[one-users] Sunstone noVNC with WSS support

Wilma Hermann wilma.hermann at gmail.com
Fri Mar 7 09:40:46 PST 2014


Hi Valentin,

> Last time I checked, my CA looked pretty real to me
Admittedly, "real" might have been the wrong word. Probably "common"
would have better described what I meant.

> And why is that? Is Verisign's random number generator better than yours?
No, but their root certificate is shipped with every common browser
out there, even on mobile devices.

> None of the RFCs I've read about PKI don't tell me that I SHOULD NOT use
> self signed certs for production environments.
Fair enough, that's true. And when you have an environment where you
can ensure that all users have your root certificate installed, then
there's no downside to a private CA infrastructure. But from ML's
comments I assumed that this particular OpenNebula installation is to
be opened to the public (or at least an audience where ML cannot make
sure that the root certificate is trusted by default).
If that assumption holds and you're not willing to spend a few dollars
for an uninterrupted user-experience, then I question your business
model...

Greetings
Wilma


2014-03-07 17:37 GMT+01:00 Valentin Bud <valentin.bud at gmail.com>:
>
> Hello Wilma,
>
> On Thu, Feb 6, 2014 at 6:20 PM, Wilma Hermann <wilma.hermann at gmail.com> wrote:
>>
>> There is a really easy fix for that: Get a real certificate from a real CA. You should not use self-signed certs for a production environment.
>
>
> And why is that? Is Verisign's random number generator better than yours?
> A real certificate from a real CA? I don't get that. Last time I checked, my CA
> looked pretty real to me, conforming with RFC 5280. And the certificates from the
> browser and VPNs issued by that CA are also real.
>
> None of the RFCs I've read about PKI don't tell me that I SHOULD NOT use
> self signed certs for production environments.
>
> Your business's image could suffer from a self signed cert but that's another
> story. Technology is technology and it should work either way, be it self signed
> or not.
>
> Best,
> Valentin
>
>>
>> Greetings
>> Wilma
>>
>>
>> 2014-02-06 ML mail <mlnospam at yahoo.com>:
>>
>>> This workaround fixes that problem, yes, but it is not a good workaround, especially if you want to offer OpenNebula to real customers. I hope another, better alternative can be found in the future, but I am aware that this is mostly a browser problem :|
>>>
>>> Regards
>>> ML
>>>
>>>
>>>
>>> On Thursday, February 6, 2014 10:56 AM, Daniel Molina <dmolina at opennebula.org> wrote:
>>> Hi,
>>>
>>>
>>> On 5 February 2014 16:58, ML mail <mlnospam at yahoo.com> wrote:
>>>
>>> Hello,
>>>
>>> I would like to use noVNC in Sunstone over an encrypted channel (WSS). Therefore I have generated my own SSL key and certificate, which I have added to the sunstone-server.conf configuration. The problem is that this does not work: when I start VNC from the Sunstone web interface, I get the following error message in novnc.log:
>>>
>>> SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>>>
>>> Does this mean I need an official SSL certificate?
>>>
>>>
>>> Please check if the solution proposed in this thread fixes your problem:
>>> http://lists.opennebula.org/pipermail/users-opennebula.org/2014-February/026405.html
>>>
>>> Cheers
>>>
>>>
>>>
>>> Regards
>>>
>>> ML
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opennebula.org
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>
>>>
>>>
>>>
>>> --
>>> Daniel Molina
>>> Project Engineer
>>> OpenNebula - Flexible Enterprise Cloud Made Simple
>>> www.OpenNebula.org | dmolina at opennebula.org | @OpenNebula
>>>
>>>
>>
>>
>
>
>
> --
> Valentin Bud
> http://databus.pro | valentin at databus.pro
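
Added example, not part of the original thread: the point argued above is that the same certificate is accepted or rejected depending only on whether its issuing root is in the client's trust store. The script builds a private root and a server certificate with OpenSSL and verifies the certificate against two trust stores; all names (Example Private Root CA, Unrelated Root CA, sunstone.example.test) are constructed placeholders.

```shell
#!/bin/sh
# Added example. All names (Example Private Root CA, Unrelated Root CA,
# sunstone.example.test) are constructed placeholders.
set -eu

new_root() {  # $1 = output prefix, $2 = CN: create a self-signed root CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

make_pki() {  # $1 = work dir
    new_root "$1/private-ca" "Example Private Root CA"
    # Stands in for a client trust store that lacks the private root.
    new_root "$1/other-ca" "Unrelated Root CA"
    # Server key and CSR, then a certificate signed by the private root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sunstone.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -days 30 \
        -CA "$1/private-ca.crt" -CAkey "$1/private-ca.key" -CAcreateserial \
        -out "$1/server.crt" 2>/dev/null
}

trusted_by() {  # $1 = trust store (PEM), $2 = certificate; exit 0 if it chains
    # Match on the "OK" line rather than the exit status, which old
    # OpenSSL releases did not set reliably on verification failure.
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

report() {  # $1 = label, $2 = trust store, $3 = certificate
    if trusted_by "$2" "$3"; then
        echo "$1: accepted"
    else
        echo "$1: rejected (issuer not in trust store)"
    fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_pki "$work"
report "client with private root installed" "$work/private-ca.crt" "$work/server.crt"
report "client without it" "$work/other-ca.crt" "$work/server.crt"
```

The rejected case corresponds to the `unknown ca` alert in novnc.log: that alert is sent by the peer that could not match the certificate's issuer to a trusted root.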


