[Users] noVNC https certs
Hey everyone,

So far I am impressed with the product and am enjoying it thoroughly. I am looking to put in new certs for noVNC, so I or clients do not have to repeatedly accept the cert at https://FQDN:6100

Is there a way, or documentation? I was unable to find any and the default certs install on the system, I am unfamiliar with. Is there an easy way of updating/replacing them for a trusted connection?

Thank you,
Neil

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] noVNC https certs
You should trust the engine internal CA. It can be downloaded from http://engine/ca.crt, mark it as trusted for web identity.

- Original Message -
From: Neil Schulz neil.sch...@neteasy.us
To: users@ovirt.org
Sent: Monday, January 13, 2014 7:44:35 PM
Subject: [Users] noVNC https certs

> Hey everyone,
>
> So far I am impressed with the product and am enjoying it thoroughly. I am looking to put in new certs for noVNC, so I or clients do not have to repeatedly accept the cert at https://FQDN:6100
>
> Is there a way, or documentation? I was unable to find any and the default certs install on the system, I am unfamiliar with. Is there an easy way of updating/replacing them for a trusted connection?
>
> Thank you,
> Neil
Re: [Users] noVNC https certs
So, this is the only way to stop having to accept the cert? I'd have to tell all our clients to download and install that cert to their workstation?

On 1/13/2014 12:48 PM, Alon Bar-Lev wrote:
> You should trust the engine internal CA. It can be downloaded from http://engine/ca.crt, mark it as trusted for web identity.
Re: [Users] noVNC https certs
- Original Message -
From: Neil Schulz neil.sch...@neteasy.us
To: Alon Bar-Lev alo...@redhat.com, users@ovirt.org
Sent: Monday, January 13, 2014 7:50:06 PM
Subject: Re: [Users] noVNC https certs

> So, this is the only way to stop having to accept the cert? I'd have to tell all our clients to download and install that cert to their workstation?

Yes, the other option is to buy certificates from already trusted 3rd parties, and install them for both apache and websocket proxy instead of the internally issued ones.
Re: [Users] noVNC https certs
On 01/13/2014 09:50 AM, Neil Schulz wrote:
> So, this is the only way to stop having to accept the cert? I'd have to tell all our clients to download and install that cert to their workstation?

No. You can replace the Websocket Proxy certs referenced by
/etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf

The websocket proxy needs a combined certificate file with your cert and the entire chain for SSL_CERTIFICATE.
SSL_KEY is just the unencrypted key, and it MUST be accessible by the ovirt user.
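The requirements in the reply above (a combined cert-plus-chain file for SSL_CERTIFICATE, an unencrypted SSL_KEY readable by the ovirt user) can be checked before the proxy is restarted. The script below is an added example, not part of the thread or of oVirt; the function names are hypothetical, and it assumes PEM files, the openssl CLI, and sudo for the readability check.

```shell
#!/bin/sh
# Added example, not oVirt code. File paths and the key owner are passed as
# arguments; nothing here reads or edits 10-setup.conf itself.
# Usage (placeholder paths): preflight /path/to/bundle.pem /path/to/key.pem ovirt

# make_bundle OUT LEAF [INTERMEDIATE...]: your cert first, then the chain.
make_bundle() {
    mb_out=$1; shift
    : > "$mb_out" || return 1
    for mb_pem in "$@"; do
        grep -q -e '-----BEGIN CERTIFICATE-----' "$mb_pem" || return 1
        # awk re-terminates every line, so an input without a final newline
        # cannot fuse its END line with the next file's BEGIN line.
        awk '1' "$mb_pem" >> "$mb_out"
    done
}

count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# True only for a PEM private key with no passphrase. Both encrypted forms
# ("BEGIN ENCRYPTED PRIVATE KEY" and "Proc-Type: 4,ENCRYPTED") contain the word.
key_is_plain() {
    grep -q -e 'PRIVATE KEY-----' "$1" && ! grep -q -e 'ENCRYPTED' "$1"
}

# True when the key's public half equals that of the first cert in the bundle.
key_matches_cert() {
    kc_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kc_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$kc_cert" = "$kc_key" ]
}

# True when the "other" read bit is set, i.e. any local account can read it.
key_world_readable() { [ -n "$(find "$1" -prune -perm -004)" ]; }

# preflight BUNDLE KEY USER: run every check, report all failures.
preflight() {
    pf_rc=0
    [ "$(count_certs "$1")" -ge 2 ] || echo "warn: no chain certs in $1" >&2
    key_is_plain "$2" || { echo "fail: key is encrypted or not PEM" >&2; pf_rc=1; }
    key_matches_cert "$1" "$2" || { echo "fail: key/cert mismatch" >&2; pf_rc=1; }
    sudo -u "$3" test -r "$2" || { echo "fail: $3 cannot read $2" >&2; pf_rc=1; }
    if key_world_readable "$2"; then echo "warn: $2 is world-readable" >&2; fi
    return "$pf_rc"
}
```

A bundle with a single certificate only triggers a warning, since a certificate issued directly by a root has no intermediates to include.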
Re: [Users] noVNC https certs
Excellent, that's what I was looking for. I already tried going to http://FQDN/ca.crt, downloaded it, and installed it but still received the same error. I'm going to replace them for 3rd party ones.

Thank you for the help!

On 1/13/2014 12:54 PM, Thomas Suckow wrote:
> No. You can replace the Websocket Proxy certs referenced by
> /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>
> The websocket proxy needs a combined certificate file with your cert and the entire chain for SSL_CERTIFICATE.
> SSL_KEY is just the unencrypted key, and it MUST be accessible by the ovirt user.
Re: [Users] noVNC https certs
- Original Message -
From: Neil Schulz neil.sch...@neteasy.us
To: Thomas Suckow thomas.suc...@pnnl.gov, users@ovirt.org
Sent: Monday, January 13, 2014 7:57:38 PM
Subject: Re: [Users] noVNC https certs

> Excellent, that's what I was looking for. I already tried going to http://FQDN/ca.crt, downloaded it, and installed it but still received the same error. I'm going to replace them for 3rd party ones.

It should not happen. Which browser do you use? How did you mark the CA certificate within the browser?

> Thank you for the help!
Re: [Users] noVNC https certs
Google Chrome.

I downloaded the ca.crt for the server. I went into Settings > Show advanced settings... > Manage Certificates... > Import

The cert appeared under the tabs. I closed and restarted my browser, navigated back to the ovirt engine page, launched noVNC and received Server disconnected (code: 1006)

On 1/13/2014 1:12 PM, Alon Bar-Lev wrote:
> It should not happen. Which browser do you use? How did you mark the CA certificate within the browser?
Re: [Users] noVNC https certs
> I downloaded the ca.crt for the server. I went into Settings > Show advanced settings... > Manage Certificates... > Import
>
> The cert appeared under the tabs. I closed and restarted my browser, navigated back to the ovirt engine page, launched noVNC and received Server disconnected (code: 1006)

Should be: Manage Certificates... > Authorities Tab > Import

Regardless, installing your own certificate is preferred. You don't even have to buy one, you can get as many basic one year certs as you need for free from startcom.

- Thomas
Re: [Users] noVNC https certs
I see it under there as well, however, still getting server disconnect.

On 1/13/2014 1:38 PM, Thomas Suckow wrote:
> Should be: Manage Certificates... > Authorities Tab > Import
>
> Regardless, installing your own certificate is preferred. You don't even have to buy one, you can get as many basic one year certs as you need for free from startcom.
>
> - Thomas
Re: [Users] noVNC https certs
Neil Schulz wrote:
> I see it under there as well, however, still getting server disconnect.

Seeing anything being logged/outputted by the webproxy if you run it on the commandline instead of a service?

I have recently got noVNC working and I, ehhh, had a firewall in the way :-)
Make sure you can connect to engine:6100 from your client and that engine can connect to your hosts. It's highly unlikely that this is your problem but ...

Regards,
Joop
Re: [Users] noVNC https certs
I am able to gain noVNC access by going to https://FQDN:6100, however, I'm trying to find a practical, permanent solution, to make it more user friendly for clients. The firewall is allowing connections to it.

On 1/13/2014 3:25 PM, Joop wrote:
> Seeing anything being logged/outputted by the webproxy if you run it on the commandline instead of a service?
>
> I have recently got noVNC working and I, ehhh, had a firewall in the way :-)
> Make sure you can connect to engine:6100 from your client and that engine can connect to your hosts. It's highly unlikely that this is your problem but ...
>
> Regards,
> Joop
Re: [Users] noVNC https certs
Neil Schulz wrote:
> I am able to gain noVNC access by going to https://FQDN:6100, however, I'm trying to find a practical, permanent solution, to make it more user friendly for clients. The firewall is allowing connections to it.

Are you trying to directly access noVNC through that URL? I use the webui and click on the console icon/button and then FF opens a new tab with the console in it. Looking at the address bar it shows some magic url but nothing that I can see that you can use directly.

Joop
Re: [Users] noVNC https certs
I use oVirt-Engine web interface to connect to the console. I was saying I go to that link to accept the certificate, which then allows me to connect to the noVNC page.

Supposedly, importing that cert prevents you from having to do that continuously. However, that is not working correctly for me, in Chrome.

-Neil

On 1/13/2014 3:50 PM, Joop wrote:
> Are you trying to directly access noVNC through that URL? I use the webui and click on the console icon/button and then FF opens a new tab with the console in it. Looking at the address bar it shows some magic url but nothing that I can see that you can use directly.
>
> Joop