Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

2016-08-16 Thread aleksey . maksimov

Oh yeah :)
I mistakenly used a root certificate from a local CA for 
/etc/pki/ovirt-engine/apache-ca.pem.
Now I understood, and it works. 
Thanks again.

16.08.2016, 16:15, "Jiri Belka" :
> IMO you "owe" explanation what was wrong, so other users
> could learn from your mistakes and this mailing-list archive
> would thus be beneficial for them when searching for help ;)
>
> Anyway, that's great news!
>
> j.
>
> - Original Message -
> From: "aleksey maksimov" 
> To: "Jiri Belka" 
> Cc: "users" 
> Sent: Tuesday, August 16, 2016 2:59:21 PM
> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
> HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: 
> wss://ovirt.engine.fqdn:6100/
>
> Thank you, Jiri !
> I did everything step by step and SPICE HTML5 browser client now works.
>
> 16.08.2016, 10:46, "Jiri Belka" :
>>  So,
>>
>>  I used this for my own ca test:
>>
>>  OWN CA AND OWN ENGINE KEY/CRT
>>  =
>>
>>  0> CA
>>
>>  # awk '/my-/ || $1 ~ /^[^#]*_default/' /etc/pki/tls/openssl.cnf
>>  certificate = $dir/my-ca.crt # The CA certificate
>>  crl = $dir/my-ca.crl # The current CRL
>>  private_key = $dir/private/my-ca.key # The private key
>>  countryName_default = CZ
>>  stateOrProvinceName_default = Jihomoravsky kraj
>>  localityName_default = Brno
>>  0.organizationName_default = Shoot them in the head, s. r. o.
>>
>>  touch /etc/pki/CA/index.txt
>>  echo 01 > /etc/pki/CA/serial
>>  cd /etc/pki/CA
>>  (umask 077 ; openssl genrsa -out private/my-ca.key -des3 2048 )
>>  openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt
>>
>>  0> engine cert
>>
>>  openssl genrsa -out my-engine.key 4096
>>  openssl req -new -out my-engine.csr -key my-engine.key
>>  openssl ca -in my-engine.csr -out my-engine.crt
>>  # use 'mypass' for p12 bundle export !!!
>>  openssl pkcs12 -export -out my-engine.p12 -inkey my-engine.key -in 
>> my-engine.crt -chain -CAfile /etc/pki/CA/my-ca.crt
>>
>>  0> existing engine keys/certs/p12 replacement
>>
>>  (follow 
>> $engine_url/ovirt-engine/docs/manual/en_US/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html)
>>
>>  rm -f /etc/pki/ovirt-engine/apache-ca.pem
>>  cp my-engine.crt /etc/pki/ovirt-engine/apache-ca.pem
>>  cp my-engine.p12 /etc/pki/ovirt-engine/keys/apache.p12
>>  openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > 
>> /etc/pki/ovirt-engine/keys/apache.key.nopass
>>  openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > 
>> /etc/pki/ovirt-engine/certs/apache.cer
>>  install -o ovirt -g ovirt -m 600 /dev/null 
>> /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
>>  # 'changeit' is default java truststore pass on EL
>>  cat > /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf << EOF
>>  ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
>>  ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="changeit"
>>  EOF
>>
>>  0> add custom CA into system truststore after backup
>>
>>  cp /etc/pki/CA/my-ca.crt /etc/pki/ca-trust/source/anchors/CA.crt
>>  update-ca-trust
>>
>>  0> check if system truststore knows about custom CA
>>
>>  openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 
>> -noout
>>  # 'changeit' is default java truststore pass on EL
>>  keytool -list -keystore /etc/pki/java/cacerts -storepass changeit | grep 
>> "$( openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint 
>> -sha1 -noout | sed -e '/SHA1/s/.*=//;' )"
>>  grep -IR "$(sed -n '2p' /etc/pki/ca-trust/source/anchors/CA.crt)" 
>> /etc/pki/ca-trust/extracted/
>>
>>  0> engine-setup pki configuration check
>>
>>  engine-setup # see if 'PKI CONFIGURATION' section passed without errors
>>
>>  (doctext here https://bugzilla.redhat.com/show_bug.cgi?id=1336838)
>>
>>  And this for websocket proxy:
>>
>>  # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>  PROXY_PORT=6100
>>  SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
>>  SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>  CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>  SSL_ONLY=True
>>
>>  You can start manually websocket proxy:
>>
>>  
>> /usr/share/ovirt-engine/services/ovirt-websocket-proxy/ovirt-websocket-proxy.py
>>  --help
>>  Usage: ovirt-websocket-proxy.py [options] start
>>
>>  Options:
>>    -h, --help show this help message and exit
>>    -d, --debug debug mode
>>    --pidfile=FILE pid file to use
>>    --background Go into the background
>>    --systemd=SYSTEMD Systemd type simple|notify
>>    --redirect-output Redirect output of daemon
>>
>>  It is also handy to do:
>>
>>  openssl s_client -connect $websocketproxy_host:6100
>>
>>  j.
>>
>>  - Original Message -
>>  From: "aleksey maksimov" 
>>  To: "Jiri Belka" 
>>  Cc: "users" 
>>  Sent: 

Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

2016-08-16 Thread Jiri Belka
IMO you "owe" explanation what was wrong, so other users
could learn from your mistakes and this mailing-list archive
would thus be beneficial for them when searching for help ;)

Anyway, that's great news!

j.

- Original Message -
From: "aleksey maksimov" 
To: "Jiri Belka" 
Cc: "users" 
Sent: Tuesday, August 16, 2016 2:59:21 PM
Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 
browser client -> WebSocket error: Can't connect to websocket on URL: 
wss://ovirt.engine.fqdn:6100/

Thank you, Jiri ! 
I did everything step by step and SPICE HTML5 browser client now works.

