So, I used this for my own ca test:
OWN CA AND OWN ENGINE KEY/CRT
=============================

0> CA

# awk '/my-/ || $1 ~ /^[^#]*_default/' /etc/pki/tls/openssl.cnf
certificate     = $dir/my-ca.crt            # The CA certificate
crl             = $dir/my-ca.crl            # The current CRL
private_key     = $dir/private/my-ca.key    # The private key
countryName_default             = CZ
stateOrProvinceName_default     = Jihomoravsky kraj
localityName_default            = Brno
0.organizationName_default      = Shoot them in the head, s. r. o.

touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
cd /etc/pki/CA
(umask 077 ; openssl genrsa -out private/my-ca.key -des3 2048 )
openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt

0> engine cert

openssl genrsa -out my-engine.key 4096
openssl req -new -out my-engine.csr -key my-engine.key
openssl ca -in my-engine.csr -out my-engine.crt
# use 'mypass' for p12 bundle export !!!
openssl pkcs12 -export -out my-engine.p12 -inkey my-engine.key -in my-engine.crt -chain -CAfile /etc/pki/CA/my-ca.crt

0> existing engine keys/certs/p12 replacement
(follow $engine_url/ovirt-engine/docs/manual/en_US/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html)

rm -f /etc/pki/ovirt-engine/apache-ca.pem
cp my-engine.crt /etc/pki/ovirt-engine/apache-ca.pem
cp my-engine.p12 /etc/pki/ovirt-engine/keys/apache.p12
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /etc/pki/ovirt-engine/certs/apache.cer
install -o ovirt -g ovirt -m 600 /dev/null /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
# 'changeit' is default java truststore pass on EL
cat > /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf << EOF
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="changeit"
EOF

0> add custom CA into system truststore after backup

cp /etc/pki/CA/my-ca.crt /etc/pki/ca-trust/source/anchors/CA.crt
update-ca-trust

0> check if system truststore knows about custom CA

openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 -noout
# 'changeit' is default java truststore pass on EL
keytool -list -keystore /etc/pki/java/cacerts -storepass changeit | grep "$( openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 -noout | sed -e '/SHA1/s/.*=//;' )"
grep -IR "$(sed -n '2p' /etc/pki/ca-trust/source/anchors/CA.crt)" /etc/pki/ca-trust/extracted/

0> engine-setup pki configuration check

engine-setup
# see if 'PKI CONFIGURATION' section passed without errors
# (doctext here https://bugzilla.redhat.com/show_bug.cgi?id=1336838)

And this for websocket proxy:

# cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
PROXY_PORT=6100
SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
SSL_ONLY=True

You can start the websocket proxy manually:

/usr/share/ovirt-engine/services/ovirt-websocket-proxy/ovirt-websocket-proxy.py --help
Usage: ovirt-websocket-proxy.py [options] start

Options:
  -h, --help         show this help message and exit
  -d, --debug        debug mode
  --pidfile=FILE     pid file to use
  --background       Go into the background
  --systemd=SYSTEMD  Systemd type simple|notify
  --redirect-output  Redirect output of daemon

It is also handy to do:

openssl s_client -connect $websocketproxy_host:6100

j.

----- Original Message -----
From: "aleksey maksimov" <aleksey.maksi...@it-kb.ru>
To: "Jiri Belka" <jbe...@redhat.com>
Cc: "users" <users@ovirt.org>
Sent: Tuesday, August 16, 2016 9:33:54 AM
Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

Jiri, I did not hide information. Tell me what the log file should show and I will show it.

16.08.2016, 10:29, "Jiri Belka" <jbe...@redhat.com>:
> It does have logs, filenames "hide" real data.
>
> You should reveal logs and what each file is and
> which exact commands you were executing.
>
> Vague statements won't help much. It does work for me,
> there must be something strange in your setup but we
> cannot know what without details.
>
> j.
>
> ----- Original Message -----
> From: "aleksey maksimov" <aleksey.maksi...@it-kb.ru>
> To: "Jiri Belka" <jbe...@redhat.com>
> Cc: "users" <users@ovirt.org>
> Sent: Monday, August 15, 2016 6:18:48 PM
> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE
> HTML5 browser client -> WebSocket error: Can't connect to websocket on URL:
> wss://ovirt.engine.fqdn:6100/
>
> I tried a version of Nicolás.
> No success :((
>
> 1) I create full bundle cert file:
>
> # cat /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/apache-ca.pem > /etc/pki/ovirt-engine/certs/apache-with-ca.cer
> # openssl verify /etc/pki/ovirt-engine/certs/apache-with-ca.cer
> /etc/pki/ovirt-engine/certs/apache-with-ca.cer: OK
>
> 2) I changed config file:
>
> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>
> PROXY_PORT=6100
> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache-with-ca.cer
> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
> SSL_ONLY=True
> FORCE_DATA_VERIFICATION=False
>
> 3) I restarted the service
>
> # service ovirt-websocket-proxy restart
>
> Problem still exists :(
> Any ideas how to troubleshoot the problem?
>
> 14.08.2016, 08:59, "aleksey.maksi...@it-kb.ru" <aleksey.maksi...@it-kb.ru>:
>> Hi Jiri.
>> But your variant does not work, too
>>
>> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>> PROXY_PORT=6100
>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>> SSL_ONLY=True
>>
>> Some error:
>> WebSocket error: Can't connect to websocket on URL:
>> wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>>
>> Any ideas how to troubleshoot the problem?
>>
>> 14.08.2016, 01:53, "Jiri Belka" <jbe...@redhat.com>:
>>> I have different files for those variables, maybe this is the case?
>>>
>>> Review again.
>>>
>>> j.
>>>
>>> ----- Original Message -----
>>> From: "aleksey maksimov" <aleksey.maksi...@it-kb.ru>
>>> To: "Jiri Belka" <jbe...@redhat.com>
>>> Cc: "users" <users@ovirt.org>
>>> Sent: Saturday, August 13, 2016 4:57:45 PM
>>> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE
>>> HTML5 browser client -> WebSocket error: Can't connect to websocket on URL:
>>> wss://ovirt.engine.fqdn:6100/
>>>
>>> I changed my file
>>> /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf to:
>>>
>>> PROXY_PORT=6100
>>> #SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
>>> #SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
>>> #CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
>>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/apache-ca.pem
>>> SSL_ONLY=True
>>>
>>> ...and restarted the HostedEngine VM.
>>> Problem still exists.
>>>
>>> 13.08.2016, 17:52, "aleksey.maksi...@it-kb.ru"
>>> <aleksey.maksi...@it-kb.ru>:
>>>> It does not work for me. Any ideas?
>>>>
>>>> 02.08.2016, 17:22, "Jiri Belka" <jbe...@redhat.com>:
>>>>> This works for me:
>>>>>
>>>>> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>>>> PROXY_PORT=6100
>>>>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
>>>>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>>>> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>>>> SSL_ONLY=True
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "aleksey maksimov" <aleksey.maksi...@it-kb.ru>
>>>>> To: "users" <users@ovirt.org>
>>>>> Sent: Monday, August 1, 2016 12:13:38 PM
>>>>> Subject: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE
>>>>> HTML5 browser client -> WebSocket error: Can't connect to websocket on
>>>>> URL: wss://ovirt.engine.fqdn:6100/
>>>>>
>>>>> Hello oVirt gurus!
>>>>>
>>>>> I have successfully replaced the oVirt 4 site SSL-certificate
>>>>> according to the instructions from the "Replacing oVirt SSL Certificate"
>>>>> section in the "oVirt Administration Guide"
>>>>> http://www.ovirt.org/documentation/admin-guide/administration-guide/
>>>>>
>>>>> 3 files have been replaced:
>>>>>
>>>>> /etc/pki/ovirt-engine/certs/apache.cer
>>>>> /etc/pki/ovirt-engine/keys/apache.key.nopass
>>>>> /etc/pki/ovirt-engine/apache-ca.pem
>>>>>
>>>>> Now the oVirt site is using my certificate and everything works fine,
>>>>> but when I try to use the SPICE HTML5 browser client in Firefox or Chrome I
>>>>> see a gray screen and a message under the button "Toggle messages output":
>>>>>
>>>>> WebSocket error: Can't connect to websocket on URL:
>>>>> wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>>>>>
>>>>> Before replacing the certificates the SPICE HTML5 browser client worked.
>>>>> The native SPICE client works fine.
>>>>>
>>>>> Tell me what to do with the SPICE HTML5 browser client?
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users@ovirt.org
>>>>> http://lists.ovirt.org/mailman/listinfo/users
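Two of the checks in this thread can be scripted: comparing a 10-setup.conf against the one Jiri reported as working (his hint that each variable should point at a different file), and confirming that the CA's SHA-1 fingerprint, as `openssl x509 -fingerprint -sha1` prints it, shows up in a `keytool -list` dump of the Java truststore. The script below is an added example written for this page, not oVirt code; the reference config is copied from the "This works for me" message, the "each variable should name a distinct file" and "SSL_ONLY=True requires SSL_CERTIFICATE and SSL_KEY" rules are this example's assumptions about the proxy, and the PEM blob is constructed filler, not a real certificate.

```python
"""Sanity checks for an ovirt-websocket-proxy TLS setup (added example)."""
import base64
import hashlib
import re


def parse_conf(text):
    """Parse KEY=VALUE lines of a 10-setup.conf style file.

    '#' starts a comment (so '#SSL_CERTIFICATE=...' is ignored), blank lines are
    skipped, and surrounding quotes are stripped (assumption: shell-like values).
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip("\"'")
    return conf


# The config reported as working in the thread (Jiri Belka, 02.08.2016).
WORKING_CONF = """\
PROXY_PORT=6100
SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
SSL_ONLY=True
"""
REFERENCE_CONF = parse_conf(WORKING_CONF)

# The 13.08.2016 config from the thread, kept here as sample input.
AUG13_CONF = """\
PROXY_PORT=6100
#SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
#SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
#CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/apache-ca.pem
SSL_ONLY=True
"""


def check_conf(conf, reference=REFERENCE_CONF):
    """Return a list of findings; an empty list means it matches the reference."""
    findings = []
    # Assumption: with SSL_ONLY=True the proxy needs both a cert and a key.
    if conf.get("SSL_ONLY", "").lower() == "true":
        for key in ("SSL_CERTIFICATE", "SSL_KEY"):
            if key not in conf:
                findings.append(f"SSL_ONLY=True but {key} is not set")
    # The thread's hint: the three PKI variables should name different files.
    seen = {}
    for key, value in conf.items():
        if value.startswith("/"):
            if value in seen:
                findings.append(f"{key} and {seen[value]} point at the same file {value}")
            seen[value] = key
    # Diff against the reference config.
    for key, ref_value in reference.items():
        if key not in conf:
            findings.append(f"{key} missing (reference: {ref_value})")
        elif conf[key] != ref_value:
            findings.append(f"{key}={conf[key]} differs from reference {ref_value}")
    return findings


PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def sha1_fingerprint(pem_text):
    """SHA-1 of the DER bytes, formatted 'AB:CD:...' like `openssl x509 -fingerprint`."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(match.group(1).split()))
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def truststore_has(keytool_output, fingerprint):
    """True if a `keytool -list` dump contains the fingerprint (case-insensitive)."""
    return fingerprint.lower() in keytool_output.lower()


# Constructed placeholder: base64 of arbitrary bytes, NOT a real X.509 certificate.
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed placeholder for the fingerprint example").decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for finding in check_conf(parse_conf(AUG13_CONF)):
        print("finding:", finding)
    print("fingerprint:", sha1_fingerprint(CONSTRUCTED_PEM))
```

Against the 13.08.2016 file the checker reports the two variables that differ from the working config; on a real host, feed `sha1_fingerprint` the contents of `/etc/pki/ca-trust/source/anchors/CA.crt` and `truststore_has` the output of `keytool -list -keystore /etc/pki/java/cacerts -storepass changeit`.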