knows about custom CA
openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 -noout
# 'changeit' is default java truststore pass on EL
keytool -list -keystore /etc/pki/java/cacerts -storepass changeit | grep "$( openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 -noout | sed -e '/SHA1/s/.*=//;' )"
grep -IR "$(sed -n '2p' /etc/pki/ca-trust/source/anchors/CA.crt)" /etc/pki/ca-trust/extracted/
0> engine-setup pki configuration check
engine-setup # see if 'PKI CONFIGURATION' section passed without errors
(doctext here https://bugzilla.redhat.com/show_bug.cgi?id=1336838)
And this for websocket proxy:
# cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
PROXY_PORT=6100
SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
SSL_ONLY=True
You can start manually websocket proxy:
/usr/share/ovirt-engine/services/ovirt-websocket-proxy/ovirt-websocket-proxy.py --help
Usage: ovirt-websocket-proxy.py [options] start
Options:
-h, --help show this help message and exit
-d, --debug debug mode
--pidfile=FILE pid file to use
--background Go into the background
--systemd=SYSTEMD Systemd type simple|notify
--redirect-output Redirect output of daemon
It is also handy to do:
openssl s_client -connect $websocketproxy_host:6100
j.
----- Original Message -----
From: "aleksey maksimov" <aleksey.maksimov at it-kb.ru>
To: "Jiri Belka" <jbelka at redhat.com>
Cc: "users" <users at ovirt.org>
Sent: Tuesday, August 16, 2016 9:33:54 AM
Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/
Jiri, I did not hide information. Tell me what the log file should show and I will show
16.08.2016, 10:29, "Jiri Belka" <jbelka at redhat.com>:
> It does have logs, filenames "hide" real data.
>
> You should reveal logs and what each file is and
> which exact commands you were executing.
>
> Vague statements won't help much. It does work for me,
> there much be something strange in your setup but we
> cannot know what without details.
>
> j.
>
> ----- Original Message -----
> From: "aleksey maksimov" <aleksey.maksimov at it-kb.ru>
> To: "Jiri Belka" <jbelka at redhat.com>
> Cc: "users" <users at ovirt.org>
> Sent: Monday, August 15, 2016 6:18:48 PM
> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/
>
> I tried a version of Nicolás.
> No success :((
>
> 1) I create full bundle cert file:
>
> # cat /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/apache-ca.pem > /etc/pki/ovirt-engine/certs/apache-with-ca.cer
> # openssl verify /etc/pki/ovirt-engine/certs/apache-with-ca.cer
>
> /etc/pki/ovirt-engine/certs/apache-with-ca.cer: OK
>
> 2) I changed config file:
>
> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>
> PROXY_PORT=6100
> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache-with-ca.cer
> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
> SSL_ONLY=True
> FORCE_DATA_VERIFICATION=False
>
> 3) I restarted the service
>
> # service ovirt-websocket-proxy restart
>
> Problem still exists :(
> Any ideas how to trablshut problem?
>
> 14.08.2016, 08:59, "aleksey.maksimov at it-kb.ru" <aleksey.maksimov at it-kb.ru>:
>> Hi Jiri.
>> But your variant does not work, too
>>
>> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>> PROXY_PORT=6100
>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>> SSL_ONLY=True
>>
>> Some error:
>> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>>
>> any ideas how to trablshut problem?
>>
>> 14.08.2016, 01:53, "Jiri Belka" <jbelka at redhat.com>:
>>> I have different files for those variables, maybe this is the case?
>>>
>>> Review again.
>>>
>>> j.
>>>
>>> ----- Original Message -----
>>> From: "aleksey maksimov" <aleksey.maksimov at it-kb.ru>
>>> To: "Jiri Belka" <jbelka at redhat.com>
>>> Cc: "users" <users at ovirt.org>
>>> Sent: Saturday, August 13, 2016 4:57:45 PM
>>> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/
>>>
>>> I changed my file /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf to:
>>>
>>> PROXY_PORT=6100
>>> #SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
>>> #SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
>>> #CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
>>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/apache-ca.pem
>>> SSL_ONLY=True
>>>
>>> ...and restart HostedEngine VM.
>>> Problem still exists.
>>>
>>> 13.08.2016, 17:52, "aleksey.maksimov at it-kb.ru" <aleksey.maksimov at it-kb.ru>:
>>>> It does not work for me. any ideas?
>>>>
>>>> 02.08.2016, 17:22, "Jiri Belka" <jbelka at redhat.com>:
>>>>> This works for me:
>>>>>
>>>>> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>>>> PROXY_PORT=6100
>>>>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
>>>>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>>>> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>>>> SSL_ONLY=True
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "aleksey maksimov" <aleksey.maksimov at it-kb.ru>
>>>>> To: "users" <users at ovirt.org>
>>>>> Sent: Monday, August 1, 2016 12:13:38 PM
>>>>> Subject: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/
>>>>>
>>>>> Hello oVirt guru`s !
>>>>>
>>>>> I have successfully replaced the oVirt 4 site SSL-certificate according to the instructions from "Replacing oVirt SSL Certificate"
>>>>> section in "oVirt Administration Guide"
>>>>> http://www.ovirt.org/documentation/admin-guide/administration-guide/
>>>>>
>>>>> 3 files have been replaced:
>>>>>
>>>>> /etc/pki/ovirt-engine/certs/apache.cer
>>>>> /etc/pki/ovirt-engine/keys/apache.key.nopass
>>>>> /etc/pki/ovirt-engine/apache-ca.pem
>>>>>
>>>>> Now the oVirt site using my certificate and everything works fine, but when I try to use SPICE HTML5 browser client in Firefox or Chrome I see a gray screen and message under the button "Toggle messages output":
>>>>>
>>>>> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>>>>>
>>>>> Before replacing certificates SPICE HTML5 browser client works.
>>>>> Native SPICE client works fine.
>>>>>
>>>>> Tell me what to do with SPICE HTML5 browser client?
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at ovirt.org
>>>>> http://lists.ovirt.org/mailman/listinfo/users
More information about the Users
mailing list