[ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/
aleksey.maksimov at it-kb.ru
Tue Aug 16 13:25:01 UTC 2016
Oh yeah :)
I mistakenly used a root certificate from a local CA for /etc/pki/ovirt-engine/apache-ca.pem.
Now I understood, and it works.
Thanks again.
16.08.2016, 16:15, "Jiri Belka" <jbelka at redhat.com>:
> IMO you "owe" explanation what was wrong, so other users
> could learn from your mistakes and this mailing-list archive
> would thus be beneficial for them when searching for help ;)
>
> Anyway, that's great news!
>
> j.
>
> ----- Original Message -----
> From: "aleksey maksimov" <aleksey.maksimov at it-kb.ru>
> To: "Jiri Belka" <jbelka at redhat.com>
> Cc: "users" <users at ovirt.org>
> Sent: Tuesday, August 16, 2016 2:59:21 PM
> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/
>
> Thank you, Jiri !
> I did everything step by step and SPICE HTML5 browser client now works.
>
> 16.08.2016, 10:46, "Jiri Belka" <jbelka at redhat.com>:
>> So,
>>
>> I used this for my own ca test:
>>
>> OWN CA AND OWN ENGINE KEY/CRT
>> =============================
>>
>> 0> CA
>>
>> # awk '/my-/ || $1 ~ /^[^#]*_default/' /etc/pki/tls/openssl.cnf
>> certificate = $dir/my-ca.crt # The CA certificate
>> crl = $dir/my-ca.crl # The current CRL
>> private_key = $dir/private/my-ca.key # The private key
>> countryName_default = CZ
>> stateOrProvinceName_default = Jihomoravsky kraj
>> localityName_default = Brno
>> 0.organizationName_default = Shoot them in the head, s. r. o.
>>
>> touch /etc/pki/CA/index.txt
>> echo 01 > /etc/pki/CA/serial
>> cd /etc/pki/CA
>> (umask 077 ; openssl genrsa -out private/my-ca.key -des3 2048 )
>> openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt
>>
>> 0> engine cert
>>
>> openssl genrsa -out my-engine.key 4096
>> openssl req -new -out my-engine.csr -key my-engine.key
>> openssl ca -in my-engine.csr -out my-engine.crt
>> # use 'mypass' for p12 bundle export !!!
>> openssl pkcs12 -export -out my-engine.p12 -inkey my-engine.key -in my-engine.crt -chain -CAfile /etc/pki/CA/my-ca.crt
>>
>> 0> existing engine keys/certs/p12 replacement
>>
>> (follow $engine_url/ovirt-engine/docs/manual/en_US/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html)
>>
>> rm -f /etc/pki/ovirt-engine/apache-ca.pem
>> cp my-engine.crt /etc/pki/ovirt-engine/apache-ca.pem
>> cp my-engine.p12 /etc/pki/ovirt-engine/keys/apache.p12
>> openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
>> openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /etc/pki/ovirt-engine/certs/apache.cer
>> install -o ovirt -g ovirt -m 600 /dev/null /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
>> # 'changeit' is default java truststore pass on EL
>> cat > /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf << EOF
>> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
>> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="changeit"
>> EOF
>>
>> 0> add custom CA into system truststore after backup
>>
>> cp /etc/pki/CA/my-ca.crt /etc/pki/ca-trust/source/anchors/CA.crt
>> update-ca-trust
>>
>> 0> check if system truststore knows about custom CA
>>
>> openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 -noout
>> # 'changeit' is default java truststore pass on EL
>> keytool -list -keystore /etc/pki/java/cacerts -storepass changeit | grep "$( openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 -noout | sed -e '/SHA1/s/.*=//;' )"
>> grep -IR "$(sed -n '2p' /etc/pki/ca-trust/source/anchors/CA.crt)" /etc/pki/ca-trust/extracted/
>>
>> 0> engine-setup pki configuration check
>>
>> engine-setup # see if 'PKI CONFIGURATION' section passed without errors
>>
>> (doctext here https://bugzilla.redhat.com/show_bug.cgi?id=1336838)
>>
>> And this for websocket proxy:
>>
>> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>> PROXY_PORT=6100
>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>> SSL_ONLY=True
>>
>> You can start manually websocket proxy:
>>
>> /usr/share/ovirt-engine/services/ovirt-websocket-proxy/ovirt-websocket-proxy.py --help
>> Usage: ovirt-websocket-proxy.py [options] start
>>
>> Options:
>> -h, --help show this help message and exit
>> -d, --debug debug mode
>> --pidfile=FILE pid file to use
>> --background Go into the background
>> --systemd=SYSTEMD Systemd type simple|notify
>> --redirect-output Redirect output of daemon
>>
>> It is also handy to do:
>>
>> openssl s_client -connect $websocketproxy_host:6100
>>
>> j.
>>
>> ----- Original Message -----
>> From: "aleksey maksimov" <aleksey.maksimov at it-kb.ru>
>> To: "Jiri Belka" <jbelka at redhat.com>
>> Cc: "users" <users at ovirt.org>
>> Sent: Tuesday, August 16, 2016 9:33:54 AM
>> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/
>>
>> Jiri, I did not hide information. Tell me what the log file should show and I will show
>>
>> 16.08.2016, 10:29, "Jiri Belka" <jbelka at redhat.com>:
>>> It does have logs, filenames "hide" real data.
>>>
>>> You should reveal logs and what each file is and
>>> which exact commands you were executing.
>>>
>>> Vague statements won't help much. It does work for me,
>>> there must be something strange in your setup but we
>>> cannot know what without details.
>>>
>>> j.
>>>
>>> ----- Original Message -----
>>> From: "aleksey maksimov" <aleksey.maksimov at it-kb.ru>
>>> To: "Jiri Belka" <jbelka at redhat.com>
>>> Cc: "users" <users at ovirt.org>
>>> Sent: Monday, August 15, 2016 6:18:48 PM
>>> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/
>>>
>>> I tried a version of Nicolás.
>>> No success :((
>>>
>>> 1) I create full bundle cert file:
>>>
>>> # cat /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/apache-ca.pem > /etc/pki/ovirt-engine/certs/apache-with-ca.cer
>>> # openssl verify /etc/pki/ovirt-engine/certs/apache-with-ca.cer
>>>
>>> /etc/pki/ovirt-engine/certs/apache-with-ca.cer: OK
>>>
>>> 2) I changed config file:
>>>
>>> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>>
>>> PROXY_PORT=6100
>>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache-with-ca.cer
>>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>> SSL_ONLY=True
>>> FORCE_DATA_VERIFICATION=False
>>>
>>> 3) I restarted the service
>>>
>>> # service ovirt-websocket-proxy restart
>>>
>>> Problem still exists :(
>>> Any ideas how to troubleshoot the problem?
>>>
>>> 14.08.2016, 08:59, "aleksey.maksimov at it-kb.ru" <aleksey.maksimov at it-kb.ru>:
>>>> Hi Jiri.
>>>> But your variant does not work, too
>>>>
>>>> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>>> PROXY_PORT=6100
>>>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
>>>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>>> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>>> SSL_ONLY=True
>>>>
>>>> Some error:
>>>> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>>>>
>>>> Any ideas how to troubleshoot the problem?
>>>>
>>>> 14.08.2016, 01:53, "Jiri Belka" <jbelka at redhat.com>:
>>>>> I have different files for those variables, maybe this is the case?
>>>>>
>>>>> Review again.
>>>>>
>>>>> j.
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "aleksey maksimov" <aleksey.maksimov at it-kb.ru>
>>>>> To: "Jiri Belka" <jbelka at redhat.com>
>>>>> Cc: "users" <users at ovirt.org>
>>>>> Sent: Saturday, August 13, 2016 4:57:45 PM
>>>>> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/
>>>>>
>>>>> I changed my file /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf to:
>>>>>
>>>>> PROXY_PORT=6100
>>>>> #SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
>>>>> #SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
>>>>> #CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>>>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
>>>>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>>>> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/apache-ca.pem
>>>>> SSL_ONLY=True
>>>>>
>>>>> ...and restart HostedEngine VM.
>>>>> Problem still exists.
>>>>>
>>>>> 13.08.2016, 17:52, "aleksey.maksimov at it-kb.ru" <aleksey.maksimov at it-kb.ru>:
>>>>>> It does not work for me. any ideas?
>>>>>>
>>>>>> 02.08.2016, 17:22, "Jiri Belka" <jbelka at redhat.com>:
>>>>>>> This works for me:
>>>>>>>
>>>>>>> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>>>>>> PROXY_PORT=6100
>>>>>>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
>>>>>>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>>>>>> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>>>>>> SSL_ONLY=True
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>> From: "aleksey maksimov" <aleksey.maksimov at it-kb.ru>
>>>>>>> To: "users" <users at ovirt.org>
>>>>>>> Sent: Monday, August 1, 2016 12:13:38 PM
>>>>>>> Subject: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/
>>>>>>>
>>>>>>> Hello oVirt gurus!
>>>>>>>
>>>>>>> I have successfully replaced the oVirt 4 site SSL-certificate according to the instructions from "Replacing oVirt SSL Certificate"
>>>>>>> section in "oVirt Administration Guide"
>>>>>>> http://www.ovirt.org/documentation/admin-guide/administration-guide/
>>>>>>>
>>>>>>> 3 files have been replaced:
>>>>>>>
>>>>>>> /etc/pki/ovirt-engine/certs/apache.cer
>>>>>>> /etc/pki/ovirt-engine/keys/apache.key.nopass
>>>>>>> /etc/pki/ovirt-engine/apache-ca.pem
>>>>>>>
>>>>>>> Now the oVirt site is using my certificate and everything works fine, but when I try to use the SPICE HTML5 browser client in Firefox or Chrome I see a gray screen and a message under the button "Toggle messages output":
>>>>>>>
>>>>>>> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>>>>>>>
>>>>>>> Before replacing the certificates, the SPICE HTML5 browser client worked.
>>>>>>> Native SPICE client works fine.
>>>>>>>
>>>>>>> Tell me what to do with SPICE HTML5 browser client?
>>>>>>> _______________________________________________
>>>>>>> Users mailing list
>>>>>>> Users at ovirt.org
>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
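
An added example, not part of any message in this thread: a check that the files named by SSL_CERTIFICATE and SSL_KEY in a websocket proxy conf file carry the same public key, which fails when SSL_CERTIFICATE points at a CA root certificate as reported at the top of the thread. The function names and the throwaway demo certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the websocket proxy's SSL_CERTIFICATE and SSL_KEY
# share one public key. All names and demo files here are constructed.

# Value of the last uncommented NAME=... assignment in a conf file.
conf_value() {
    sed -n "s/^$1=//p" "$2" | tail -n 1 | tr -d '"'
}

# SHA-256 of the public key inside a certificate ("cert") or private key ("key").
pubkey_digest() {
    local pub
    case "$1" in
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    esac
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# Returns 0 on a matching pair, 1 on mismatch, 2 if a file cannot be read.
check_proxy_tls_pair() {
    local cert key c k
    cert=$(conf_value SSL_CERTIFICATE "$1")
    key=$(conf_value SSL_KEY "$1")
    c=$(pubkey_digest cert "$cert") && k=$(pubkey_digest key "$key") ||
        { echo "cannot read $cert or $key"; return 2; }
    [ "$c" = "$k" ] || { echo "MISMATCH: $cert does not belong to $key"; return 1; }
    echo "OK: $cert matches $key"
}

# Constructed demo: throwaway CA plus engine certificate, and two conf files.
make_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo-ca" -days 1 \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=engine.example.test" \
        -keyout "$1/engine.key" -out "$1/engine.csr" 2>/dev/null
    openssl x509 -req -in "$1/engine.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/engine.crt" 2>/dev/null
    # wrong.conf mirrors the situation reported in the thread: CA root as SSL_CERTIFICATE.
    printf 'SSL_CERTIFICATE=%s\nSSL_KEY=%s\n' "$1/ca.crt" "$1/engine.key" > "$1/wrong.conf"
    printf 'SSL_CERTIFICATE=%s\nSSL_KEY=%s\n' "$1/engine.crt" "$1/engine.key" > "$1/right.conf"
}

# Usage: sh check.sh /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
if [ $# -gt 0 ]; then check_proxy_tls_pair "$1"; fi
```

Run it against the live conf file before restarting ovirt-websocket-proxy; a MISMATCH result means the TLS listener on port 6100 would be started with a certificate that does not belong to the configured key.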