Ahoj, Through websockets, you're connecting to TLS port with cert issued by oVirt CA so you need have your browser trust oVirt CA in order to connect successfully to spice-html5.
AFAIU you should be able to replace certs for spice (it's separate file on host from vdsm cert although their contents are the same [1]). I don't know however if you can configure engine to fill this non-embedded-CA root in .vv files instead (or not to set it at all if this CA is in your client trust stores). [1] # ls -l /etc/pki/vdsm/*/*pem -rw-r--r--. 1 root kvm 1452 4. zář 2015 /etc/pki/vdsm/certs/cacert.pem -rw-r--r--. 1 root kvm 1444 4. zář 2015 /etc/pki/vdsm/certs/vdsmcert.pem -r--r-----. 1 vdsm kvm 1675 4. zář 2015 /etc/pki/vdsm/keys/vdsmkey.pem -rw-r--r--. 1 root kvm 1452 4. zář 2015 /etc/pki/vdsm/libvirt-spice/ca-cert.pem -rw-r--r--. 1 root kvm 1444 4. zář 2015 /etc/pki/vdsm/libvirt-spice/server-cert.pem -r--r-----. 1 vdsm kvm 1675 4. zář 2015 /etc/pki/vdsm/libvirt-spice/server-key.pem # rpm -qf /etc/pki/vdsm/libvirt-spice/ca-cert.pem file /etc/pki/vdsm/libvirt-spice/ca-cert.pem Regards, David Jaša On Pá, 2016-12-09 at 21:09 +0100, Karol Vaclavik wrote: > Hi all, > > i had running ovirt. After renaming it (to the final domain it will be > assigned to), and replacing self-signed apache cert with a trustworthy > one, i am unable to connect to remote desktop of any VM (noVnc and > SPICE). > > for NoVNC the problem is: Server disconnected (code: 1006) > and in the javascript i can find: > > VM6119:37 WebSocket connection to > 'wss://realaddressofmyengine:6100/eyJzYWx0IjoiQ01pOUNBV1YrTjA9IiwiZGF0YSI6…FsaWRGcm9tIjoiMjAxNjEyMDkyMDA2MjEiLCJ2YWxpZFRvIjoiMjAxNjEyMDkyMDA4MjEifQ==' > failed: WebSocket opening handshake was canceled > > and when trying Spice the error is: > > WebSocket error: Can't connect to websocket on URL: > wss://realaddressofmyengine:6100/eyJzYWx0IjoiTUJXQzVPT004UWM9IiwiZGF0YSI6IiU3QiUyMmhvc3QlMjI6JTIyMTkyLjE2OC4yMDAuMTExJTIyLCUyMnBvcnQlMjI6JTIyNTkwMCUyMiwlMjJzc2xfdGFyZ2V0JTIyOnRydWUlN0QiLCJzaWduYXR1cmUiOiJueUZEM1NIenE0WXY0UmJqYmtnbFNtUEM1QUJSRUsvM294a1VieXBqa3ZuckhsOTdLVWFFTFNsTEpHaUpTR0dJQXgrVEJFNTJna0dWR3VCRVVIZE4vdkJEY3JZbEtmcmQxK0ZqTTZMMXhtb1F3aHM4Y1VRR0t5Z1dLSENsanZvdFZFVkxNaCszU3VvU0s5d2VDczViVnRoRDdWZXFQM1ZtQkxoUnFnS0xmYjhxS1g4ZnBKTllUUG5iRmV1bGhVc2N6UTJwNE5CZ05ZalR0K3BTcFYvaGJlaFBPcnFBV01oMjRkV1ZrNVA3WEJmbTZ5a2RSVy8zNW1takY4Ym9FQlNZZzIrU1YvaWNwaldySW1SWmtQd3d5V3Y3dEhYVGNLSGFCek4vcnBQaS9xbnZoWXdyWEd4akRBSk9GVTRuRnl6ei9mNTAxU1BIMFNESEdIaEh3UXBoWFE9PSIsImRpZ2VzdCI6InNoYTEiLCJjZXJ0aWZpY2F0ZSI6Ii0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLVxuTUlJRW5UQ0NBNFdnQXdJQkFnSUNFQUV3RFFZSktvWklodmNOQVFFRkJRQXdWekVMTUFrR0ExVUVCaE1DVlZNeEhEQWFCZ05WQkFvVFxyXG5FMmwwWTI5dGJYVnVhV05oZEdsdmJuTXVjMnN4S2pBb0JnTlZCQU1USVdWdVoybHVaV0V1YVhSamIyMXRkVzVwWTJGMGFXOXVjeTV6XHJcbmF5NDFPVFl6TXpBZUZ3MHhOakV3TWpVeE5EQTBORGxhRncweU1UQTVNekF4TkRBME5EbGFNRkV4Q3pBSkJnTlZCQVlUQWxWVE1Sd3dcclxuR2dZRFZRUUtFeE5wZEdOdmJXMTFibWxqWVhScGIyNXpMbk5yTVNRd0lnWURWUVFERXh0bGJtZHBibVZoTG1sMFkyOXRiWFZ1YVdOaFxyXG5kR2x2Ym5NdWMyc3dnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEamVkZExkakJtUHk5R0ZYMzAza1owXHJcbnU5cUprSWg4TFZRVDZxWFcvSjV3V1QvWUtaMDlxdFdta25wTXRkd21WMWQ0WFBoajd6SGxuYUxjckpSeWIyZTNqTGxHcklHRDNvRmNcclxuUktETnAvMkhDU3JieHBoci9RVmhvMnNsRXpBUzRwS3d3Wno3RkU2cTVGbFI4OUZLTXRBSjlRZDVORi9LNTdUaUJuaDBzUCsvS0IycVxyXG4xSlAwZ2RGTUY1aERrREJGUG9xZklMUzhRN09GYW9vQXBveEhtdFZYaXp3Q1BlczJKMjVFM0NhRE1YWWpIOXdpREQrTi9kNkxuU1NYXHJcbld3V2c5d09ud2kwcHQ0TDhCTmxIL2ZtaW9Mb0ZpME9uUmdOY3Ryc09VN1BvR0hpb3VCZkZjNUpIWndJQm9YUWswakZja0RxMnZjYnlcclxuM2o1aEtSdWVkUVg2SUxJM0FnTUJBQUdqZ2dGM01JSUJjekFkQmdOVkhRNEVGZ1FVRlJLSEp5UmJHQmQ3RmdSOThZT29vOFlCMGRRd1xyXG5nWkVHQ0NzR0FRVUZCd0VCQklHRU1JR0JNSDhHQ0NzR0FRVUZCekFDaG5Ob2RIUndPaTh2Wlc1bmFXNWxZUzVwZEdOdmJXMTFibWxqXHJcbllYUnBiMjV6TG5Ock9qZ3dMMjkyYVhKMExXVnVaMmx1WlM5elpYSjJhV05sY3k5d2Eya3RjbVZ6YjNWeVkyVS9jbVZ6YjNWeVkyVTlcclxuWTJFdFkyVnlkR2xtYVdOaGRHVW1abTl5YldGMFBWZzFNRGt0VUVWTkxVTkJNSUdBQmdOVkhTTUVlVEIzZ0JSY2JUS2lmWWZIMXVjdFxyXG4zTUFGanptQnhUMzJqcUZicEZrd1Z6RUxNQWtHQTFVRUJoTUNWVk14SERBYUJnTlZCQW9URTJsMFkyOXRiWFZ1YVdOaGRHbHZibk11XHJcbmMyc3hLakFvQmdOVkJBTVRJV1Z1WjJsdVpXRXVhWFJqYjIxdGRXNXBZMkYwYVc5dWN5NXpheTQxT1RZek00SUNFQUF3Q1FZRFZSMFRcclxuQkFJd0FEQU9CZ05WSFE4QkFmOEVCQU1DQmFBd0lBWURWUjBsQVFIL0JCWXdGQVlJS3dZQkJRVUhBd0VHQ0NzR0FRVUZCd01DTUEwR1xyXG5DU3FHU0liM0RRRUJCUVVBQTRJQkFRQUVmN1VMUzdldGx4NWxXZzI3TlVKSDJsRmtzQVZnY2d3QlFSd1JSSXdEWWRWSGREbWEwS0wxXHJcbjBEL0tKcTJpelFwZ1RtSWxEdXh5Z3NiZm9IUHZOMDFzOW5IR0s3TXRrOG9iaHdUMUQrQ3RIakZlT0pQWUpkUVl1ZzhkSU9HZTZoN0NcclxucGZWSXAyeTFjYkpIVm11c2ZieGhNRy9QcEljalBoc3lFYW9qVmZQbU9Bd0M5UVJGV3Uxck0yZ0czUnBRamphVDJCVFY0SDQwUzdkSFxyXG5makduOGdkckxxYVYzaHpSZlR3S2JjRXdQL0lDTmwxUDFyOEpXNDdJM1cveGRkb2kvdm5FUlJiUktTNk51TjhYM3dtOVJkeDQ1WCtxXHJcbjdhRFVqb0VtbGk1dUNieHQ2SGxXb1RSL2NCamVoZnNXeTBMMVR0amIzNHJFeFBoNHFGR1FKZFhGV1Y0WlxyXG4tLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tXG4iLCJzaWduZWRGaWVsZHMiOiJzYWx0LGRhdGEsZGlnZXN0LHZhbGlkRnJvbSx2YWxpZFRvIiwidmFsaWRGcm9tIjoiMjAxNjEyMDkyMDA5MDAiLCJ2YWxpZFRvIjoiMjAxNjEyMDkyMDExMDAifQ== > [object Event] > > I have no idea how to regenerate websocket cert, that is still > pointing at the old machine name. > > thanks for any help > > Karol Vaclavik > IT ARCHITECT > > > > > > Mlynske Nivy 49 > Bratislava, 82109 > 01873 > Slovakia > > e-mail: karol.vacla...@sk.ibm.com > phone: 00421 904 943 684 > > > _______________________________________________ > Users mailing list > Users@ovirt.org > http://lists.phx.ovirt.org/mailman/listinfo/users _______________________________________________ Users mailing list Users@ovirt.org http://lists.phx.ovirt.org/mailman/listinfo/users