16.08.2016, 10:46, "Jiri Belka" :
> So,
>
> I used this for my own ca test:
>
> OWN CA AND OWN ENGINE KEY/CRT
> =
>
> 0> CA
>
> # awk '/my-/ || $1 ~ /^[^#]*_default/' /etc/pki/tls/openssl.cnf
> certificate = $dir/my-ca.crt # The CA certificate
> crl = $dir/my-ca.crl # The current CRL
> private_key = $dir/private/my-ca.key # The private key
> countryName_default = CZ
> stateOrProvinceName_default = Jihomoravsky kraj
> localityName_default = Brno
> 0.organizationName_default = Shoot them in the head, s. r. o.
>
> touch /etc/pki/CA/index.txt
> echo 01 > /etc/pki/CA/serial
> cd /etc/pki/CA
> (umask 077 ; openssl genrsa -out private/my-ca.key -des3 2048 )
> openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt
>
> 0> engine cert
>
> openssl genrsa -out my-engine.key 4096
> openssl req -new -out my-engine.csr -key my-engine.key
> openssl ca -in my-engine.csr -out my-engine.crt
> # use 'mypass' for p12 bundle export !!!
> openssl pkcs12 -export -out my-engine.p12 -inkey my-engine.key -in 
> my-engine.crt -chain -CAfile /etc/pki/CA/my-ca.crt
>
> 0> existing engine keys/certs/p12 replacement
>
> (follow 
> $engine_url/ovirt-engine/docs/manual/en_US/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html)
>
> rm -f /etc/pki/ovirt-engine/apache-ca.pem
> cp my-engine.crt /etc/pki/ovirt-engine/apache-ca.pem
> cp my-engine.p12 /etc/pki/ovirt-engine/keys/apache.p12
> openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > 
> /etc/pki/ovirt-engine/keys/apache.key.nopass
> openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > 
> /etc/pki/ovirt-engine/certs/apache.cer
> install -o ovirt -g ovirt -m 600 /dev/null 
> /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
> # 'changeit' is default java truststore pass on EL
> cat > /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf << EOF
> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="changeit"
> EOF
>
> 0> add custom CA into system truststore after backup
>
> cp /etc/pki/CA/my-ca.crt /etc/pki/ca-trust/source/anchors/CA.crt
> update-ca-trust
>
> 0> check if system truststore knows about custom CA
>
> openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 
> -noout
> # 'changeit' is default java truststore pass on EL
> keytool -list -keystore /etc/pki/java/cacerts -storepass changeit | grep "$( 
> openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 
> -noout | sed -e '/SHA1/s/.*=//;' )"
> grep -IR "$(sed -n '2p' /etc/pki/ca-trust/source/anchors/CA.crt)" 
> /etc/pki/ca-trust/extracted/
>
> 0> engine-setup pki configuration check
>
> engine-setup # see if 'PKI CONFIGURATION' section passed without errors
>
> (doctext here https://bugzilla.redhat.com/show_bug.cgi?id=1336838)
>
> And this for websocket proxy:
>
> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
> PROXY_PORT=6100
> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
> SSL_ONLY=True
>
> You can start manually websocket proxy:
>
> /usr/share/ovirt-engine/services/ovirt-websocket-proxy/ovirt-websocket-proxy.py
>  --help
> Usage: ovirt-websocket-proxy.py [options] start
>
> Options:
>   -h, --help show this help message and exit
>   -d, --debug debug mode
>   --pidfile=FILE pid file to use
>   --background Go into the background
>   --systemd=SYSTEMD Systemd type simple|notify
>   --redirect-output Redirect output of daemon
>
> It is also handy to do:
>
> openssl s_client -connect $websocketproxy_host:6100
>
> j.
>
> - Original Message -
> From: "aleksey maksimov" 
> To: "Jiri Belka" 
> Cc: "users" 
> Sent: Tuesday, August 16, 2016 9:33:54 AM
> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
> HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: 
> wss://ovirt.engine.fqdn:6100/
>
> Jiri, I did not hide information. Tell me what the log file should show and I 
> will show
>
> 16.08.2016, 10:29, "Jiri Belka" :
>>  It does have logs, filenames "hide" real data.
>>
>>  

Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

2016-08-16 Thread aleksey . maksimov
Thank you, Jiri ! 
I did everything step by step and SPICE HTML5 browser client now works.

