Thank you, Jiri ! I did everything step by step and SPICE HTML5 browser client now works.
16.08.2016, 10:46, "Jiri Belka" <jbe...@redhat.com>: > So, > > I used this for my own ca test: > > OWN CA AND OWN ENGINE KEY/CRT > ============================= > > 0> CA > > # awk '/my-/ || $1 ~ /^[^#]*_default/' /etc/pki/tls/openssl.cnf > certificate = $dir/my-ca.crt # The CA certificate > crl = $dir/my-ca.crl # The current CRL > private_key = $dir/private/my-ca.key # The private key > countryName_default = CZ > stateOrProvinceName_default = Jihomoravsky kraj > localityName_default = Brno > 0.organizationName_default = Shoot them in the head, s. r. o. > > touch /etc/pki/CA/index.txt > echo 01 > /etc/pki/CA/serial > cd /etc/pki/CA > (umask 077 ; openssl genrsa -out private/my-ca.key -des3 2048 ) > openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt > > 0> engine cert > > openssl genrsa -out my-engine.key 4096 > openssl req -new -out my-engine.csr -key my-engine.key > openssl ca -in my-engine.csr -out my-engine.crt > # use 'mypass' for p12 bundle export !!! > openssl pkcs12 -export -out my-engine.p12 -inkey my-engine.key -in > my-engine.crt -chain -CAfile /etc/pki/CA/my-ca.crt > > 0> existing engine keys/certs/p12 replacement > > (follow > $engine_url/ovirt-engine/docs/manual/en_US/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html) > > rm -f /etc/pki/ovirt-engine/apache-ca.pem > cp my-engine.crt /etc/pki/ovirt-engine/apache-ca.pem > cp my-engine.p12 /etc/pki/ovirt-engine/keys/apache.p12 > openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > > /etc/pki/ovirt-engine/keys/apache.key.nopass > openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > > /etc/pki/ovirt-engine/certs/apache.cer > install -o ovirt -g ovirt -m 600 /dev/null > /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf > # 'changeit' is default java truststore pass on EL > cat > /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf << EOF > ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts" > ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="changeit" > EOF > > 0> add custom CA into system truststore after backup > > cp /etc/pki/CA/my-ca.crt /etc/pki/ca-trust/source/anchors/CA.crt > update-ca-trust > > 0> check if system truststore knows about custom CA > > openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 > -noout > # 'changeit' is default java truststore pass on EL > keytool -list -keystore /etc/pki/java/cacerts -storepass changeit | grep "$( > openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 > -noout | sed -e '/SHA1/s/.*=//;' )" > grep -IR "$(sed -n '2p' /etc/pki/ca-trust/source/anchors/CA.crt)" > /etc/pki/ca-trust/extracted/ > > 0> engine-setup pki configuration check > > engine-setup # see if 'PKI CONFIGURATION' section passed without errors > > (doctext here https://bugzilla.redhat.com/show_bug.cgi?id=1336838) > > And this for websocket proxy: > > # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf > PROXY_PORT=6100 > SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem > SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass > CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer > SSL_ONLY=True > > You can start manually websocket proxy: > > /usr/share/ovirt-engine/services/ovirt-websocket-proxy/ovirt-websocket-proxy.py > --help > Usage: ovirt-websocket-proxy.py [options] start > > Options: > -h, --help show this help message and exit > -d, --debug debug mode > --pidfile=FILE pid file to use > --background Go into the background > --systemd=SYSTEMD Systemd type simple|notify > --redirect-output Redirect output of daemon > > It is also handy to do: > > openssl s_client -connect $websocketproxy_host:6100 > > j. > > ----- Original Message ----- > From: "aleksey maksimov" <aleksey.maksi...@it-kb.ru> > To: "Jiri Belka" <jbe...@redhat.com> > Cc: "users" <users@ovirt.org> > Sent: Tuesday, August 16, 2016 9:33:54 AM > Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE > HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: > wss://ovirt.engine.fqdn:6100/ > > Jiri, I did not hide information. Tell me what the log file should show and I > will show > > 16.08.2016, 10:29, "Jiri Belka" <jbe...@redhat.com>: >> It does have logs, filenames "hide" real data. >> >> You should reveal logs and what each file is and >> which exact commands you were executing. >> >> Vague statements won't help much. It does work for me, >> there much be something strange in your setup but we >> cannot know what without details. >> >> j. >> >> ----- Original Message ----- >> From: "aleksey maksimov" <aleksey.maksi...@it-kb.ru> >> To: "Jiri Belka" <jbe...