Bug 1855249
Summary: | noVNC console via websocket with separated host doesn't work in chrome | ||
---|---|---|---|
Product: | [oVirt] ovirt-engine | Reporter: | Guilherme Santos <gdeolive> |
Component: | Setup.EngineCommon | Assignee: | Yedidyah Bar David <didi> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Guilherme Santos <gdeolive> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 4.4.1.7 | CC: | ahadas, bpelled, bugs, didi, lleistne |
Target Milestone: | ovirt-4.4.3 | Flags: | pm-rhel: ovirt-4.4+, pm-rhel: planning_ack+, sbonazzo: devel_ack+, lleistne: testing_ack+ |
Target Release: | 4.4.3.3 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | ovirt-engine-4.4.3.3 | Doc Type: | Bug Fix |
Doc Text: | Previously, when engine-setup was running on a separate machine (from the engine) and created a certificate for websocket-proxy or for grafana, this certificate was created without the extension "Subject Alternate Name". This causes problems with recent versions of browsers. This release fixes this issue - when engine-setup needs to create such a certificate, it creates it with this extension included. |
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2020-11-11 06:42:45 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | Integration | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Guilherme Santos
2020-07-09 11:03:43 UTC
Beni, do we have this covered in the tests? I want to rule out an environment issue.

Also want to complement that when the websocket is running in the same host as the engine, it works on chrome (as well as firefox). Logs attached.

Did you set it up with engine-setup as described in: https://www.ovirt.org/develop/release-management/features/integration/websocketproxy-on-a-separate-host.html

Yes Arik

And does it work if you change 'wss' to 'ws' in ./usr/share/ovirt-engine/engine.ear/services.war/novnc-main.jsp ? (might require to restart the engine)

I was able to reproduce this and it looks like Chrome is rejecting certificate from websocket proxy even if engine CA certificate is properly installed in the system. Since v58 Chromium does not look at Common Name in certificates but compares host names only to the names in Subject Alternative Names section. When engine-setup generates the certificate for websocket proxy it does not add the SAN section with hostname.

It's not specific to websocket-proxy, affects all separate machine pki (meaning, currently, also grafana). The bug is that we do not pass --san to the call to pki-enroll-request in engine:packaging/setup/ovirt_engine_setup/remote_engine.py

Verified on:
ovirt-engine-4.4.3.8-0.1.el8ev.noarch
ovirt-engine-websocket-proxy-4.4.3.8-0.1.el8ev.noarch

Steps:
1. Install engine without websocket on engine A
2. Install websocket on engine B
3. Trusted the engine A certificate in the browser
4. Accessed a noVNC console in engine A UI via chrome

Results: console successfully accessed on chrome

This bugzilla is included in oVirt 4.4.3 release, published on November 10th 2020. Since the problem described in this bug report should be resolved in oVirt 4.4.3 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.
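
The SAN-only host name match that the comments above attribute to Chromium since v58, sketched with openssl as an added example (not part of the bug report and not ovirt-engine code): the host is compared only against the DNS entries of subjectAltName, and the subject CN is ignored. The function names, the host name wsproxy.example.test and the two throwaway self-signed certificates are constructed for the illustration; `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not ovirt-engine code). Function names, host name and the
# throwaway certificates are constructed for illustration.

# Print the DNS names from a certificate's subjectAltName, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Usage: san_matches CERT HOST
# Return 0 if HOST matches a SAN DNS name; the subject CN is never consulted.
san_matches() {
    sm_host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    while IFS= read -r sm_name; do
        [ "$sm_name" = "$sm_host" ] && return 0
        case "$sm_name" in
            '*.'*)  # a wildcard covers exactly one leftmost label
                [ "$sm_host" != "${sm_host#*.}" ] &&
                    [ "${sm_host#*.}" = "${sm_name#??}" ] && return 0 ;;
        esac
    done <<EOF
$(san_dns_names "$1" | tr '[:upper:]' '[:lower:]')
EOF
    return 1
}

# Usage: make_demo_certs DIR HOST
# Constructed sample data: one cert with CN only, one with CN plus SAN.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cn_only.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -keyout "$1/key.pem" -out "$1/with_san.pem" 2>/dev/null
}

demo_dir=$(mktemp -d) && make_demo_certs "$demo_dir" wsproxy.example.test &&
for demo_cert in cn_only with_san; do
    if san_matches "$demo_dir/$demo_cert.pem" wsproxy.example.test; then
        echo "$demo_cert: SAN covers the host"
    else
        echo "$demo_cert: no SAN match, a SAN-only client rejects it"
    fi
done
rm -rf "$demo_dir"
```

`openssl x509 -checkhost` is not a substitute for this check, because OpenSSL falls back to the CN when a certificate carries no SAN DNS entries.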