----- Original Message -----
> From: "Punit Dambiwal" <hypu...@gmail.com>
> To: "Alon Bar-Lev" <alo...@redhat.com>
> Cc: users@ovirt.org, aha...@redhat.com, "Sven Kieske" <s.kie...@mittwald.de>,
> "Dan Kenigsberg" <dan...@redhat.com>,
> "Michal Skrivanek" <michal.skriva...@redhat.com>, "Antoni Segura Puimedon"
> <asegu...@redhat.com>, "Frantisek Kobzik"
> <fkob...@redhat.com>, "Itamar Heim" <ih...@redhat.com>, "sabose"
> <sab...@redhat.com>, barum...@redhat.com, "Simone
> Tiraboschi" <stira...@redhat.com>
> Sent: Friday, August 15, 2014 4:56:36 AM
> Subject: Re: [ovirt-users] Ovirt SSL Question
>
> Hi Alon,
>
> Thanks...that means even we use the standalone websocket proxy or
> standalone websockify...do I need to do the same process :-
>
> http://www.ovirt.org/Features/noVNC_console#Setup_Websocket_Proxy_on_a_Separate_Machine
>
> On the engine, generate a certificate and key. Substitute <FQDN> with the
> DNS name of the host. Substitute <country>, <organization> to suit your
> environment (i.e. the values must match values in the certificate authority
> of your engine).
>
> /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh \
>     --name=websocket-proxy-standalone --password=mypass \
>     --subject="/C=<country>/O=<organization>/CN=<fqdn>"
>
> Copy /etc/pki/ovirt-engine/keys/websocket-proxy-standalone.p12 and
> /etc/pki/ovirt-engine/certs/engine.cer from the engine to the proxy machine
> at /etc/pki/ovirt-websocket-proxy
> At websocket-proxy machine
>
> Install ovirt-engine-websocket-proxy package.
>
> Extract keys:
>
> cd /etc/pki/ovirt-websocket-proxy
> openssl pkcs12 -in websocket-proxy-standalone.p12 -nokeys -out websocket-proxy-standalone.cer
> openssl pkcs12 -in websocket-proxy-standalone.p12 -nocerts -nodes -out websocket-proxy-standalone.key
> chown ovirt:ovirt *
> chmod 0600 *
>
> And then Create /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf
> and override the SSL_CERTIFICATE and SSL_KEY with 3rd party certificate
> chain and matching key. ??

you wanted to use a certificate from 3rd party certificate authority, you do not need to enroll a certificate from the internal certificate authority.

>
> On Fri, Aug 15, 2014 at 9:51 AM, Alon Bar-Lev <alo...@redhat.com> wrote:
>
> > ----- Original Message -----
> > > From: "Punit Dambiwal" <hypu...@gmail.com>
> > > To: "Alon Bar-Lev" <alo...@redhat.com>
> > > Cc: users@ovirt.org, aha...@redhat.com, "Sven Kieske" <s.kie...@mittwald.de>,
> > > "Dan Kenigsberg" <dan...@redhat.com>,
> > > "Michal Skrivanek" <michal.skriva...@redhat.com>, "Antoni Segura Puimedon"
> > > <asegu...@redhat.com>, "Frantisek Kobzik"
> > > <fkob...@redhat.com>, "Itamar Heim" <ih...@redhat.com>, "sabose"
> > > <sab...@redhat.com>, barum...@redhat.com, "Simone
> > > Tiraboschi" <stira...@redhat.com>
> > > Sent: Friday, August 15, 2014 4:48:13 AM
> > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > >
> > > Hi Alon,
> > >
> > > Thanks...but still the same question....for which FQDN I need to purchase
> > > the SSL (Ovirt engine FQDN or standalone websocket proxy FQDN) ??
> >
> > this is standard https, the browser expects the name of the remote host,
> > which is the websocket proxy host.
> > >
> > > On Fri, Aug 15, 2014 at 9:46 AM, Alon Bar-Lev <alo...@redhat.com> wrote:
> > >
> > > > ----- Original Message -----
> > > > > From: "Punit Dambiwal" <hypu...@gmail.com>
> > > > > To: "Alon Bar-Lev" <alo...@redhat.com>
> > > > > Cc: users@ovirt.org, aha...@redhat.com, "Sven Kieske" <s.kie...@mittwald.de>,
> > > > > "Dan Kenigsberg" <dan...@redhat.com>,
> > > > > "Michal Skrivanek" <michal.skriva...@redhat.com>, "Antoni Segura Puimedon"
> > > > > <asegu...@redhat.com>, "Frantisek Kobzik"
> > > > > <fkob...@redhat.com>, "Itamar Heim" <ih...@redhat.com>, "sabose"
> > > > > <sab...@redhat.com>, barum...@redhat.com, "Simone
> > > > > Tiraboschi" <stira...@redhat.com>
> > > > > Sent: Friday, August 15, 2014 4:43:31 AM
> > > > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > > > >
> > > > > Hi Alon,
> > > > >
> > > > > Thanks for your reply...but I didn't find 20-pki.conf file in my
> > > > > ovirt-engine server....
> > > > >
> > > > > I am using websocket proxy as standalone....and fetch the vm console with
> > > > > the help of API...and then it will display to the browser with our portal
> > > > > url...
> > > >
> > > > this is conf.d structure, files are sorted by name, last wins.
> > > > so instead of overriding files you can add your own.
> > > > >
> > > > > Thanks,
> > > > > Punit
> > > > >
> > > > > On Thu, Aug 14, 2014 at 11:13 PM, Alon Bar-Lev <alo...@redhat.com> wrote:
> > > > >
> > > > > > ----- Original Message -----
> > > > > > > From: "Punit Dambiwal" <hypu...@gmail.com>
> > > > > > > To: users@ovirt.org, aha...@redhat.com, "Sven Kieske" <s.kie...@mittwald.de>,
> > > > > > > "Dan Kenigsberg" <dan...@redhat.com>,
> > > > > > > "Michal Skrivanek" <michal.skriva...@redhat.com>, "Antoni Segura Puimedon"
> > > > > > > <asegu...@redhat.com>, "Frantisek Kobzik"
> > > > > > > <fkob...@redhat.com>, "Itamar Heim" <ih...@redhat.com>, "sabose"
> > > > > > > <sab...@redhat.com>, barum...@redhat.com, "Simone
> > > > > > > Tiraboschi" <stira...@redhat.com>
> > > > > > > Sent: Thursday, August 14, 2014 12:37:01 PM
> > > > > > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > > > > > >
> > > > > > > Hi All,
> > > > > > >
> > > > > > > Is there any one can help me to solve this issue..
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Punit
> > > > > > >
> > > > > > > On Wed, Aug 13, 2014 at 9:53 AM, Punit Dambiwal <hypu...@gmail.com> wrote:
> > > > > > >
> > > > > > > Hi All,
> > > > > > >
> > > > > > > I have one question regarding the SSL settings in Ovirt....let me explain my
> > > > > > > environment first :-
> > > > > > >
> > > > > > > 1. Ovirt engine :- mgmt.3linux.com
> > > > > > > 2. Standalone websocket proxy :- web-proxy.3linux.com
> > > > > > > 3. Our Own Portal :- portal.3linux.com
> > > > > > >
> > > > > > > We have the above architecture...we fetch the VM console from the websocket
> > > > > > > proxy to our own portal through API....because still we are using self-signed
> > > > > > > certificate...we need to trust the certificate every time, whenever we open
> > > > > > > the VM console... (https://<web-proxy.3linux.com>:<port>)
> > > > > > >
> > > > > > > When we initiate the VM console through our own web portal the url (
> > > > > > > https://portal.3linux.com/content/ovirt/noVNC/vm-console.php?id=6e0caf73-ae7d-493e-a51d-ecc32f507f00
> > > > > > > ), if we accept the SSL certificate with https://<web-proxy.3linux.com>:<port>
> > > > > > > ....then it will open as expected but if we didn't accept the
> > > > > > > certificate manually...then it throws failed to connect:1006 error...
> > > > > > >
> > > > > > > We don't want that every time end user will accept the certificate
> > > > > > > manually...as our link to open VM console is different than webproxy....
> > > > > > >
> > > > > > > Now we want to replace the self signed certificate with valid SSL....can any
> > > > > > > one tell me where we need to put the certificates and how to generate the
> > > > > > > CSR for them and how many SSL we need to purchase to make this thing
> > > > > > > workable without accepting the certificate every time....
> > > > > >
> > > > > > Create /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf and
> > > > > > override the SSL_CERTIFICATE and SSL_KEY with 3rd party certificate chain
> > > > > > and matching key.
> > > > > >
> > > > > > You can create the request in any tool you like, what we need is the
> > > > > > certificate and key.
> > > > > >
> > > > > > Regards,
> > > > > > Alon

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
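
The thread's two configuration points (conf.d files are sorted by name and the last one wins; SSL_CERTIFICATE and SSL_KEY are the settings to override) can be checked before the proxy is restarted. The script below is an added example, not part of the original thread and not oVirt code; it assumes plain KEY=value lines in each *.conf file, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not oVirt code). Assumption: every *.conf in the conf.d
# directory holds plain KEY=value lines, optionally double-quoted.

# effective_value DIR KEY: print the value set by the last file, in name
# order, that assigns KEY ("files are sorted by name, last wins").
effective_value() {
    conf_dir=$1 name=$2 val= found=1
    for f in "$conf_dir"/*.conf; do      # glob expands in sorted order
        [ -f "$f" ] || continue
        line=$(grep -E "^[[:space:]]*${name}=" "$f" | tail -n 1)
        [ -n "$line" ] || continue
        val=${line#*=}
        val=${val#\"}; val=${val%\"}     # drop surrounding double quotes
        found=0
    done
    [ "$found" -eq 0 ] && printf '%s\n' "$val"
}

# key_mode_ok FILE: succeed only when group and others have no permission
# bits on FILE, i.e. what "chmod 0600" in the quoted procedure produces.
key_mode_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# check_proxy_pki DIR: report the certificate and key the proxy would load
# and refuse a key that is missing or readable beyond its owner.
check_proxy_pki() {
    cert=$(effective_value "$1" SSL_CERTIFICATE) ||
        { echo "SSL_CERTIFICATE is not set in $1"; return 1; }
    key=$(effective_value "$1" SSL_KEY) ||
        { echo "SSL_KEY is not set in $1"; return 1; }
    [ -r "$cert" ] || { echo "certificate not readable: $cert"; return 1; }
    key_mode_ok "$key" ||
        { echo "key missing or open to group/other: $key"; return 1; }
    echo "effective SSL_CERTIFICATE=$cert SSL_KEY=$key"
}

# Stand-alone use: sh check.sh /etc/ovirt-engine/ovirt-websocket-proxy.conf.d
if [ "$#" -gt 0 ]; then check_proxy_pki "$1"; fi
```

If a file that sorts after 20-pki.conf sets the same keys, the script reports those values instead, which is the case to look for when the browser still shows the old certificate.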