16.08.2016, 10:46, "Jiri Belka" :
> So,
>
> I used this for my own ca test:
>
> OWN CA AND OWN ENGINE KEY/CRT
> =
>
> 0> CA
>
> # awk '/my-/ || $1 ~ /^[^#]*_default/' /etc/pki/tls/openssl.cnf
> certificate = $dir/my-ca.crt # The CA certificate
> crl = $dir/my-ca.crl # The current CRL
> private_key = $dir/private/my-ca.key # The private key
> countryName_default = CZ
> stateOrProvinceName_default = Jihomoravsky kraj
> localityName_default = Brno
> 0.organizationName_default = Shoot them in the head, s. r. o.
>
> touch /etc/pki/CA/index.txt
> echo 01 > /etc/pki/CA/serial
> cd /etc/pki/CA
> (umask 077 ; openssl genrsa -out private/my-ca.key -des3 2048 )
> openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt
>
> 0> engine cert
>
> openssl genrsa -out my-engine.key 4096
> openssl req -new -out my-engine.csr -key my-engine.key
> openssl ca -in my-engine.csr -out my-engine.crt
> # use 'mypass' for p12 bundle export !!!
> openssl pkcs12 -export -out my-engine.p12 -inkey my-engine.key -in 
> my-engine.crt -chain -CAfile /etc/pki/CA/my-ca.crt
>
> 0> existing engine keys/certs/p12 replacement
>
> (follow 
> $engine_url/ovirt-engine/docs/manual/en_US/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html)
>
> rm -f /etc/pki/ovirt-engine/apache-ca.pem
> cp my-engine.crt /etc/pki/ovirt-engine/apache-ca.pem
> cp my-engine.p12 /etc/pki/ovirt-engine/keys/apache.p12
> openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > 
> /etc/pki/ovirt-engine/keys/apache.key.nopass
> openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > 
> /etc/pki/ovirt-engine/certs/apache.cer
> install -o ovirt -g ovirt -m 600 /dev/null 
> /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
> # 'changeit' is default java truststore pass on EL
> cat > /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf << EOF
> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="changeit"
> EOF
>
> 0> add custom CA into system truststore after backup
>
> cp /etc/pki/CA/my-ca.crt /etc/pki/ca-trust/source/anchors/CA.crt
> update-ca-trust
>
> 0> check if system truststore knows about custom CA
>
> openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 
> -noout
> # 'changeit' is default java truststore pass on EL
> keytool -list -keystore /etc/pki/java/cacerts -storepass changeit | grep "$( 
> openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 
> -noout | sed -e '/SHA1/s/.*=//;' )"
> grep -IR "$(sed -n '2p' /etc/pki/ca-trust/source/anchors/CA.crt)" 
> /etc/pki/ca-trust/extracted/
>
> 0> engine-setup pki configuration check
>
> engine-setup # see if 'PKI CONFIGURATION' section passed without errors
>
> (doctext here https://bugzilla.redhat.com/show_bug.cgi?id=1336838)
>
> And this for websocket proxy:
>
> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
> PROXY_PORT=6100
> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
> SSL_ONLY=True
>
> You can start manually websocket proxy:
>
> /usr/share/ovirt-engine/services/ovirt-websocket-proxy/ovirt-websocket-proxy.py
>  --help
> Usage: ovirt-websocket-proxy.py [options] start
>
> Options:
>   -h, --help show this help message and exit
>   -d, --debug debug mode
>   --pidfile=FILE pid file to use
>   --background Go into the background
>   --systemd=SYSTEMD Systemd type simple|notify
>   --redirect-output Redirect output of daemon
>
> It is also handy to do:
>
> openssl s_client -connect $websocketproxy_host:6100
>
> j.
>
> - Original Message -
> From: "aleksey maksimov" 
> To: "Jiri Belka" 
> Cc: "users" 
> Sent: Tuesday, August 16, 2016 9:33:54 AM
> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
> HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: 
> wss://ovirt.engine.fqdn:6100/
>
> Jiri, I did not hide information. Tell me what the log file should show and I 
> will show
>
> 16.08.2016, 10:29, "Jiri Belka" :
>>  It does have logs, filenames "hide" real data.
>>
>>  You should reveal logs and what each file is and
>>  which exact commands you were executing.
>>
>>  Vague statements won't help much. It does work for me,
>>  there much be something strange in your setup but we
>>  cannot know what without details.
>>
>>  j.
>>
>>  - Original Message -
>>  From: "aleksey maksimov" 
>>  To: "Jiri Belka" 
>>  Cc: "users" 
>>  Sent: Monday, August 15, 2016 6:18:48 PM
>>  Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
>> HTML5 browser client -> 

Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

2016-08-16 Thread Jiri Belka
So,

I used this for my own ca test:

OWN CA AND OWN ENGINE KEY/CRT
=


0> CA

# awk '/my-/ || $1 ~ /^[^#]*_default/' /etc/pki/tls/openssl.cnf
certificate = $dir/my-ca.crt# The CA certificate
crl = $dir/my-ca.crl# The current CRL
private_key = $dir/private/my-ca.key # The private key
countryName_default = CZ
stateOrProvinceName_default = Jihomoravsky kraj
localityName_default= Brno
0.organizationName_default  = Shoot them in the head, s. r. o.

touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
cd /etc/pki/CA
(umask 077 ; openssl genrsa -out private/my-ca.key -des3 2048 )
openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt


0> engine cert

openssl genrsa -out my-engine.key 4096
openssl req -new -out my-engine.csr -key my-engine.key
openssl ca -in my-engine.csr -out my-engine.crt
# use 'mypass' for p12 bundle export !!!
openssl pkcs12 -export -out my-engine.p12 -inkey my-engine.key -in 
my-engine.crt -chain -CAfile /etc/pki/CA/my-ca.crt


0> existing engine keys/certs/p12 replacement

(follow 
$engine_url/ovirt-engine/docs/manual/en_US/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html)

rm -f /etc/pki/ovirt-engine/apache-ca.pem
cp my-engine.crt /etc/pki/ovirt-engine/apache-ca.pem
cp my-engine.p12 /etc/pki/ovirt-engine/keys/apache.p12
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > 
/etc/pki/ovirt-engine/keys/apache.key.nopass
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > 
/etc/pki/ovirt-engine/certs/apache.cer
install -o ovirt -g ovirt -m 600 /dev/null 
/etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
# 'changeit' is default java truststore pass on EL
cat > /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf << EOF
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="changeit"
EOF


0> add custom CA into system truststore after backup

cp /etc/pki/CA/my-ca.crt /etc/pki/ca-trust/source/anchors/CA.crt
update-ca-trust


0> check if system truststore knows about custom CA

openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 
-noout
# 'changeit' is default java truststore pass on EL
keytool -list -keystore /etc/pki/java/cacerts -storepass changeit | grep "$( 
openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 
-noout | sed -e '/SHA1/s/.*=//;' )"
grep -IR "$(sed -n '2p' /etc/pki/ca-trust/source/anchors/CA.crt)" 
/etc/pki/ca-trust/extracted/


