Oh yeah :) I mistakenly used a root certificate from a local CA for /etc/pki/ovirt-engine/apache-ca.pem. Now I understand, and it works. Thanks again.
16.08.2016, 16:15, "Jiri Belka" <jbe...@redhat.com>:
> IMO you "owe" explanation what was wrong, so other users
> could learn from your mistakes and this mailing-list archive
> would thus be beneficial for them when searching for help ;)
>
> Anyway, that's great news!
>
> j.
>
> ----- Original Message -----
> From: "aleksey maksimov" <aleksey.maksi...@it-kb.ru>
> To: "Jiri Belka" <jbe...@redhat.com>
> Cc: "users" <users@ovirt.org>
> Sent: Tuesday, August 16, 2016 2:59:21 PM
> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/
>
> Thank you, Jiri !
> I did everything step by step and SPICE HTML5 browser client now works.
>
> 16.08.2016, 10:46, "Jiri Belka" <jbe...@redhat.com>:
>> So,
>>
>> I used this for my own ca test:
>>
>> OWN CA AND OWN ENGINE KEY/CRT
>> =============================
>>
>> 0> CA
>>
>> # awk '/my-/ || $1 ~ /^[^#]*_default/' /etc/pki/tls/openssl.cnf
>> certificate = $dir/my-ca.crt # The CA certificate
>> crl = $dir/my-ca.crl # The current CRL
>> private_key = $dir/private/my-ca.key # The private key
>> countryName_default = CZ
>> stateOrProvinceName_default = Jihomoravsky kraj
>> localityName_default = Brno
>> 0.organizationName_default = Shoot them in the head, s. r. o.
>>
>> touch /etc/pki/CA/index.txt
>> echo 01 > /etc/pki/CA/serial
>> cd /etc/pki/CA
>> (umask 077 ; openssl genrsa -out private/my-ca.key -des3 2048 )
>> openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt
>>
>> 0> engine cert
>>
>> openssl genrsa -out my-engine.key 4096
>> openssl req -new -out my-engine.csr -key my-engine.key
>> openssl ca -in my-engine.csr -out my-engine.crt
>> # use 'mypass' for p12 bundle export !!!
>> openssl pkcs12 -export -out my-engine.p12 -inkey my-engine.key -in my-engine.crt -chain -CAfile /etc/pki/CA/my-ca.crt
>>
>> 0> existing engine keys/certs/p12 replacement
>>
>> (follow $engine_url/ovirt-engine/docs/manual/en_US/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html)
>>
>> rm -f /etc/pki/ovirt-engine/apache-ca.pem
>> cp my-engine.crt /etc/pki/ovirt-engine/apache-ca.pem
>> cp my-engine.p12 /etc/pki/ovirt-engine/keys/apache.p12
>> openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
>> openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /etc/pki/ovirt-engine/certs/apache.cer
>> install -o ovirt -g ovirt -m 600 /dev/null /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
>> # 'changeit' is default java truststore pass on EL
>> cat > /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf << EOF
>> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
>> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="changeit"
>> EOF
>>
>> 0> add custom CA into system truststore after backup
>>
>> cp /etc/pki/CA/my-ca.crt /etc/pki/ca-trust/source/anchors/CA.crt
>> update-ca-trust
>>
>> 0> check if system truststore knows about custom CA
>>
>> openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 -noout
>> # 'changeit' is default java truststore pass on EL
>> keytool -list -keystore /etc/pki/java/cacerts -storepass changeit | grep "$( openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 -noout | sed -e '/SHA1/s/.*=//;' )"
>> grep -IR "$(sed -n '2p' /etc/pki/ca-trust/source/anchors/CA.crt)" /etc/pki/ca-trust/extracted/
>>
>> 0> engine-setup pki configuration check
>>
>> engine-setup # see if 'PKI CONFIGURATION' section passed without errors
>>
>> (doctext here https://bugzilla.redhat.com/show_bug.cgi?id=1336838)
>>
>> And this for websocket proxy:
>>
>> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>> PROXY_PORT=6100
>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>> SSL_ONLY=True
>>
>> You can start the websocket proxy manually:
>>
>> /usr/share/ovirt-engine/services/ovirt-websocket-proxy/ovirt-websocket-proxy.py --help
>> Usage: ovirt-websocket-proxy.py [options] start
>>
>> Options:
>> -h, --help show this help message and exit
>> -d, --debug debug mode
>> --pidfile=FILE pid file to use
>> --background Go into the background
>> --systemd=SYSTEMD Systemd type simple|notify
>> --redirect-output Redirect output of daemon
>>
>> It is also handy to do:
>>
>> openssl s_client -connect $websocketproxy_host:6100
>>
>> j.
>>
>> ----- Original Message -----
>> From: "aleksey maksimov" <aleksey.maksi...@it-kb.ru>
>> To: "Jiri Belka" <jbe...@redhat.com>
>> Cc: "users" <users@ovirt.org>
>> Sent: Tuesday, August 16, 2016 9:33:54 AM
>> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/
>>
>> Jiri, I did not hide information. Tell me what the log file should show and I will show
>>
>> 16.08.2016, 10:29, "Jiri Belka" <jbe...@redhat.com>:
>>> It does have logs, filenames "hide" real data.
>>>
>>> You should reveal logs and what each file is and
>>> which exact commands you were executing.
>>>
>>> Vague statements won't help much. It does work for me,
>>> there must be something strange in your setup but we
>>> cannot know what without details.
>>>
>>> j.
>>>
>>> ----- Original Message -----
>>> From: "aleksey maksimov" <aleksey.maksi...@it-kb.ru>
>>> To: "Jiri Belka" <jbe...@redhat.com>
>>> Cc: "users" <users@ovirt.org>
>>> Sent: Monday, August 15, 2016 6:18:48 PM
>>> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/
>>>
>>> I tried a version of Nicolás.
>>> No success :((
>>>
>>> 1) I create full bundle cert file:
>>>
>>> # cat /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/apache-ca.pem > /etc/pki/ovirt-engine/certs/apache-with-ca.cer
>>> # openssl verify /etc/pki/ovirt-engine/certs/apache-with-ca.cer
>>>
>>> /etc/pki/ovirt-engine/certs/apache-with-ca.cer: OK
>>>
>>> 2) I changed config file:
>>>
>>> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>>
>>> PROXY_PORT=6100
>>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache-with-ca.cer
>>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>> SSL_ONLY=True
>>> FORCE_DATA_VERIFICATION=False
>>>
>>> 3) I restarted the service
>>>
>>> # service ovirt-websocket-proxy restart
>>>
>>> Problem still exists :(
>>> Any ideas how to troubleshoot the problem?
>>>
>>> 14.08.2016, 08:59, "aleksey.maksi...@it-kb.ru" <aleksey.maksi...@it-kb.ru>:
>>>> Hi Jiri.
>>>> But your variant does not work, too
>>>>
>>>> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>>> PROXY_PORT=6100
>>>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
>>>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>>> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>>> SSL_ONLY=True
>>>>
>>>> Some error:
>>>> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>>>>
>>>> Any ideas how to troubleshoot the problem?
>>>>
>>>> 14.08.2016, 01:53, "Jiri Belka" <jbe...@redhat.com>:
>>>>> I have different files for those variables, maybe this is the case?
>>>>>
>>>>> Review again.
>>>>>
>>>>> j.
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "aleksey maksimov" <aleksey.maksi...@it-kb.ru>
>>>>> To: "Jiri Belka" <jbe...@redhat.com>
>>>>> Cc: "users" <users@ovirt.org>
>>>>> Sent: Saturday, August 13, 2016 4:57:45 PM
>>>>> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/
>>>>>
>>>>> I changed my file /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf to:
>>>>>
>>>>> PROXY_PORT=6100
>>>>> #SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
>>>>> #SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
>>>>> #CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>>>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
>>>>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>>>> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/apache-ca.pem
>>>>> SSL_ONLY=True
>>>>>
>>>>> ...and restart HostedEngine VM.
>>>>> Problem still exists.
>>>>>
>>>>> 13.08.2016, 17:52, "aleksey.maksi...@it-kb.ru" <aleksey.maksi...@it-kb.ru>:
>>>>>> It does not work for me. Any ideas?
>>>>>>
>>>>>> 02.08.2016, 17:22, "Jiri Belka" <jbe...@redhat.com>:
>>>>>>> This works for me:
>>>>>>>
>>>>>>> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>>>>>> PROXY_PORT=6100
>>>>>>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
>>>>>>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>>>>>> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>>>>>> SSL_ONLY=True
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>> From: "aleksey maksimov" <aleksey.maksi...@it-kb.ru>
>>>>>>> To: "users" <users@ovirt.org>
>>>>>>> Sent: Monday, August 1, 2016 12:13:38 PM
>>>>>>> Subject: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/
>>>>>>>
>>>>>>> Hello oVirt gurus!
>>>>>>>
>>>>>>> I have successfully replaced the oVirt 4 site SSL-certificate according to the instructions from the "Replacing oVirt SSL Certificate" section in the "oVirt Administration Guide"
>>>>>>>
>>>>>>> http://www.ovirt.org/documentation/admin-guide/administration-guide/
>>>>>>>
>>>>>>> 3 files have been replaced:
>>>>>>>
>>>>>>> /etc/pki/ovirt-engine/certs/apache.cer
>>>>>>> /etc/pki/ovirt-engine/keys/apache.key.nopass
>>>>>>> /etc/pki/ovirt-engine/apache-ca.pem
>>>>>>>
>>>>>>> Now the oVirt site is using my certificate and everything works fine, but when I try to use the SPICE HTML5 browser client in Firefox or Chrome I see a gray screen and a message under the button "Toggle messages output":
>>>>>>>
>>>>>>> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>>>>>>>
>>>>>>> Before replacing the certificates, the SPICE HTML5 browser client worked.
>>>>>>> Native SPICE client works fine.
>>>>>>>
>>>>>>> Tell me what to do with SPICE HTML5 browser client?
>>>>>>> _______________________________________________
>>>>>>> Users mailing list
>>>>>>> Users@ovirt.org
>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
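An added pre-flight check for the websocket proxy's PKI files, written for this thread and not part of it or of oVirt: it reads SSL_CERTIFICATE and SSL_KEY from the 10-setup.conf layout quoted above, takes as second argument the CA bundle the browser is expected to trust, and flags the three things that go wrong in this thread (a CA root configured as the server certificate, a key that does not belong to the certificate, and a certificate that does not chain to the trusted CA). The function name check_wsproxy_pki and the helper conf_get are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from oVirt): sanity-check the files that
# ovirt-websocket-proxy is configured with, before restarting the service.
# Assumes the 10-setup.conf layout quoted above (SSL_CERTIFICATE, SSL_KEY) and
# takes, as second argument, the CA bundle the browser is expected to trust.
# Usage: check_wsproxy_pki /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf CA.crt

# Read KEY=value from a shell-style conf file; the last occurrence wins.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Returns 0 when every check passes, 1 otherwise; prints each failure.
check_wsproxy_pki() {
    conf="$1"; ca="$2"; rc=0
    cert="$(conf_get "$conf" SSL_CERTIFICATE)"
    key="$(conf_get "$conf" SSL_KEY)"

    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "FAIL: missing or unreadable: $f"; return 1; }
    done

    # 1. SSL_CERTIFICATE must be the proxy's server certificate, not a CA
    #    root: a CA:TRUE certificate here is the mistake reported in the thread.
    if openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: $cert is a CA certificate, not a server certificate"
        rc=1
    fi

    # 2. SSL_KEY must be the private key of that certificate: compare the
    #    public key each one carries.
    cert_pub="$(openssl x509 -in "$cert" -noout -pubkey)"
    key_pub="$(openssl pkey -in "$key" -pubout 2>/dev/null)"
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert"
        rc=1
    fi

    # 3. The certificate must chain to the CA the browser trusts; this is what
    #    the wss:// handshake on port 6100 checks before any SPICE data flows.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"
        rc=1
    fi
    return $rc
}
```

Run it before `service ovirt-websocket-proxy restart`; a clean exit means the files are at least consistent with each other, which the `openssl s_client -connect ...:6100` check in the thread then confirms end to end.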