It’s a clean 3.6 install, and I installed the proxy later on.

I did run the engine-setup command again (don’t know if it creates a new CA 
every time?)

And also used this command as given in the bug report:
engine-setup --otopi-environment="OVESETUP_CONFIG/websocketProxyConfig=bool:True"


From: Michal Skrivanek [mailto:mskri...@redhat.com]
Sent: Wednesday 23 December 2015 13:42
To: Kristof VAN DEN EYNDEN
CC: users@ovirt.org
Subject: Re: [ovirt-users] Spice SSL Certificate



On 23 Dec 2015, at 13:18, Kristof VAN DEN EYNDEN <kristof.vandeneyn...@politiewestkust.be> wrote:
I was trying to get Spice or VNC to work on Firefox. After activating the 
ovirt-websocket-proxy settings (using this guide 
https://access.redhat.com/solutions/718653)

I kept on getting error - Server disconnected (code: 1006). This pointed me to 
other posts stating it was a certificate issue. After doing some research I 
found this post: https://bugzilla.redhat.com/show_bug.cgi?id=1098574

So I started tracing the messages: grep -i 'websocket.*trace' /var/log/messages

Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,314 ovirt-websocket-proxy: INFO msg:824 Got SIGTERM, exiting
Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,314 ovirt-websocket-proxy: INFO msg:824 In exit
Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,514 ovirt-websocket-proxy: INFO msg:824 WebSocket server settings:
Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,515 ovirt-websocket-proxy: INFO msg:824   - Listen on *:6100
Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,515 ovirt-websocket-proxy: INFO msg:824   - Flash security policy server
Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,515 ovirt-websocket-proxy: INFO msg:824   - SSL/TLS support
Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,515 ovirt-websocket-proxy: INFO msg:824   - Deny non-SSL/TLS connections
Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,515 ovirt-websocket-proxy: INFO msg:824   - Recording to '/tmp/websocketproxy_trace.log.*'
Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,519 ovirt-websocket-proxy: INFO msg:824   - proxying from *:6100 to targets in /dummy
Dec 23 13:47:19 ovirt36 2015-12-23 13:47:19,543 ovirt-websocket-proxy: INFO msg:824 handler exception: [Errno 1] _ssl.c:1390: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Dec 23 13:48:12 ovirt36 2015-12-23 13:48:12,328 ovirt-websocket-proxy: INFO msg:824 handler exception: [Errno 1] _ssl.c:1390: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Dec 23 13:49:49 ovirt36 2015-12-23 13:49:49,420 ovirt-websocket-proxy: INFO msg:824 handler exception: [Errno 1] _ssl.c:1390: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Dec 23 13:55:36 ovirt36 2015-12-23 13:55:36,114 ovirt-websocket-proxy: INFO msg:824 handler exception: [Errno 1] _ssl.c:1390: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Dec 23 13:56:40 ovirt36 2015-12-23 13:56:40,201 ovirt-websocket-proxy: INFO msg:824 handler exception: [Errno 1] _ssl.c:1390: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

So I added the certificate by surfing to https://(ovirt)/ca.crt
which gives the following box in Firefox:

[attached image: image001.png]

So I assume it would be OK now? Nevertheless it still doesn’t work! 
/var/log/messages still shows the same error? On another post I found that 
someone surfed to https://(ovirt):6100 and accepted the certificate there. So 
I did the same thing which solved my problem immediately.

I don’t quite understand the issue, feels like the CA is not getting authorized 
or the 2 certificates do not belong to the same CA?

Indeed it looks like two different CAs. Can you please check whether they are 
the same or not? How did you install the websocket proxy, together at the same 
time as you installed engine or later? Was it an upgrade from 3.5?
Note you need the proxy only for web-based clients, remote-viewer (or custom 
VNC viewer) doesn't need any.

Thanks,
michal



I can continue like this, but I feel it should be easier to complete?


_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
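
Added example, not part of the original thread: a small decoder for the OpenSSL error codes in the proxy log quoted above. It assumes the 8-hex-digit packed format of OpenSSL 1.0.x (library, function, reason), where a reason above 1000 is a TLS alert received from the peer; here that means the browser rejected the certificate the proxy presented on port 6100. The sample log lines are constructed from the format shown in the thread.

```python
import re
from collections import Counter

# Constructed sample: entries in the format of the proxy log quoted above.
SAMPLE_LOG = """\
Dec 23 13:47:19 ovirt36 2015-12-23 13:47:19,543 ovirt-websocket-proxy: INFO msg:824 handler exception: [Errno 1] _ssl.c:1390: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Dec 23 13:55:36 ovirt36 2015-12-23 13:55:36,114 ovirt-websocket-proxy: INFO msg:824 handler exception: [Errno 1] _ssl.c:1390: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Dec 23 13:47:07 ovirt36 2015-12-23 13:47:07,515 ovirt-websocket-proxy: INFO msg:824   - Listen on *:6100
"""

ERR_LIB_SSL = 20      # library number of libssl in the packed code
ALERT_OFFSET = 1000   # OpenSSL adds this to the number of a received TLS alert
# TLS alert descriptions (RFC 5246) that concern certificate trust.
ALERTS = {
    42: "bad_certificate: peer rejected the certificate presented to it",
    48: "unknown_ca: peer has no trust anchor for the certificate's issuer",
}
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

def decode_openssl_error(hex_code):
    """Split an OpenSSL 1.0.x packed error code into (lib, func, reason)."""
    code = int(hex_code, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def received_alert(hex_code):
    """Return the TLS alert number if the code is a received alert, else None."""
    lib, _func, reason = decode_openssl_error(hex_code)
    if lib == ERR_LIB_SSL and reason > ALERT_OFFSET:
        return reason - ALERT_OFFSET
    return None

def summarize(log_text):
    """Count received TLS alerts, keyed by alert number, in proxy log text."""
    counts = Counter()
    for line in log_text.splitlines():
        match = ERR_RE.search(line)
        if match:
            alert = received_alert(match.group(1))
            if alert is not None:
                counts[alert] += 1
    return counts

if __name__ == "__main__":
    for alert, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, "x alert", alert, "-", ALERTS.get(alert, "other alert"))
```
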