0> engine-setup pki configuration check

engine-setup # see if 'PKI CONFIGURATION' section passed without errors

(doctext here https://bugzilla.redhat.com/show_bug.cgi?id=1336838)

And this for websocket proxy:

# cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
PROXY_PORT=6100
SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
SSL_ONLY=True

You can start manually websocket proxy:

/usr/share/ovirt-engine/services/ovirt-websocket-proxy/ovirt-websocket-proxy.py 
--help
Usage: ovirt-websocket-proxy.py [options] start

Options:
  -h, --help show this help message and exit
  -d, --debugdebug mode
  --pidfile=FILE pid file to use
  --background   Go into the background
  --systemd=SYSTEMD  Systemd type simple|notify
  --redirect-output  Redirect output of daemon

It is also handy to do:

openssl s_client -connect $websocketproxy_host:6100

j.

- Original Message -
From: "aleksey maksimov" 
To: "Jiri Belka" 
Cc: "users" 
Sent: Tuesday, August 16, 2016 9:33:54 AM
Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 
browser client -> WebSocket error: Can't connect to websocket on URL: 
wss://ovirt.engine.fqdn:6100/


Jiri, I did not hide information. Tell me what the log file should show and I 
will show

16.08.2016, 10:29, "Jiri Belka" :
> It does have logs, filenames "hide" real data.
>
> You should reveal logs and what each file is and
> which exact commands you were executing.
>
> Vague statements won't help much. It does work for me,
> there much be something strange in your setup but we
> cannot know what without details.
>
> j.
>
> - Original Message -
> From: "aleksey maksimov" 
> To: "Jiri Belka" 
> Cc: "users" 
> Sent: Monday, August 15, 2016 6:18:48 PM
> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
> HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: 
> wss://ovirt.engine.fqdn:6100/
>
> I tried a version of Nicolás.
> No success :((
>
> 1) I create full bundle cert file:
>
> # cat /etc/pki/ovirt-engine/certs/apache.cer 
> /etc/pki/ovirt-engine/apache-ca.pem > 
> 

Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

2016-08-16 Thread aleksey . maksimov

Jiri, I did not hide information. Tell me what the log file should show and I 
will show

16.08.2016, 10:29, "Jiri Belka" :
> It does have logs, filenames "hide" real data.
>
> You should reveal logs and what each file is and
> which exact commands you were executing.
>
> Vague statements won't help much. It does work for me,
> there much be something strange in your setup but we
> cannot know what without details.
>
> j.
>
> - Original Message -
> From: "aleksey maksimov" 
> To: "Jiri Belka" 
> Cc: "users" 
> Sent: Monday, August 15, 2016 6:18:48 PM
> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
> HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: 
> wss://ovirt.engine.fqdn:6100/
>
> I tried a version of Nicolás.
> No success :((
>
> 1) I create full bundle cert file:
>
> # cat /etc/pki/ovirt-engine/certs/apache.cer 
> /etc/pki/ovirt-engine/apache-ca.pem > 
> /etc/pki/ovirt-engine/certs/apache-with-ca.cer
> # openssl verify /etc/pki/ovirt-engine/certs/apache-with-ca.cer
>
> /etc/pki/ovirt-engine/certs/apache-with-ca.cer: OK
>
> 2) I changed config file:
>
> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>
> PROXY_PORT=6100
> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache-with-ca.cer
> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
> SSL_ONLY=True
> FORCE_DATA_VERIFICATION=False
>
> 3) I restarted the service
>
> # service ovirt-websocket-proxy restart
>
> Problem still exists :(
> Any ideas how to trablshut problem?
>
> 14.08.2016, 08:59, "aleksey.maksi...@it-kb.ru" :
>>  Hi Jiri.
>>  But your variant does not work, too
>>
>>  # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>  PROXY_PORT=6100
>>  SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
>>  SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>  CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>  SSL_ONLY=True
>>
>>  Some error:
>>  WebSocket error: Can't connect to websocket on URL: 
>> wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>>
>>  any ideas how to trablshut problem?
>>
>>  14.08.2016, 01:53, "Jiri Belka" :
>>>   I have different files for those variables, maybe this is the case?
>>>
>>>   Review again.
>>>
>>>   j.
>>>
>>>   - Original Message -
>>>   From: "aleksey maksimov" 
>>>   To: "Jiri Belka" 
>>>   Cc: "users" 
>>>   Sent: Saturday, August 13, 2016 4:57:45 PM
>>>   Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
>>> HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: 
>>> wss://ovirt.engine.fqdn:6100/
>>>
>>>   I changed my file 
>>> /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf to:
>>>
>>>   PROXY_PORT=6100
>>>   #SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
>>>   #SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
>>>   #CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>>   SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
>>>   SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>>   CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/apache-ca.pem
>>>   SSL_ONLY=True
>>>
>>>   ...and restart HostedEngine VM.
>>>   Problem still exists.
>>>
>>>   13.08.2016, 17:52, "aleksey.maksi...@it-kb.ru" 
>>> :
    It does not work for me. any ideas?

