Since our latest update in 5.8.1, we have added an extra security step for connecting to hosts whose HTTPS certificate is not valid.
Default in HTTPS
As usual when you try to add a new pool/host in Xen Orchestra, we'll try to connect to XenServer API in HTTPS by default. In other words, adding a host with
myxenserver.org is the same as adding
However, since 5.8.1, Xen Orchestra won't connect if the certificate is not valid (self-signed or expired).
Clicking on the warning message opens a modal window:
The certificate check will now be bypassed automatically, as you can see with this toggle button activated:
Remember that using HTTPS with a non-valid certificate won't protect you from man-in-the-middle attacks.
If you want to connect over HTTP, it's possible, but you'll need to set it explicitly:
http://myxenserver.org. However, all the traffic between XOA and your pool will then be sent in clear text.
Change a certificate in XenServer
If you want to change the certificate of your XenServer host, the file to change is
/etc/xensource/xapi-ssl.pem. Don't forget to restart the toolstack afterwards.
You'll have to do it on all hosts of the pool.
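
Before replacing the file on each host, it is worth checking the new bundle for the conditions that make Xen Orchestra refuse the connection. The script below is an added example, not code from Xen Orchestra or XenServer. It assumes the bundle holds the private key and the certificate in one PEM file and that the `openssl` CLI is installed. The function names are hypothetical, and the sample bundle is constructed on the fly with a throwaway key.

```shell
#!/usr/bin/env bash
# Pre-flight check for a PEM bundle before it replaces xapi-ssl.pem.
# Assumption: the bundle holds the private key and the certificate in one file.

# Usage: check_xapi_pem FILE [SECONDS]  (SECONDS = required remaining validity)
# Prints key=value findings; returns 0 only if key and cert match and the
# certificate stays valid for at least SECONDS more seconds.
check_xapi_pem() {
    local pem="$1" window="${2:-0}" cert_pub key_pub subject issuer rc=0

    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) ||
        { echo "certificate=missing"; return 1; }
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) ||
        { echo "private_key=missing"; return 1; }

    # The certificate must carry the public half of the bundled private key.
    if [ "$cert_pub" = "$key_pub" ]; then echo "key_match=yes"
    else echo "key_match=no"; rc=1; fi

    # -checkend N fails when the certificate expires within N seconds.
    if openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1
    then echo "valid_for_window=yes"
    else echo "valid_for_window=no"; rc=1; fi

    # Same subject and issuer: self-signed, which Xen Orchestra rejects
    # unless the certificate check is bypassed for that host.
    subject=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$pem" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subject" = "$issuer" ]; then echo "self_signed=yes"
    else echo "self_signed=no"; fi
    return "$rc"
}

# Constructed sample: throwaway key, self-signed cert valid for DAYS days.
make_sample_bundle() {
    local dir="$1" days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=myxenserver.org" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    cat "$dir/key.pem" "$dir/cert.pem" > "$dir/xapi-ssl.pem"
}

# Demo on the constructed bundle (self-signed, valid for one day).
demo_dir=$(mktemp -d)
make_sample_bundle "$demo_dir" 1
check_xapi_pem "$demo_dir/xapi-ssl.pem"
rm -rf "$demo_dir"
```

Passing a window such as `2592000` (30 days) as the second argument flags a certificate that is about to expire, so it can be renewed before Xen Orchestra starts refusing the host.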