[ovirt-users] Unable to connect to VMs via noVnc or Spice after engine-rename and replacing apache cert

David Jaša djasa at redhat.com
Mon Dec 12 16:36:54 UTC 2016


Hi,

Through websockets, you're connecting to a TLS port with a cert issued by
the oVirt CA, so you need to have your browser trust the oVirt CA in order to
connect successfully to spice-html5.

AFAIU you should be able to replace the certs for spice (it's a separate file
on the host from the vdsm cert, although their contents are the same [1]). I
don't know, however, if you can configure the engine to fill this
non-embedded-CA root in .vv files instead (or not to set it at all if
this CA is in your client trust stores).

[1]
# ls -l /etc/pki/vdsm/*/*pem
-rw-r--r--. 1 root kvm 1452  4. zář  2015 /etc/pki/vdsm/certs/cacert.pem
-rw-r--r--. 1 root kvm 1444  4. zář  2015 /etc/pki/vdsm/certs/vdsmcert.pem
-r--r-----. 1 vdsm kvm 1675  4. zář  2015 /etc/pki/vdsm/keys/vdsmkey.pem
-rw-r--r--. 1 root kvm 1452  4. zář  2015 /etc/pki/vdsm/libvirt-spice/ca-cert.pem
-rw-r--r--. 1 root kvm 1444  4. zář  2015 /etc/pki/vdsm/libvirt-spice/server-cert.pem
-r--r-----. 1 vdsm kvm 1675  4. zář  2015 /etc/pki/vdsm/libvirt-spice/server-key.pem

# rpm -qf /etc/pki/vdsm/libvirt-spice/ca-cert.pem
file /etc/pki/vdsm/libvirt-spice/ca-cert.pem

Regards,

David Jaša

On Fri, 2016-12-09 at 21:09 +0100, Karol Vaclavik wrote:
> Hi all,
> 
> I had a running oVirt. After renaming it (to the final domain it will be
> assigned to), and replacing the self-signed apache cert with a trustworthy
> one, I am unable to connect to the remote desktop of any VM (noVnc and
> SPICE).
> 
> For NoVNC the problem is: Server disconnected (code: 1006)
> and in the JavaScript I can find:
> 
> VM6119:37 WebSocket connection to
> 'wss://realaddressofmyengine:6100/eyJzYWx0IjoiQ01pOUNBV1YrTjA9IiwiZGF0YSI6…FsaWRGcm9tIjoiMjAxNjEyMDkyMDA2MjEiLCJ2YWxpZFRvIjoiMjAxNjEyMDkyMDA4MjEifQ==' failed: WebSocket opening handshake was canceled
> 
> and when trying Spice the error is:
> 
> WebSocket error: Can't connect to websocket on URL:
> wss://realaddressofmyengine:…
> [object Event]
> 
> I have no idea how to regenerate the websocket cert, which is still
> pointing at the old machine name.
> 
> Thanks for any help
> 
> Karol Vaclavik
> IT ARCHITECT

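An added example, not part of the original message or of oVirt: a shell check that compares each SPICE file from the listing in [1] with its vdsm counterpart and, when openssl is installed, prints the subject, issuer and expiry of the SPICE certificates. The pairing of files is inferred from the matching sizes in that listing and is an assumption; `check_spice_pki`, `compare_pair` and `describe_cert` are hypothetical names.

```shell
#!/bin/sh
# Added example. File names come from the listing in [1]; the base directory
# can be overridden so the check can be run against a copy of the tree.

# compare_pair FILE_A FILE_B -> prints "same", "differ" or "missing"
# ("missing" also covers a file the current user cannot read)
compare_pair() {
    if [ ! -r "$1" ] || [ ! -r "$2" ]; then
        echo missing
    elif cmp -s "$1" "$2"; then
        echo same
    else
        echo differ
    fi
}

# describe_cert FILE -> subject, issuer and expiry on one line
# (prints nothing when openssl is absent or FILE is not a certificate)
describe_cert() {
    command -v openssl >/dev/null 2>&1 || return 0
    openssl x509 -in "$1" -noout -subject -issuer -enddate 2>/dev/null | tr '\n' ' '
}

# check_spice_pki [PKI_DIR] -> one report line per pair;
# returns non-zero if any pair is not byte-identical
check_spice_pki() {
    pki=${1:-/etc/pki/vdsm}
    rc=0
    for pair in \
        "certs/cacert.pem:libvirt-spice/ca-cert.pem" \
        "certs/vdsmcert.pem:libvirt-spice/server-cert.pem" \
        "keys/vdsmkey.pem:libvirt-spice/server-key.pem"
    do
        vdsm_file=$pki/${pair%%:*}
        spice_file=$pki/${pair#*:}
        state=$(compare_pair "$vdsm_file" "$spice_file")
        [ "$state" = same ] || rc=1
        printf '%-8s %s <-> %s\n' "$state" "$vdsm_file" "$spice_file"
        case $spice_file in
            *key.pem) ;;  # never print anything derived from key material
            *) [ "$state" = missing ] || printf '         spice: %s\n' "$(describe_cert "$spice_file")" ;;
        esac
    done
    return $rc
}
```

Run `check_spice_pki` as root on the host; a `differ` line after a certificate replacement shows which SPICE copy no longer matches the vdsm file.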