Hi Thomas,

Thanks for your response! This goes a long way; however, there is still the unknown where ovirt-engine takes the SPICE certificate and CA from.

Can somebody confirm that replacing just the files referenced in the apache configuration will be sufficient?

Thanks!
iordan

On Wed, Nov 20, 2013 at 1:00 PM, Thomas Suckow <thomas.suc...@pnnl.gov> wrote:

> I don't know about the native SPICE client, but here is what I did for
> apache and the websocket proxy:
>
> In /etc/httpd/conf.d/ssl.conf it lists
> SSLCertificateFile
> SSLCertificateKeyFile
> SSLCertificateChainFile
> SSLCACertificateFile
>
> Those are the files you need to replace for the web interface. My certs
> were combined, so I actually only use SSLCertificateFile and
> SSLCertificateChainFile
>
> NOTE: If you modify ssl.conf, the path /etc/pki/ovirt-engine/apache-ca.pem
> is used by ovirt-iso-uploader. Uploads will fail unless you replace/symlink
> that file or specify a CA certificate on the command line. I actually
> linked to my chain file and it seems to be happy.
>
>
>
> Websocket Proxy:
>
> /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf defines the
> certificates.
>
> The websocket proxy needs a combined certificate file with your cert and
> the entire chain for SSL_CERTIFICATE
> SSL_KEY is just the unencrypted key, and it MUST be accessible by the
> ovirt user.
>
>
>
> As for spice, I am not sure, I am guessing it is
> /etc/pki/ovirt-engine/keys/engine_id_rsa and /etc/pki/ovirt-engine/keys/
> certs/engine.cer
> Not sure where they are referenced except by the websocket proxy.
>
> --
> Thomas
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>

--
The conscious mind has only one thread of execution.
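
The requirements stated above for the websocket proxy files (a combined SSL_CERTIFICATE with the certificate and its chain, and an unencrypted SSL_KEY) can be checked before restarting the proxy. This is an added example, not part of the original thread or of oVirt; the function names and every file path are assumptions, and it relies on the openssl command-line tool.

```bash
# Added example: sanity checks for the files behind SSL_CERTIFICATE and SSL_KEY.
# Every path is supplied by the caller; none is an oVirt default.

# Write the leaf certificate followed by its chain into one PEM file.
build_combined() {  # build_combined LEAF CHAIN OUT
    cat "$1" "$2" > "$3"
}

# Print how many certificates a PEM bundle holds.
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeed if the private key file is passphrase-protected.
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeed if the first certificate in BUNDLE holds the public key of KEY.
cert_matches_key() {  # cert_matches_key BUNDLE KEY
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Report each problem on stdout; the exit status is the number found.
check_proxy_pair() {  # check_proxy_pair BUNDLE KEY
    local problems=0
    if [ "$(pem_cert_count "$1")" -lt 2 ]; then
        echo "bundle: no chain certificates after the leaf"
        problems=$((problems + 1))
    fi
    if key_is_encrypted "$2"; then
        echo "key: encrypted, the proxy needs it unencrypted"
        problems=$((problems + 1))
    elif ! cert_matches_key "$1" "$2"; then
        echo "key: does not belong to the first certificate in the bundle"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run as: bash check.sh BUNDLE KEY  (the script name is hypothetical)
if [ "$#" -eq 2 ]; then check_proxy_pair "$1" "$2"; fi
```

Whether the ovirt user can read the key is a separate check, for example `sudo -u ovirt test -r KEY`.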