@redhat.com> >> Cc: "users" <users@ovirt.org> >> Sent: Monday, August 15, 2016 6:18:48 PM >> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE >> HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: >> wss://ovirt.engine.fqdn:6100/ >> >> I tried a version of Nicolás. >> No success :(( >> >> 1) I create full bundle cert file: >> >> # cat /etc/pki/ovirt-engine/certs/apache.cer >> /etc/pki/ovirt-engine/apache-ca.pem > >> /etc/pki/ovirt-engine/certs/apache-with-ca.cer >> # openssl verify /etc/pki/ovirt-engine/certs/apache-with-ca.cer >> >> /etc/pki/ovirt-engine/certs/apache-with-ca.cer: OK >> >> 2) I changed config file: >> >> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf >> >> PROXY_PORT=6100 >> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache-with-ca.cer >> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass >> SSL_ONLY=True >> FORCE_DATA_VERIFICATION=False >> >> 3) I restarted the service >> >> # service ovirt-websocket-proxy restart >> >> Problem still exists :( >> Any ideas how to trablshut problem? >> >> 14.08.2016, 08:59, "aleksey.maksi...@it-kb.ru" <aleksey.maksi...@it-kb.ru>: >>> Hi Jiri. >>> But your variant does not work, too >>> >>> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf >>> PROXY_PORT=6100 >>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem >>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass >>> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer >>> SSL_ONLY=True >>> >>> Some error: >>> WebSocket error: Can't connect to websocket on URL: >>> wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event] >>> >>> any ideas how to trablshut problem? >>> >>> 14.08.2016, 01:53, "Jiri Belka" <jbe...@redhat.com>: >>>> I have different files for those variables, maybe this is the case? >>>> >>>> Review again. >>>> >>>> j. >>>> >>>> ----- Original Message ----- >>>> From: "aleksey maksimov" <aleksey.maksi...@it-kb.ru> >>>> To: "Jiri Belka" <jbe...@redhat.com> >>>> Cc: "users" <users@ovirt.org> >>>> Sent: Saturday, August 13, 2016 4:57:45 PM >>>> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and >>>> SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket >>>> on URL: wss://ovirt.engine.fqdn:6100/ >>>> >>>> I changed my file >>>> /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf to: >>>> >>>> PROXY_PORT=6100 >>>> #SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer >>>> #SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass >>>> #CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer >>>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer >>>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass >>>> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/apache-ca.pem >>>> SSL_ONLY=True >>>> >>>> ...and restart HostedEngine VM. >>>> Problem still exists. >>>> >>>> 13.08.2016, 17:52, "aleksey.maksi...@it-kb.ru" >>>> <aleksey.maksi...@it-kb.ru>: >>>>> It does not work for me. any ideas? >>>>> >>>>> 02.08.2016, 17:22, "Jiri Belka" <jbe...@redhat.com>: >>>>>> This works for me: >>>>>> >>>>>> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf >>>>>> PROXY_PORT=6100 >>>>>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem >>>>>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass >>>>>> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer >>>>>> SSL_ONLY=True >>>>>> >>>>>> ----- Original Message ----- >>>>>> From: "aleksey maksimov" <aleksey.maksi...@it-kb.ru> >>>>>> To: "users" <users@ovirt.org> >>>>>> Sent: Monday, August 1, 2016 12:13:38 PM >>>>>> Subject: [ovirt-users] oVirt 4 with custom SSL-certificate and >>>>>> SPICE HTML5 browser client -> WebSocket error: Can't connect to >>>>>> websocket on URL: wss://ovirt.engine.fqdn:6100/ >>>>>> >>>>>> Hello oVirt guru`s ! >>>>>> >>>>>> I have successfully replaced the oVirt 4 site SSL-certificate >>>>>> according to the instructions from "Replacing oVirt SSL Certificate" >>>>>> section in "oVirt Administration Guide" >>>>>> http://www.ovirt.org/documentation/admin-guide/administration-guide/ >>>>>> >>>>>> 3 files have been replaced: >>>>>> >>>>>> /etc/pki/ovirt-engine/certs/apache.cer >>>>>> /etc/pki/ovirt-engine/keys/apache.key.nopass >>>>>> /etc/pki/ovirt-engine/apache-ca.pem >>>>>> >>>>>> Now the oVirt site using my certificate and everything works fine, >>>>>> but when I try to use SPICE HTML5 browser client in Firefox or Chrome I >>>>>> see a gray screen and message under the button "Toggle messages output": >>>>>> >>>>>> WebSocket error: Can't connect to websocket on URL: >>>>>> wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event] >>>>>> >>>>>> Before replacing certificates SPICE HTML5 browser client works. >>>>>> Native SPICE client works fine. >>>>>> >>>>>> Tell me what to do with SPICE HTML5 browser client? >>>>>> _______________________________________________ >>>>>> Users mailing list >>>>>> Users@ovirt.org >>>>>> http://lists.ovirt.org/mailman/listinfo/users _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
