Re: [Users] Questions on ovirt 3.3 browser based spice/novnc working

2013-08-16 Thread Alon Bar-Lev


- Original Message -
 From: Dead Horse deadhorseconsult...@gmail.com
 To: Alon Bar-Lev alo...@redhat.com
 Cc: users users@ovirt.org, Frantisek Kobzik fkob...@redhat.com
 Sent: Friday, August 16, 2013 3:55:28 AM
 Subject: Re: [Users] Questions on ovirt 3.3 browser based spice/novnc working
 
 Curiously if one wanted to disable the need to download the Server CA
 certificate what are the changes needed to do so? (Realizing the security
 implications)

I do not understand, what alternative do you propose?

You can disable ssl but Frantisek, we need a vdc option for that so url 
will contain http or https.

 
 
Re: [Users] Questions on ovirt 3.3 browser based spice/novnc working

2013-08-16 Thread Frantisek Kobzik
Hi,

exactly - the fact about the vdc option is true. 

(and I think we also have to allow serving novnc/spice-html5 pages using plain 
http. afaik now apache or jboss forces you to https).

Regards,
F.

Re: [Users] Questions on ovirt 3.3 browser based spice/novnc working

2013-08-16 Thread Alon Bar-Lev


- Original Message -
 From: Frantisek Kobzik fkob...@redhat.com
 To: Alon Bar-Lev alo...@redhat.com
 Cc: Dead Horse deadhorseconsult...@gmail.com, users users@ovirt.org
 Sent: Friday, August 16, 2013 9:58:27 AM
 Subject: Re: [Users] Questions on ovirt 3.3 browser based spice/novnc working
 
 Hi,
 
 exactly - the fact about the vdc option is true.
 
 (and I think we also have to allow serving novnc/spice-html5 pages using
 plain http. afaik now apache or jboss forces you to https).

No... just a setting for the proxy.
As the html files themselves come from the same location the user is on.
Can you please handle that?

 
 Regards,
 F.
 
Re: [Users] Questions on ovirt 3.3 browser based spice/novnc working

2013-08-16 Thread Frantisek Kobzik
I'll try to resolve that soon.

Thanks,
F.

Re: [Users] Questions on ovirt 3.3 browser based spice/novnc working

2013-08-16 Thread Dead Horse
I was just more curious about exactly what files/options  database
options/configurations in the engine had to be changed to disable SSL for
this and just allow for http. I am not quite 100% on what the engine option
SSLEnabled exactly disables SSL wise (EG: HTTP/VDSM?) or what effect the
SSL_ONLY option in the websocket configuration has (by default it is set to
false but only SSL works?).

Thus I am just curious on the underpinnings and how things are tied
together and cause/effect ;-)

- DHC


Re: [Users] Questions on ovirt 3.3 browser based spice/novnc working

2013-08-16 Thread Alon Bar-Lev


- Original Message -
 From: Dead Horse deadhorseconsult...@gmail.com
 To: Frantisek Kobzik fkob...@redhat.com
 Cc: Alon Bar-Lev alo...@redhat.com, users users@ovirt.org
 Sent: Friday, August 16, 2013 4:58:18 PM
 Subject: Re: [Users] Questions on ovirt 3.3 browser based spice/novnc working
 
 I was just more curious about exactly what files/options  database
 options/configurations in the engine had to be changed to disable SSL for
 this and just allow for http. I am not quite 100% on what the engine option
 SSLEnabled exactly disables SSL wise (EG: HTTP/VDSM?) or what effect the
 SSL_ONLY option in the websocket configuration has (by default it is set to
 false but only SSL works?).

It is not supported per my last response.

 Thus I am just curious on the underpinnings and how things are tied
 together and cause/effect ;-)

The whole configuration subsystem is highly non-flexible... adding an option in
code requires a database upgrade.
This is on my list to re-write...

 
 - DHC
 
 
Re: [Users] Questions on ovirt 3.3 browser based spice/novnc working

2013-08-15 Thread Dead Horse
Curiously if one wanted to disable the need to download the Server CA
certificate what are the changes needed to do so? (Realizing the security
implications)


On Fri, Aug 2, 2013 at 2:49 PM, Alon Bar-Lev alo...@redhat.com wrote:



 - Original Message -
  From: Dead Horse deadhorseconsult...@gmail.com
  To: Alon Bar-Lev alo...@redhat.com
  Cc: users users@ovirt.org
  Sent: Friday, August 2, 2013 10:39:48 PM
  Subject: Re: [Users] Questions on ovirt 3.3 browser based spice/novnc working
 
  Thanks Alon,
  That did the trick. Is there any way to get the engine to push this cert to
  a first time visitor by default?
  - DHC

 Well, it actually depends on browser behavior... Internet Explorer does
 allow you to trust the root.

 I could not find such option in firefox.

 Frantisek:

 Maybe we can have the link for the ca certificate so people can press it
 to establish trust.

 Have you tried to perform XMLHttpRequest and see if you get some error we
 can use to warn user?

 
 
  On Fri, Aug 2, 2013 at 1:18 AM, Alon Bar-Lev alo...@redhat.com wrote:
 
  
  
   - Original Message -
From: Dead Horse deadhorseconsult...@gmail.com
To: Alon Bar-Lev alo...@redhat.com
Cc: users users@ovirt.org
Sent: Thursday, August 1, 2013 11:06:11 PM
Subject: Re: [Users] Questions on ovirt 3.3 browser based spice/novnc working

Attached Firefox and Chrome screenshots of Certificates.
errors thrown by websockify
Firefox: 1: handler exception: [Errno 1] _ssl.c:1359: error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Chrome: 11: handler exception: WSRequestHandler instance has no attribute
'last_code'

For Firefox it looks like firefox needs a bit of prodding to get it to
accept the Websocket CA Cert:
https://github.com/kanaka/websockify/issues/34

The error generated by chrome seems to be a websockify issue:
https://github.com/kanaka/noVNC/issues/86
https://github.com/kanaka/websockify/issues/22#issuecomment-3263065
https://github.com/kanaka/noVNC/issues/177

In any event I got both Chrome and Firefox working by manually browsing to:
https://ENGINEFQDN:6100 and accepting the self signed cert
  
   This is because your browser does not support the CA.
   Please go to:
  
   http://engine/ca.crt
  
   And install that certificate as trusted, remove the explicit trust you
   have added, and try again.
  
   
Not pretty but it worked.
   
- DHC
   
   
On Thu, Aug 1, 2013 at 2:08 PM, Alon Bar-Lev alo...@redhat.com wrote:
   


 - Original Message -
  From: Dead Horse deadhorseconsult...@gmail.com
  To: Alon Bar-Lev alo...@redhat.com
  Cc: users users@ovirt.org
  Sent: Thursday, August 1, 2013 9:59:14 PM
  Subject: Re: [Users] Questions on ovirt 3.3 browser based
 spice/novnc
 working
 
  That did the trick for getting the websocket proxy configured ( i
   backed
  out all my changes prior to running engine-setup). I do notice
 that
   it
  still seems to leave the ovirt-websocket-proxy.conf in it's
 default
   state
  and makes no dedications to it. Instead it generated
  /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
 
  I also noted engine setup generated:
  /etc/pki/ovirt-engine/certs/websocket-proxy.cer
  /etc/pki/ovirt-engine/keys/websocket-proxy.p12
  /etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
  /etc/pki/ovirt-engine/requests/websocket-proxy.req
 
  None the less still neither spice nor novnc will connect. I tried
 changing
  Engine:6100 to EngineIP:6100 so that IP would be used instead.
   However
  using either the FQDN or IP still yielded the same results.

 You should not touch anything... all should be configured...
 Make sure your browser trusts the *CA* of the engine and not the
 engine
 certificate directly.
 And try to open vnc console via webadmin.

  There was nothing interesting in the logs either. I do notice that whilst
  the websocket-proxy service is running I never see any websockify processes
  but instead in /var/log/messages I see:
  Aug  1 13:44:10 ovirtfoo ovirt-websocket-proxy.py[435]: 11:
 handler
  exception: [Errno 1] _ssl.c:1359: error:14094418:SSL
  routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
 
  Thus I changed SSL_ONLY=True to SSL_ONLY=False in
  /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf and
 restarted
  engine and websocket-proxy
  No dice it still generated the same error as above during an
   attempted
  connection to /var/log/messages
 
  I also note the following error message at VM power off (albeit I am
  guessing it has nothing to do with this issue):
  2013-08-01 13:41:03,742 ERROR
  [org.ovirt.engine.core.vdsbroker.DestroyVmVDSCommand]
   (pool-6-thread-50)
  [304efb3e] VDS::destroy

Re: [Users] Questions on ovirt 3.3 browser based spice/novnc working

2013-08-02 Thread Alon Bar-Lev


- Original Message -
 From: Dead Horse deadhorseconsult...@gmail.com
 To: Alon Bar-Lev alo...@redhat.com
 Cc: users users@ovirt.org
 Sent: Thursday, August 1, 2013 11:06:11 PM
 Subject: Re: [Users] Questions on ovirt 3.3 browser based spice/novnc working
 
 Attached Firefox and Chrome screenshots of Certificates.
 errors thrown by websockify
 Firefox: 1: handler exception: [Errno 1] _ssl.c:1359: error:14094418:SSL
 routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
 Chrome: 11: handler exception: WSRequestHandler instance has no attribute
 'last_code'
 
 For Firefox it looks like Firefox needs a bit of prodding to get it to
 accept the Websocket CA Cert:
 https://github.com/kanaka/websockify/issues/34
 
 The error generated by chrome seems to be a websockify issue:
 https://github.com/kanaka/noVNC/issues/86
 https://github.com/kanaka/websockify/issues/22#issuecomment-3263065
 https://github.com/kanaka/noVNC/issues/177
 
 In any event I got both Chrome and Firefox working by manually browsing to:
 https://ENGINEFQDN:6100 and accepting the self signed cert

This is because your browser does not support the CA.
Please go to:

http://engine/ca.crt

And install that certificate as trusted, remove the explicit trust you have 
added, and try again.

 
 Not pretty but it worked.
 
 - DHC
 
 
 On Thu, Aug 1, 2013 at 2:08 PM, Alon Bar-Lev alo...@redhat.com wrote:
 
 
 
  - Original Message -
   From: Dead Horse deadhorseconsult...@gmail.com
   To: Alon Bar-Lev alo...@redhat.com
   Cc: users users@ovirt.org
   Sent: Thursday, August 1, 2013 9:59:14 PM
   Subject: Re: [Users] Questions on ovirt 3.3 browser based spice/novnc
  working
  
   That did the trick for getting the websocket proxy configured (I backed
   out all my changes prior to running engine-setup). I do notice that it
   still seems to leave the ovirt-websocket-proxy.conf in its default state
   and makes no dedications to it. Instead it generated
   /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
  
   I also noted engine setup generated:
   /etc/pki/ovirt-engine/certs/websocket-proxy.cer
   /etc/pki/ovirt-engine/keys/websocket-proxy.p12
   /etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
   /etc/pki/ovirt-engine/requests/websocket-proxy.req
  
   None the less still neither spice nor novnc will connect. I tried
  changing
   Engine:6100 to EngineIP:6100 so that IP would be used instead. However
   using either the FQDN or IP still yielded the same results.
 
  You should not touch anything... all should be configured...
  Make sure your browser trusts the *CA* of the engine and not the engine
  certificate directly.
  And try to open vnc console via webadmin.
 
   There was nothing interesting in the logs either. I do notice that whilst
   the websocket-proxy service is running I never see any websockify
  processes
   but instead in /var/log/messages I see:
   Aug  1 13:44:10 ovirtfoo ovirt-websocket-proxy.py[435]: 11: handler
   exception: [Errno 1] _ssl.c:1359: error:14094418:SSL
   routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
  
   Thus I changed SSL_ONLY=True to SSL_ONLY=False in
   /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf and
  restarted
   engine and websocket-proxy
   No dice it still generated the same error as above during an attempted
   connection to /var/log/messages
  
   I also note the following error message at VM power off (albeit I am
   guessing it has nothing to do with this issue):
   2013-08-01 13:41:03,742 ERROR
   [org.ovirt.engine.core.vdsbroker.DestroyVmVDSCommand] (pool-6-thread-50)
   [304efb3e] VDS::destroy Failed destroying vm
   fec3260c-871a-4fbe-a006-9eee4fbfbbcc in vds =
   5713e5c8-6252-4bce-a3f6-bbd8e1e6eb57 : ovirtnodefoo, error =
   org.ovirt.engine.core.vdsbroker.vdsbroker.VDSErrorException:
   VDSGenericException: VDSErrorException: Failed to DestroyVDS, error =
   Unexpected exception
  
   - DHC
  
  
   On Thu, Aug 1, 2013 at 1:07 PM, Alon Bar-Lev alo...@redhat.com wrote:
  
If you install the proxy on the engine machine you just need:
   
# yum install ovirt-engine-websocket-proxy
# engine-setup
   
then answer yes when prompted if you would like to configure websocket proxy.
   
you can execute engine-setup again even if you already installed.
   
- Original Message -
 From: Dead Horse deadhorseconsult...@gmail.com
 To: users@ovirt.org users@ovirt.org
 Sent: Thursday, August 1, 2013 9:01:47 PM
 Subject: [Users] Questions on ovirt 3.3 browser based spice/novnc
  working

 After Referencing:
 http://www.ovirt.org/Features/noVNC_console
 http://www.ovirt.org/Features/SpiceHTML5

 and looking at some of the related engine code.

 I am still attempting to get the spice/novnc browser based consoles
  to
work.

 I am working from a build from master yesterday I used to upgrade
  over a
 previous 3.3 master build from about a month back.

 VDSM version on host

Re: [Users] Questions on ovirt 3.3 browser based spice/novnc working

2013-08-02 Thread Dead Horse
Thanks Alon,
That did the trick. Is there any way to get the engine to push this cert to
a first time visitor by default?
- DHC


On Fri, Aug 2, 2013 at 1:18 AM, Alon Bar-Lev alo...@redhat.com wrote:



 - Original Message -
  From: Dead Horse deadhorseconsult...@gmail.com
  To: Alon Bar-Lev alo...@redhat.com
  Cc: users users@ovirt.org
  Sent: Thursday, August 1, 2013 11:06:11 PM
  Subject: Re: [Users] Questions on ovirt 3.3 browser based spice/novnc
 working
 
  Attached Firefox and Chrome screenshots of Certificates.
  errors thrown by websockify
  Firefox: 1: handler exception: [Errno 1] _ssl.c:1359: error:14094418:SSL
  routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
  Chrome: 11: handler exception: WSRequestHandler instance has no attribute
  'last_code'
 
  For Firefox it looks like Firefox needs a bit of prodding to get it to
  accept the Websocket CA Cert:
  https://github.com/kanaka/websockify/issues/34
 
  The error generated by chrome seems to be a websockify issue:
  https://github.com/kanaka/noVNC/issues/86
  https://github.com/kanaka/websockify/issues/22#issuecomment-3263065
  https://github.com/kanaka/noVNC/issues/177
 
  In any event I got both Chrome and Firefox working by manually browsing
 to:
  https://ENGINEFQDN:6100 and accepting the self signed cert

 This is because your browser does not support the CA.
 Please go to:

 http://engine/ca.crt

 And install that certificate as trusted, remove the explicit trust you
 have added, and try again.

 
  Not pretty but it worked.
 
  - DHC
 
 
  On Thu, Aug 1, 2013 at 2:08 PM, Alon Bar-Lev alo...@redhat.com wrote:
 
  
  
   - Original Message -
From: Dead Horse deadhorseconsult...@gmail.com
To: Alon Bar-Lev alo...@redhat.com
Cc: users users@ovirt.org
Sent: Thursday, August 1, 2013 9:59:14 PM
Subject: Re: [Users] Questions on ovirt 3.3 browser based spice/novnc
   working
   
That did the trick for getting the websocket proxy configured (I backed
out all my changes prior to running engine-setup). I do notice that it
still seems to leave the ovirt-websocket-proxy.conf in its default state
and makes no dedications to it. Instead it generated
/etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
   
I also noted engine setup generated:
/etc/pki/ovirt-engine/certs/websocket-proxy.cer
/etc/pki/ovirt-engine/keys/websocket-proxy.p12
/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
/etc/pki/ovirt-engine/requests/websocket-proxy.req
   
None the less still neither spice nor novnc will connect. I tried
   changing
Engine:6100 to EngineIP:6100 so that IP would be used instead.
 However
using either the FQDN or IP still yielded the same results.
  
   You should not touch anything... all should be configured...
   Make sure your browser trusts the *CA* of the engine and not the engine
   certificate directly.
   And try to open vnc console via webadmin.
  
There was nothing interesting in the logs either. I do notice that whilst
the websocket-proxy service is running I never see any websockify processes
but instead in /var/log/messages I see:
Aug  1 13:44:10 ovirtfoo ovirt-websocket-proxy.py[435]: 11: handler
exception: [Errno 1] _ssl.c:1359: error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
   
Thus I changed SSL_ONLY=True to SSL_ONLY=False in
/etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf and
   restarted
engine and websocket-proxy
No dice it still generated the same error as above during an
 attempted
connection to /var/log/messages
   
I also note the following error message at VM power off (albeit I am
guessing it has nothing to do with this issue):
2013-08-01 13:41:03,742 ERROR
[org.ovirt.engine.core.vdsbroker.DestroyVmVDSCommand]
 (pool-6-thread-50)
[304efb3e] VDS::destroy Failed destroying vm
fec3260c-871a-4fbe-a006-9eee4fbfbbcc in vds =
5713e5c8-6252-4bce-a3f6-bbd8e1e6eb57 : ovirtnodefoo, error =
org.ovirt.engine.core.vdsbroker.vdsbroker.VDSErrorException:
VDSGenericException: VDSErrorException: Failed to DestroyVDS, error =
Unexpected exception
   
- DHC
   
   
On Thu, Aug 1, 2013 at 1:07 PM, Alon Bar-Lev alo...@redhat.com
 wrote:
   
 If you install the proxy on the engine machine you just need:

 # yum install ovirt-engine-websocket-proxy
 # engine-setup

 then answer yes when prompted if you would like to configure websocket
 proxy.

 you can execute engine-setup again even if you already installed.

 - Original Message -
  From: Dead Horse deadhorseconsult...@gmail.com
  To: users@ovirt.org users@ovirt.org
  Sent: Thursday, August 1, 2013 9:01:47 PM
  Subject: [Users] Questions on ovirt 3.3 browser based spice/novnc
   working
 
  After Referencing:
  http://www.ovirt.org/Features/noVNC_console
  http://www.ovirt.org/Features/SpiceHTML5

Re: [Users] Questions on ovirt 3.3 browser based spice/novnc working

2013-08-02 Thread Alon Bar-Lev


- Original Message -
 From: Dead Horse deadhorseconsult...@gmail.com
 To: Alon Bar-Lev alo...@redhat.com
 Cc: users users@ovirt.org
 Sent: Friday, August 2, 2013 10:39:48 PM
 Subject: Re: [Users] Questions on ovirt 3.3 browser based spice/novnc working
 
 Thanks Alon,
 That did the trick. Is there any way to get the engine to push this cert to
 a first time visitor by default?
 - DHC

Well, it actually depends on browser behavior... Internet Explorer does allow
you to trust the root.

I could not find such an option in Firefox.

Frantisek:

Maybe we can have the link for the CA certificate so people can press it to
establish trust.

Have you tried to perform an XMLHttpRequest and see if you get some error we can
use to warn the user?

 
 
 On Fri, Aug 2, 2013 at 1:18 AM, Alon Bar-Lev alo...@redhat.com wrote:
 
 
 
  - Original Message -
   From: Dead Horse deadhorseconsult...@gmail.com
   To: Alon Bar-Lev alo...@redhat.com
   Cc: users users@ovirt.org
   Sent: Thursday, August 1, 2013 11:06:11 PM
   Subject: Re: [Users] Questions on ovirt 3.3 browser based spice/novnc
  working
  
   Attached Firefox and Chrome screenshots of Certificates.
   errors thrown by websockify
   Firefox: 1: handler exception: [Errno 1] _ssl.c:1359: error:14094418:SSL
   routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
   Chrome: 11: handler exception: WSRequestHandler instance has no attribute
   'last_code'
  
   For Firefox it looks like Firefox needs a bit of prodding to get it to
   accept the Websocket CA Cert:
   https://github.com/kanaka/websockify/issues/34
  
   The error generated by chrome seems to be a websockify issue:
   https://github.com/kanaka/noVNC/issues/86
   https://github.com/kanaka/websockify/issues/22#issuecomment-3263065
   https://github.com/kanaka/noVNC/issues/177
  
   In any event I got both Chrome and Firefox working by manually browsing
  to:
   https://ENGINEFQDN:6100 and accepting the self signed cert
 
  This is because your browser does not support the CA.
  Please go to:
 
  http://engine/ca.crt
 
  And install that certificate as trusted, remove the explicit trust you
  have added, and try again.
 
  
   Not pretty but it worked.
  
   - DHC
  
  
   On Thu, Aug 1, 2013 at 2:08 PM, Alon Bar-Lev alo...@redhat.com wrote:
  
   
   
- Original Message -
 From: Dead Horse deadhorseconsult...@gmail.com
 To: Alon Bar-Lev alo...@redhat.com
 Cc: users users@ovirt.org
 Sent: Thursday, August 1, 2013 9:59:14 PM
 Subject: Re: [Users] Questions on ovirt 3.3 browser based spice/novnc
working

 That did the trick for getting the websocket proxy configured (I backed
 out all my changes prior to running engine-setup). I do notice that it
 still seems to leave the ovirt-websocket-proxy.conf in its default state
 and makes no dedications to it. Instead it generated
 /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf

 I also noted engine setup generated:
 /etc/pki/ovirt-engine/certs/websocket-proxy.cer
 /etc/pki/ovirt-engine/keys/websocket-proxy.p12
 /etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
 /etc/pki/ovirt-engine/requests/websocket-proxy.req

 None the less still neither spice nor novnc will connect. I tried
changing
 Engine:6100 to EngineIP:6100 so that IP would be used instead.
  However
 using either the FQDN or IP still yielded the same results.
   
You should not touch anything... all should be configured...
Make sure your browser trusts the *CA* of the engine and not the engine
certificate directly.
And try to open vnc console via webadmin.
   
 There was nothing interesting in the logs either. I do notice that whilst
 the websocket-proxy service is running I never see any websockify processes
 but instead in /var/log/messages I see:
 Aug  1 13:44:10 ovirtfoo ovirt-websocket-proxy.py[435]: 11: handler
 exception: [Errno 1] _ssl.c:1359: error:14094418:SSL
 routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

 Thus I changed SSL_ONLY=True to SSL_ONLY=False in
 /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf and
restarted
 engine and websocket-proxy
 No dice it still generated the same error as above during an
  attempted
 connection to /var/log/messages

 I also note the following error message at VM power off (albeit I am
 guessing it has nothing to do with this issue):
 2013-08-01 13:41:03,742 ERROR
 [org.ovirt.engine.core.vdsbroker.DestroyVmVDSCommand]
  (pool-6-thread-50)
 [304efb3e] VDS::destroy Failed destroying vm
 fec3260c-871a-4fbe-a006-9eee4fbfbbcc in vds =
 5713e5c8-6252-4bce-a3f6-bbd8e1e6eb57 : ovirtnodefoo, error =
 org.ovirt.engine.core.vdsbroker.vdsbroker.VDSErrorException:
 VDSGenericException: VDSErrorException: Failed to DestroyVDS, error =
 Unexpected exception

 - DHC


 On Thu, Aug 1, 2013 at 1:07 PM

Re: [Users] Questions on ovirt 3.3 browser based spice/novnc working

2013-08-01 Thread Dead Horse
That did the trick for getting the websocket proxy configured (I backed
out all my changes prior to running engine-setup). I do notice that it
still seems to leave the ovirt-websocket-proxy.conf in its default state
and makes no dedications to it. Instead it generated
/etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf

I also noted engine setup generated:
/etc/pki/ovirt-engine/certs/websocket-proxy.cer
/etc/pki/ovirt-engine/keys/websocket-proxy.p12
/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
/etc/pki/ovirt-engine/requests/websocket-proxy.req

None the less still neither spice nor novnc will connect. I tried changing
Engine:6100 to EngineIP:6100 so that IP would be used instead. However
using either the FQDN or IP still yielded the same results.

There was nothing interesting in the logs either. I do notice that whilst
the websocket-proxy service is running I never see any websockify processes
but instead in /var/log/messages I see:
Aug  1 13:44:10 ovirtfoo ovirt-websocket-proxy.py[435]: 11: handler
exception: [Errno 1] _ssl.c:1359: error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

Thus I changed SSL_ONLY=True to SSL_ONLY=False in
/etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf and restarted
engine and websocket-proxy
No dice it still generated the same error as above during an attempted
connection to /var/log/messages

I also note the following error message at VM power off (albeit I am
guessing it has nothing to do with this issue):
2013-08-01 13:41:03,742 ERROR
[org.ovirt.engine.core.vdsbroker.DestroyVmVDSCommand] (pool-6-thread-50)
[304efb3e] VDS::destroy Failed destroying vm
fec3260c-871a-4fbe-a006-9eee4fbfbbcc in vds =
5713e5c8-6252-4bce-a3f6-bbd8e1e6eb57 : ovirtnodefoo, error =
org.ovirt.engine.core.vdsbroker.vdsbroker.VDSErrorException:
VDSGenericException: VDSErrorException: Failed to DestroyVDS, error =
Unexpected exception

- DHC


On Thu, Aug 1, 2013 at 1:07 PM, Alon Bar-Lev alo...@redhat.com wrote:

 If you install the proxy on the engine machine you just need:

 # yum install ovirt-engine-websocket-proxy
 # engine-setup

 then answer yes when prompted if you would like to configure websocket proxy.

 you can execute engine-setup again even if you already installed.

 - Original Message -
  From: Dead Horse deadhorseconsult...@gmail.com
  To: users@ovirt.org users@ovirt.org
  Sent: Thursday, August 1, 2013 9:01:47 PM
  Subject: [Users] Questions on ovirt 3.3 browser based spice/novnc working
 
  After Referencing:
  http://www.ovirt.org/Features/noVNC_console
  http://www.ovirt.org/Features/SpiceHTML5
 
  and looking at some of the related engine code.
 
  I am still attempting to get the spice/novnc browser based consoles to
 work.
 
  I am working from a build from master yesterday I used to upgrade over a
  previous 3.3 master build from about a month back.
 
  VDSM version on host is 4.12.0 built minutes ago.
 
  I have installed and configured the websocket proxy like so:
 
  Set WebSocketProxy to engine ENGINEIP port 6100
  engine-config -s WebSocketProxy=ENGINEIP:6100
 
  /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=websocket-proxy
  --password=install --subject=/C=US/O=DHC/CN=ENGINEFQDN
 
  This generates:
  /etc/pki/ovirt-engine/keys/websocket-proxy.p12
  /etc/pki/ovirt-engine/certs/websocket-proxy.cer
  /etc/pki/ovirt-engine/requests/websocket-proxy.req
 
  However it does not generate the key that websockify wants so we do:
  openssl pkcs12 -in websocket-proxy.p12 -nocerts -nodes -out
  /etc/pki/ovirt-engine/keys/websocket-proxy.key
 
  The configuration of ovirt-websocket-proxy:
  PROXY_HOST=*
  PROXY_PORT=6100
  SOURCE_IS_IPV6=False
  SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
  SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key
  FORCE_DATA_VERIFICATION=False
  CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
  SSL_ONLY=True
  TRACE_ENABLE=False
  TRACE_FILE=
  ENGINE_USR=/usr/share/ovirt-engine
 
  Install spice-html5
  git clone http://anongit.freedesktop.org/git/spice/spice-html5.git
  mv spice-html5 /usr/share
 
  Test spice:
  In Webadmin UI we create a VM, set display as spice, start it and set
  its console to spice-html5.
  Result spice-html client opens in a new tab but does not connect.
 
  From engine.log:
  2013-08-01 12:49:52,352 INFO
 [org.ovirt.engine.core.bll.SetVmTicketCommand]
  (ajp--127.0.0.1-8702-9) Running command: SetVmTicketCommand internal:
 false.
  Entities affected : ID: fec3260c-871a-4fbe-a006-9eee4fbfbbcc Type: VM
  2013-08-01 12:49:52,371 INFO
  [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
  (ajp--127.0.0.1-8702-9) START, SetVmTicketVDSCommand(HostName =
  ovirtnodefoo, HostId = 5713e5c8-6252-4bce-a3f6-bbd8e1e6eb57,
  vmId=fec3260c-871a-4fbe-a006-9eee4fbfbbcc, ticket=TKfzUQJLLrUI,
  validTime=120,m userName=admin@internal,
  userId=fdfc627c-d875-11e0-90f0-83df133b58cc), log id: 5d258049
  2013-08-01 12:49:52,445 INFO
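
Added example (not part of the original thread, and not oVirt or websockify code): the packed OpenSSL error code in the /var/log/messages line reported above, decoded in Python. It shows that 14094418 is a TLS alert received from the peer (unknown_ca), i.e. the browser rejected the proxy's certificate chain. Function names are illustrative; the second and third sample lines are constructed.

```python
import re

# OpenSSL 1.0.x packs an error into 32 bits: library (8) | function (12) | reason (12).
ERR_LIB_SSL = 0x14
# In the SSL library, reason = 1000 + N means "TLS alert N was received from the peer".
SSL_AD_REASON_OFFSET = 1000

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
CERT_ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

# syslog prefix + "<connection id>: handler exception: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\s"
    r"(?P<prog>[^\s\[]+)\[(?P<pid>\d+)\]:\s(?P<conn>\d+):\shandler exception:\s"
    r"(?P<msg>.*)$"
)
OPENSSL_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):")

# Sample input. Line 1 is the message from the thread, unwrapped; lines 2 and 3
# are constructed (the thread gives the Chrome error without a syslog prefix).
SAMPLE_LOG = [
    "Aug  1 13:44:10 ovirtfoo ovirt-websocket-proxy.py[435]: 11: handler exception: "
    "[Errno 1] _ssl.c:1359: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
    "Aug  1 13:45:02 ovirtfoo ovirt-websocket-proxy.py[435]: 11: handler exception: "
    "WSRequestHandler instance has no attribute 'last_code'",
    "Aug  1 13:45:30 ovirtfoo systemd[1]: Started some unrelated unit.",
]


def decode_openssl_error(code_hex):
    """Split an 8-hex-digit OpenSSL 1.0.x error code into lib/func/reason."""
    code = int(code_hex, 16)
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    # Alert descriptions are one byte, so received alerts occupy 1001..1255.
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET < reason <= SSL_AD_REASON_OFFSET + 255:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason, "alert": alert}


def classify(line):
    """Return a finding dict for a proxy 'handler exception' line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    finding = {"conn": int(m.group("conn")), "host": m.group("host"),
               "category": "other", "alert_name": None}
    err = OPENSSL_RE.search(m.group("msg"))
    if err:
        decoded = decode_openssl_error(err.group("code"))
        finding.update(decoded)
        if decoded["alert"] in CERT_ALERTS:
            # The client refused the server certificate: fix trust on the client.
            finding["alert_name"] = CERT_ALERTS[decoded["alert"]]
            finding["category"] = "peer_rejected_certificate"
        elif decoded["alert"] is not None:
            finding["category"] = "peer_sent_alert"
        else:
            finding["category"] = "local_tls_error"
    elif "has no attribute" in m.group("msg"):
        # Python AttributeError inside the request handler, not a TLS failure.
        finding["category"] = "handler_attribute_error"
    return finding


def summarize(lines):
    """Count findings per category, ignoring lines that are not handler exceptions."""
    counts = {}
    for line in lines:
        finding = classify(line)
        if finding is not None:
            counts[finding["category"]] = counts.get(finding["category"], 0) + 1
    return counts


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
    print(summarize(SAMPLE_LOG))
```
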

Re: [Users] Questions on ovirt 3.3 browser based spice/novnc working

2013-08-01 Thread Alon Bar-Lev


- Original Message -
 From: Dead Horse deadhorseconsult...@gmail.com
 To: Alon Bar-Lev alo...@redhat.com
 Cc: users users@ovirt.org
 Sent: Thursday, August 1, 2013 9:59:14 PM
 Subject: Re: [Users] Questions on ovirt 3.3 browser based spice/novnc working
 
 That did the trick for getting the websocket proxy configured (I backed
 out all my changes prior to running engine-setup). I do notice that it
 still seems to leave the ovirt-websocket-proxy.conf in its default state
 and makes no dedications to it. Instead it generated
 /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
 
 I also noted engine setup generated:
 /etc/pki/ovirt-engine/certs/websocket-proxy.cer
 /etc/pki/ovirt-engine/keys/websocket-proxy.p12
 /etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
 /etc/pki/ovirt-engine/requests/websocket-proxy.req
 
 None the less still neither spice nor novnc will connect. I tried changing
 Engine:6100 to EngineIP:6100 so that IP would be used instead. However
 using either the FQDN or IP still yielded the same results.

You should not touch anything... all should be configured...
Make sure your browser trusts the *CA* of the engine and not the engine
certificate directly.
And try to open vnc console via webadmin.

 There was nothing interesting in the logs either. I do notice that whilst
 the websocket-proxy service is running I never see any websockify processes
 but instead in /var/log/messages I see:
 Aug  1 13:44:10 ovirtfoo ovirt-websocket-proxy.py[435]: 11: handler
 exception: [Errno 1] _ssl.c:1359: error:14094418:SSL
 routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
 
 Thus I changed SSL_ONLY=True to SSL_ONLY=False in
 /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf and restarted
 engine and websocket-proxy
 No dice it still generated the same error as above during an attempted
 connection to /var/log/messages
 
 I also note the following error message at VM power off (albeit I am
 guessing it has nothing to do with this issue):
 2013-08-01 13:41:03,742 ERROR
 [org.ovirt.engine.core.vdsbroker.DestroyVmVDSCommand] (pool-6-thread-50)
 [304efb3e] VDS::destroy Failed destroying vm
 fec3260c-871a-4fbe-a006-9eee4fbfbbcc in vds =
 5713e5c8-6252-4bce-a3f6-bbd8e1e6eb57 : ovirtnodefoo, error =
 org.ovirt.engine.core.vdsbroker.vdsbroker.VDSErrorException:
 VDSGenericException: VDSErrorException: Failed to DestroyVDS, error =
 Unexpected exception
 
 - DHC
 
 
 On Thu, Aug 1, 2013 at 1:07 PM, Alon Bar-Lev alo...@redhat.com wrote:
 
  If you install the proxy on the engine machine you just need:
 
  # yum install ovirt-engine-websocket-proxy
  # engine-setup
 
  then answer yes when prompted if you would like to configure websocket proxy.
 
  you can execute engine-setup again even if you already installed.
 
  - Original Message -
   From: Dead Horse deadhorseconsult...@gmail.com
   To: users@ovirt.org users@ovirt.org
   Sent: Thursday, August 1, 2013 9:01:47 PM
   Subject: [Users] Questions on ovirt 3.3 browser based spice/novnc working
  
   After Referencing:
   http://www.ovirt.org/Features/noVNC_console
   http://www.ovirt.org/Features/SpiceHTML5
  
   and looking at some of the related engine code.
  
   I am still attempting to get the spice/novnc browser based consoles to
  work.
  
   I am working from a build from master yesterday I used to upgrade over a
   previous 3.3 master build from about a month back.
  
   VDSM version on host is 4.12.0 built minutes ago.
  
   I have installed and configured the websocket proxy like so:
  
   Set WebSocketProxy to engine ENGINEIP port 6100
   engine-config -s WebSocketProxy=ENGINEIP:6100
  
   /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=websocket-proxy
   --password=install --subject=/C=US/O=DHC/CN=ENGINEFQDN
  
   This generates:
   /etc/pki/ovirt-engine/keys/websocket-proxy.p12
   /etc/pki/ovirt-engine/certs/websocket-proxy.cer
   /etc/pki/ovirt-engine/requests/websocket-proxy.req
  
   However it does not generate the key that websockify wants so we do:
   openssl pkcs12 -in websocket-proxy.p12 -nocerts -nodes -out
   /etc/pki/ovirt-engine/keys/websocket-proxy.key
  
   The configuration of ovirt-websocket-proxy:
   PROXY_HOST=*
   PROXY_PORT=6100
   SOURCE_IS_IPV6=False
   SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
   SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key
   FORCE_DATA_VERIFICATION=False
   CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
   SSL_ONLY=True
   TRACE_ENABLE=False
   TRACE_FILE=
   ENGINE_USR=/usr/share/ovirt-engine
  
   Install spice-html5
   git clone http://anongit.freedesktop.org/git/spice/spice-html5.git
   mv spice-html5 /usr/share
  
   Test spice:
   In Webadmin UI we create a VM, set display as spice, start it and set
   its console to spice-html5.
   Result spice-html client opens in a new tab but does not connect.
  
   From engine.log:
   2013-08-01 12:49:52,352 INFO
  [org.ovirt.engine.core.bll.SetVmTicketCommand]
   (ajp

Re: [Users] Questions on ovirt 3.3 browser based spice/novnc working

2013-08-01 Thread Dead Horse
Attached Firefox and Chrome screenshots of Certificates.
errors thrown by websockify
Firefox: 1: handler exception: [Errno 1] _ssl.c:1359: error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Chrome: 11: handler exception: WSRequestHandler instance has no attribute
'last_code'

For Firefox it looks like Firefox needs a bit of prodding to get it to
accept the Websocket CA Cert:
https://github.com/kanaka/websockify/issues/34

The error generated by chrome seems to be a websockify issue:
https://github.com/kanaka/noVNC/issues/86
https://github.com/kanaka/websockify/issues/22#issuecomment-3263065
https://github.com/kanaka/noVNC/issues/177

In any event I got both Chrome and Firefox working by manually browsing to:
https://ENGINEFQDN:6100 and accepting the self signed cert

Not pretty but it worked.

- DHC


On Thu, Aug 1, 2013 at 2:08 PM, Alon Bar-Lev alo...@redhat.com wrote:



 - Original Message -
  From: Dead Horse deadhorseconsult...@gmail.com
  To: Alon Bar-Lev alo...@redhat.com
  Cc: users users@ovirt.org
  Sent: Thursday, August 1, 2013 9:59:14 PM
  Subject: Re: [Users] Questions on ovirt 3.3 browser based spice/novnc
 working
 
  That did the trick for getting the websocket proxy configured (I backed
  out all my changes prior to running engine-setup). I do notice that it
  still seems to leave the ovirt-websocket-proxy.conf in its default state
  and makes no dedications to it. Instead it generated
  /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
 
  I also noted engine setup generated:
  /etc/pki/ovirt-engine/certs/websocket-proxy.cer
  /etc/pki/ovirt-engine/keys/websocket-proxy.p12
  /etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
  /etc/pki/ovirt-engine/requests/websocket-proxy.req
 
  None the less still neither spice nor novnc will connect. I tried
 changing
  Engine:6100 to EngineIP:6100 so that IP would be used instead. However
  using either the FQDN or IP still yielded the same results.

 You should not touch anything... all should be configured...
 Make sure your browser trusts the *CA* of the engine and not the engine
 certificate directly.
 And try to open vnc console via webadmin.

  There was nothing interesting in the logs either. I do notice that whilst
  the websocket-proxy service is running I never see any websockify
 processes
  but instead in /var/log/messages I see:
  Aug  1 13:44:10 ovirtfoo ovirt-websocket-proxy.py[435]: 11: handler
  exception: [Errno 1] _ssl.c:1359: error:14094418:SSL
  routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
 
  Thus I changed SSL_ONLY=True to SSL_ONLY=False in
  /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf and
 restarted
  engine and websocket-proxy
  No dice it still generated the same error as above during an attempted
  connection to /var/log/messages
 
  I also note the following error message at VM power off (albeit I am
  guessing it has nothing to do with this issue):
  2013-08-01 13:41:03,742 ERROR
  [org.ovirt.engine.core.vdsbroker.DestroyVmVDSCommand] (pool-6-thread-50)
  [304efb3e] VDS::destroy Failed destroying vm
  fec3260c-871a-4fbe-a006-9eee4fbfbbcc in vds =
  5713e5c8-6252-4bce-a3f6-bbd8e1e6eb57 : ovirtnodefoo, error =
  org.ovirt.engine.core.vdsbroker.vdsbroker.VDSErrorException:
  VDSGenericException: VDSErrorException: Failed to DestroyVDS, error =
  Unexpected exception
 
  - DHC
 
 
  On Thu, Aug 1, 2013 at 1:07 PM, Alon Bar-Lev alo...@redhat.com wrote:
 
   If you install the proxy on the engine machine you just need:
  
   # yum install ovirt-engine-websocket-proxy
   # engine-setup
  
   then answer yes when prompted if you would like to configure websocket proxy.
  
   you can execute engine-setup again even if you already installed.
  
   - Original Message -
From: Dead Horse deadhorseconsult...@gmail.com
To: users@ovirt.org users@ovirt.org
Sent: Thursday, August 1, 2013 9:01:47 PM
Subject: [Users] Questions on ovirt 3.3 browser based spice/novnc
 working
   
After Referencing:
http://www.ovirt.org/Features/noVNC_console
http://www.ovirt.org/Features/SpiceHTML5
   
and looking at some of the related engine code.
   
I am still attempting to get the spice/novnc browser based consoles
 to
   work.
   
I am working from a build from master yesterday I used to upgrade
 over a
previous 3.3 master build from about a month back.
   
VDSM version on host is 4.12.0 built minutes ago.
   
I have installed and configured the websocket proxy like so:
   
Set WebSocketProxy to engine ENGINEIP port 6100
engine-config -s WebSocketProxy=ENGINEIP:6100
   
/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh
 --name=websocket-proxy
--password=install --subject=/C=US/O=DHC/CN=ENGINEFQDN
   
This generates:
/etc/pki/ovirt-engine/keys/websocket-proxy.p12
/etc/pki/ovirt-engine/certs/websocket-proxy.cer
/etc/pki/ovirt-engine/requests/websocket-proxy.req
   
However it does not generate the key