    02.08.2016, 17:22, "Jiri Belka" :
> This works for me:
>
> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
> PROXY_PORT=6100
> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
> SSL_ONLY=True
>
> - Original Message -
> From: "aleksey maksimov" 
> To: "users" 
> Sent: Monday, August 1, 2016 12:13:38 PM
> Subject: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
> HTML5 browser client -> WebSocket error: Can't connect to websocket on 
> URL: wss://ovirt.engine.fqdn:6100/
>
> Hello oVirt guru`s !
>
> I have successfully replaced the oVirt 4 site SSL-certificate 
> according to the instructions from "Replacing oVirt SSL Certificate"
> section in "oVirt Administration Guide"
> http://www.ovirt.org/documentation/admin-guide/administration-guide/
>
> 3 files have been replaced:
>
> /etc/pki/ovirt-engine/certs/apache.cer
> /etc/pki/ovirt-engine/keys/apache.key.nopass
> /etc/pki/ovirt-engine/apache-ca.pem
>
> Now the oVirt site using my certificate and everything works fine, 
> 

Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

2016-08-16 Thread Jiri Belka
It does have logs, filenames "hide" real data.

You should reveal logs and what each file is and
which exact commands you were executing.

Vague statements won't help much. It does work for me,
there much be something strange in your setup but we
cannot know what without details.

j.

- Original Message -
From: "aleksey maksimov" 
To: "Jiri Belka" 
Cc: "users" 
Sent: Monday, August 15, 2016 6:18:48 PM
Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 
browser client -> WebSocket error: Can't connect to websocket on URL: 
wss://ovirt.engine.fqdn:6100/

I tried a version of Nicolás. 
No success :((

1) I create full bundle cert file:

# cat /etc/pki/ovirt-engine/certs/apache.cer 
/etc/pki/ovirt-engine/apache-ca.pem > 
/etc/pki/ovirt-engine/certs/apache-with-ca.cer
# openssl verify /etc/pki/ovirt-engine/certs/apache-with-ca.cer

/etc/pki/ovirt-engine/certs/apache-with-ca.cer: OK

2) I changed config file:

# cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf

PROXY_PORT=6100
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache-with-ca.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
SSL_ONLY=True
FORCE_DATA_VERIFICATION=False

3) I restarted the service

# service ovirt-websocket-proxy restart

Problem still exists :(
Any ideas how to trablshut problem?

14.08.2016, 08:59, "aleksey.maksi...@it-kb.ru" :
> Hi Jiri.
> But your variant does not work, too
>
> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
> PROXY_PORT=6100
> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
> SSL_ONLY=True
>
> Some error:
> WebSocket error: Can't connect to websocket on URL: 
> wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>
> any ideas how to trablshut problem?
>
> 14.08.2016, 01:53, "Jiri Belka" :
>>  I have different files for those variables, maybe this is the case?
>>
>>  Review again.
>>
>>  j.
>>
>>  - Original Message -
>>  From: "aleksey maksimov" 
>>  To: "Jiri Belka" 
>>  Cc: "users" 
>>  Sent: Saturday, August 13, 2016 4:57:45 PM
>>  Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
>> HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: 
>> wss://ovirt.engine.fqdn:6100/
>>
>>  I changed my file 
>> /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf to:
>>
>>  PROXY_PORT=6100
>>  #SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
>>  #SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
>>  #CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>  SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
>>  SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>  CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/apache-ca.pem
>>  SSL_ONLY=True
>>
>>  ...and restart HostedEngine VM.
>>  Problem still exists.
>>
>>  13.08.2016, 17:52, "aleksey.maksi...@it-kb.ru" :
>>>   It does not work for me. any ideas?
>>>
>>>   02.08.2016, 17:22, "Jiri Belka" :
    This works for me:

    # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
    PROXY_PORT=6100
    SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
    SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
    CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
    SSL_ONLY=True

    - Original Message -
    From: "aleksey maksimov" 
    To: "users" 
    Sent: Monday, August 1, 2016 12:13:38 PM
    Subject: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
 HTML5 browser client -> WebSocket error: Can't connect to websocket on 
 URL: wss://ovirt.engine.fqdn:6100/

    Hello oVirt guru`s !

    I have successfully replaced the oVirt 4 site SSL-certificate according 
 to the instructions from "Replacing oVirt SSL Certificate"
    section in "oVirt Administration Guide"
    http://www.ovirt.org/documentation/admin-guide/administration-guide/

    3 files have been replaced:

    /etc/pki/ovirt-engine/certs/apache.cer
    /etc/pki/ovirt-engine/keys/apache.key.nopass
    /etc/pki/ovirt-engine/apache-ca.pem

    Now the oVirt site using my certificate and everything works fine, but 
 when I try to use SPICE HTML5 browser client in Firefox or Chrome I see a 
 gray screen and message under the button "Toggle messages output":

    WebSocket error: Can't connect to websocket on URL: 
 wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]

    Before replacing certificates SPICE HTML5 browser client works.
    Native SPICE 

Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

2016-08-15 Thread aleksey . maksimov
I tried a version of Nicolás. 
No success :((

1) I create full bundle cert file:

# cat /etc/pki/ovirt-engine/certs/apache.cer 
/etc/pki/ovirt-engine/apache-ca.pem > 
/etc/pki/ovirt-engine/certs/apache-with-ca.cer
# openssl verify /etc/pki/ovirt-engine/certs/apache-with-ca.cer

/etc/pki/ovirt-engine/certs/apache-with-ca.cer: OK

2) I changed config file:

# cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf

PROXY_PORT=6100
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache-with-ca.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
SSL_ONLY=True
FORCE_DATA_VERIFICATION=False

3) I restarted the service

# service ovirt-websocket-proxy restart

Problem still exists :(
Any ideas how to trablshut problem?

14.08.2016, 08:59, "aleksey.maksi...@it-kb.ru" :
> Hi Jiri.
> But your variant does not work, too
>
> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
> PROXY_PORT=6100
> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
> SSL_ONLY=True
>
> Some error:
> WebSocket error: Can't connect to websocket on URL: 
> wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>
> any ideas how to trablshut problem?
>
> 14.08.2016, 01:53, "Jiri Belka" :
>>  I have different files for those variables, maybe this is the case?
>>
>>  Review again.
>>
>>  j.
>>
>>  - Original Message -
>>  From: "aleksey maksimov" 
>>  To: "Jiri Belka" 
>>  Cc: "users" 
>>  Sent: Saturday, August 13, 2016 4:57:45 PM
>>  Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
>> HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: 
>> wss://ovirt.engine.fqdn:6100/
>>
>>  I changed my file 
>> /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf to:
>>
>>  PROXY_PORT=6100
>>  #SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
>>  #SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
>>  #CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>  SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
>>  SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>  CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/apache-ca.pem
>>  SSL_ONLY=True
>>
>>  ...and restart HostedEngine VM.
>>  Problem still exists.
>>
>>  13.08.2016, 17:52, "aleksey.maksi...@it-kb.ru" :
>>>   It does not work for me. any ideas?
>>>
>>>   02.08.2016, 17:22, "Jiri Belka" :
    This works for me:

    # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
    PROXY_PORT=6100
    SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
    SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
    CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
    SSL_ONLY=True

    - Original Message -
    From: "aleksey maksimov" 
    To: "users" 
    Sent: Monday, August 1, 2016 12:13:38 PM
    Subject: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
 HTML5 browser client -> WebSocket error: Can't connect to websocket on 
 URL: wss://ovirt.engine.fqdn:6100/

    Hello oVirt guru`s !

    I have successfully replaced the oVirt 4 site SSL-certificate according 
 to the instructions from "Replacing oVirt SSL Certificate"
    section in "oVirt Administration Guide"
    http://www.ovirt.org/documentation/admin-guide/administration-guide/

    3 files have been replaced:

    /etc/pki/ovirt-engine/certs/apache.cer
    /etc/pki/ovirt-engine/keys/apache.key.nopass
    /etc/pki/ovirt-engine/apache-ca.pem

    Now the oVirt site using my certificate and everything works fine, but 
 when I try to use SPICE HTML5 browser client in Firefox or Chrome I see a 
 gray screen and message under the button "Toggle messages output":

    WebSocket error: Can't connect to websocket on URL: 
 wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]

    Before replacing certificates SPICE HTML5 browser client works.
    Native SPICE client works fine.

    Tell me what to do with SPICE HTML5 browser client?
    ___
    Users mailing list
    Users@ovirt.org
    http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

2016-08-14 Thread Nicolás

We have a pretty likely configuration, with just one additional option:

FORCE_DATA_VERIFICATION=False

If it doesn't work, make sure the SSL_CERTIFICATE has the full bundle of 
your certificate, including intermediate certs, not just the public 
certificate. Then make sure to restart the ovirt-websocket-proxy daemon 
(not ovirt-engine).


El 14/08/16 a las 06:59, aleksey.maksi...@it-kb.ru escribió:

Hi Jiri.
But your variant does not work, too

# cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
PROXY_PORT=6100
SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
SSL_ONLY=True

Some error:
WebSocket error: Can't connect to websocket on URL: 
wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]

any ideas how to trablshut problem?

14.08.2016, 01:53, "Jiri Belka" :

I have different files for those variables, maybe this is the case?

Review again.

j.

- Original Message -
From: "aleksey maksimov" 
To: "Jiri Belka" 
Cc: "users" 
Sent: Saturday, August 13, 2016 4:57:45 PM
Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 
browser client -> WebSocket error: Can't connect to websocket on URL: 
wss://ovirt.engine.fqdn:6100/

I changed my file /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf 
to:

PROXY_PORT=6100
#SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
#SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
#CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/apache-ca.pem
SSL_ONLY=True

...and restart HostedEngine VM.
Problem still exists.

13.08.2016, 17:52, "aleksey.maksi...@it-kb.ru" :

  It does not work for me. any ideas?

  02.08.2016, 17:22, "Jiri Belka" :

   This works for me:

   # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
   PROXY_PORT=6100
   SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
   SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
   CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
   SSL_ONLY=True

   - Original Message -
   From: "aleksey maksimov" 
   To: "users" 
   Sent: Monday, August 1, 2016 12:13:38 PM
   Subject: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 
browser client -> WebSocket error: Can't connect to websocket on URL: 
wss://ovirt.engine.fqdn:6100/

   Hello oVirt guru`s !

   I have successfully replaced the oVirt 4 site SSL-certificate according to the 
instructions from "Replacing oVirt SSL Certificate"
   section in "oVirt Administration Guide"
   http://www.ovirt.org/documentation/admin-guide/administration-guide/

   3 files have been replaced:

   /etc/pki/ovirt-engine/certs/apache.cer
   /etc/pki/ovirt-engine/keys/apache.key.nopass
   /etc/pki/ovirt-engine/apache-ca.pem

   Now the oVirt site using my certificate and everything works fine, but when I try to 
use SPICE HTML5 browser client in Firefox or Chrome I see a gray screen and message under 
the button "Toggle messages output":

   WebSocket error: Can't connect to websocket on URL: 
wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]

   Before replacing certificates SPICE HTML5 browser client works.
   Native SPICE client works fine.

   Tell me what to do with SPICE HTML5 browser client?
   ___
   Users mailing list
   Users@ovirt.org
   http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

2016-08-14 Thread aleksey . maksimov

Hi Jiri.
But your variant does not work, too

# cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
PROXY_PORT=6100
SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
SSL_ONLY=True

Some error:
WebSocket error: Can't connect to websocket on URL: 
wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]

any ideas how to trablshut problem?

14.08.2016, 01:53, "Jiri Belka" :
> I have different files for those variables, maybe this is the case?
>
> Review again.
>
> j.
>
> - Original Message -
> From: "aleksey maksimov" 
> To: "Jiri Belka" 
> Cc: "users" 
> Sent: Saturday, August 13, 2016 4:57:45 PM
> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
> HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: 
> wss://ovirt.engine.fqdn:6100/
>
> I changed my file 
> /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf to:
>
> PROXY_PORT=6100
> #SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
> #SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
> #CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/apache-ca.pem
> SSL_ONLY=True
>
> ...and restart HostedEngine VM.
> Problem still exists.
>
> 13.08.2016, 17:52, "aleksey.maksi...@it-kb.ru" :
>>  It does not work for me. any ideas?
>>
>>  02.08.2016, 17:22, "Jiri Belka" :
>>>   This works for me:
>>>
>>>   # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>>   PROXY_PORT=6100
>>>   SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
>>>   SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>>   CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>>   SSL_ONLY=True
>>>
>>>   - Original Message -
>>>   From: "aleksey maksimov" 
>>>   To: "users" 
>>>   Sent: Monday, August 1, 2016 12:13:38 PM
>>>   Subject: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
>>> HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: 
>>> wss://ovirt.engine.fqdn:6100/
>>>
>>>   Hello oVirt guru`s !
>>>
>>>   I have successfully replaced the oVirt 4 site SSL-certificate according 
>>> to the instructions from "Replacing oVirt SSL Certificate"
>>>   section in "oVirt Administration Guide"
>>>   http://www.ovirt.org/documentation/admin-guide/administration-guide/
>>>
>>>   3 files have been replaced:
>>>
>>>   /etc/pki/ovirt-engine/certs/apache.cer
>>>   /etc/pki/ovirt-engine/keys/apache.key.nopass
>>>   /etc/pki/ovirt-engine/apache-ca.pem
>>>
>>>   Now the oVirt site using my certificate and everything works fine, but 
>>> when I try to use SPICE HTML5 browser client in Firefox or Chrome I see a 
>>> gray screen and message under the button "Toggle messages output":
>>>
>>>   WebSocket error: Can't connect to websocket on URL: 
>>> wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>>>
>>>   Before replacing certificates SPICE HTML5 browser client works.
>>>   Native SPICE client works fine.
>>>
>>>   Tell me what to do with SPICE HTML5 browser client?
>>>   ___
>>>   Users mailing list
>>>   Users@ovirt.org
>>>   http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

2016-08-13 Thread Jiri Belka
I have different files for those variables, maybe this is the case?

Review again.

j.

- Original Message -
From: "aleksey maksimov" 
To: "Jiri Belka" 
Cc: "users" 
Sent: Saturday, August 13, 2016 4:57:45 PM
Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 
browser client -> WebSocket error: Can't connect to websocket on URL: 
wss://ovirt.engine.fqdn:6100/


I changed my file /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf 
to:


PROXY_PORT=6100
#SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
#SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
#CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/apache-ca.pem
SSL_ONLY=True

...and restart HostedEngine VM.
Problem still exists.

13.08.2016, 17:52, "aleksey.maksi...@it-kb.ru" :
> It does not work for me. any ideas?
>
> 02.08.2016, 17:22, "Jiri Belka" :
>>  This works for me:
>>
>>  # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>  PROXY_PORT=6100
>>  SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
>>  SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>  CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>  SSL_ONLY=True
>>
>>  - Original Message -
>>  From: "aleksey maksimov" 
>>  To: "users" 
>>  Sent: Monday, August 1, 2016 12:13:38 PM
>>  Subject: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 
>> browser client -> WebSocket error: Can't connect to websocket on URL: 
>> wss://ovirt.engine.fqdn:6100/
>>
>>  Hello oVirt guru`s !
>>
>>  I have successfully replaced the oVirt 4 site SSL-certificate according to 
>> the instructions from "Replacing oVirt SSL Certificate"
>>  section in "oVirt Administration Guide"
>>  http://www.ovirt.org/documentation/admin-guide/administration-guide/
>>
>>  3 files have been replaced:
>>
>>  /etc/pki/ovirt-engine/certs/apache.cer
>>  /etc/pki/ovirt-engine/keys/apache.key.nopass
>>  /etc/pki/ovirt-engine/apache-ca.pem
>>
>>  Now the oVirt site using my certificate and everything works fine, but when 
>> I try to use SPICE HTML5 browser client in Firefox or Chrome I see a gray 
>> screen and message under the button "Toggle messages output":
>>
>>  WebSocket error: Can't connect to websocket on URL: 
>> wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>>
>>  Before replacing certificates SPICE HTML5 browser client works.
>>  Native SPICE client works fine.
>>
>>  Tell me what to do with SPICE HTML5 browser client?
>>  ___
>>  Users mailing list
>>  Users@ovirt.org
>>  http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

2016-08-13 Thread aleksey . maksimov

I changed my file /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf 
to:


PROXY_PORT=6100
#SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
#SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
#CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/apache-ca.pem
SSL_ONLY=True

...and restart HostedEngine VM.
Problem still exists.

13.08.2016, 17:52, "aleksey.maksi...@it-kb.ru" :
> It does not work for me. any ideas?
>
> 02.08.2016, 17:22, "Jiri Belka" :
>>  This works for me:
>>
>>  # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>  PROXY_PORT=6100
>>  SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
>>  SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>  CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>  SSL_ONLY=True
>>
>>  - Original Message -
>>  From: "aleksey maksimov" 
>>  To: "users" 
>>  Sent: Monday, August 1, 2016 12:13:38 PM
>>  Subject: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 
>> browser client -> WebSocket error: Can't connect to websocket on URL: 
>> wss://ovirt.engine.fqdn:6100/
>>
>>  Hello oVirt guru`s !
>>
>>  I have successfully replaced the oVirt 4 site SSL-certificate according to 
>> the instructions from "Replacing oVirt SSL Certificate"
>>  section in "oVirt Administration Guide"
>>  http://www.ovirt.org/documentation/admin-guide/administration-guide/
>>
>>  3 files have been replaced:
>>
>>  /etc/pki/ovirt-engine/certs/apache.cer
>>  /etc/pki/ovirt-engine/keys/apache.key.nopass
>>  /etc/pki/ovirt-engine/apache-ca.pem
>>
>>  Now the oVirt site using my certificate and everything works fine, but when 
>> I try to use SPICE HTML5 browser client in Firefox or Chrome I see a gray 
>> screen and message under the button "Toggle messages output":
>>
>>  WebSocket error: Can't connect to websocket on URL: 
>> wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>>
>>  Before replacing certificates SPICE HTML5 browser client works.
>>  Native SPICE client works fine.
>>
>>  Tell me what to do with SPICE HTML5 browser client?
>>  ___
>>  Users mailing list
>>  Users@ovirt.org
>>  http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

2016-08-13 Thread aleksey . maksimov

It does not work for me. any ideas?

02.08.2016, 17:22, "Jiri Belka" :
> This works for me:
>
> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
> PROXY_PORT=6100
> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
> SSL_ONLY=True
>
> - Original Message -
> From: "aleksey maksimov" 
> To: "users" 
> Sent: Monday, August 1, 2016 12:13:38 PM
> Subject: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 
> browser client -> WebSocket error: Can't connect to websocket on URL: 
> wss://ovirt.engine.fqdn:6100/
>
> Hello oVirt guru`s !
>
> I have successfully replaced the oVirt 4 site SSL-certificate according to 
> the instructions from "Replacing oVirt SSL Certificate"
> section in "oVirt Administration Guide"
> http://www.ovirt.org/documentation/admin-guide/administration-guide/
>
> 3 files have been replaced:
>
> /etc/pki/ovirt-engine/certs/apache.cer
> /etc/pki/ovirt-engine/keys/apache.key.nopass
> /etc/pki/ovirt-engine/apache-ca.pem
>
> Now the oVirt site using my certificate and everything works fine, but when I 
> try to use SPICE HTML5 browser client in Firefox or Chrome I see a gray 
> screen and message under the button "Toggle messages output":
>
> WebSocket error: Can't connect to websocket on URL: 
> wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>
> Before replacing certificates SPICE HTML5 browser client works.
> Native SPICE client works fine.
>
> Tell me what to do with SPICE HTML5 browser client?
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

2016-08-02 Thread Jiri Belka
This works for me:

# cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf 
PROXY_PORT=6100
SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
SSL_ONLY=True

- Original Message -
From: "aleksey maksimov" 
To: "users" 
Sent: Monday, August 1, 2016 12:13:38 PM
Subject: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5  
browser client -> WebSocket error: Can't connect to websocket   on URL: 
wss://ovirt.engine.fqdn:6100/

Hello oVirt guru`s !

I have successfully replaced the oVirt 4 site SSL-certificate according to the 
instructions from "Replacing oVirt SSL Certificate" 
section in "oVirt Administration Guide"
http://www.ovirt.org/documentation/admin-guide/administration-guide/

3 files have been replaced:

/etc/pki/ovirt-engine/certs/apache.cer
/etc/pki/ovirt-engine/keys/apache.key.nopass
/etc/pki/ovirt-engine/apache-ca.pem

Now the oVirt site using my certificate and everything works fine, but when I 
try to use SPICE HTML5 browser client in Firefox or Chrome I see a gray screen 
and message under the button "Toggle messages output":
 
WebSocket error: Can't connect to websocket on URL: 
wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]


Before replacing certificates SPICE HTML5 browser client works.
Native SPICE client works fine.

Tell me what to do with SPICE HTML5 browser client?
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


[ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

2016-08-01 Thread aleksey . maksimov
Hello oVirt guru`s !

I have successfully replaced the oVirt 4 site SSL-certificate according to the 
instructions from "Replacing oVirt SSL Certificate" 
section in "oVirt Administration Guide"
http://www.ovirt.org/documentation/admin-guide/administration-guide/

3 files have been replaced:

/etc/pki/ovirt-engine/certs/apache.cer
/etc/pki/ovirt-engine/keys/apache.key.nopass
/etc/pki/ovirt-engine/apache-ca.pem

Now the oVirt site using my certificate and everything works fine, but when I 
try to use SPICE HTML5 browser client in Firefox or Chrome I see a gray screen 
and message under the button "Toggle messages output":
 
WebSocket error: Can't connect to websocket on URL: 
wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]


Before replacing certificates SPICE HTML5 browser client works.
Native SPICE client works fine.

Tell me what to do with SPICE HTML5 browser client?
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


[ovirt-users] oVirt 4 with custom SSL certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

2016-08-01 Thread Алексей Максимов
Hello oVirt guru`s !

I have successfully replaced the oVirt 4 site SSL-certificate according to the 
instructions from "Replacing oVirt SSL Certificate" 
section in "oVirt Administration Guide"
http://www.ovirt.org/documentation/admin-guide/administration-guide/

3 files have been replaced:

/etc/pki/ovirt-engine/certs/apache.cer
/etc/pki/ovirt-engine/keys/apache.key.nopass
/etc/pki/ovirt-engine/apache-ca.pem

Now the oVirt site using my certificate and everything works fine, but when I 
try to use SPICE HTML5 browser client in Firefox or Chrome 
I see a gray screen and message under the button "Toggle messages output":
 
WebSocket error: Can't connect to websocket on URL: 
wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]


Before replacing certificates SPICE HTML5 browser client works.
Native SPICE client works fine.

Tell me what to do with SPICE HTML5 browser client?
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users