[ovirt-devel] [missing_subjectAltName] in engine ca certificate?

Martin Perina mperina at redhat.com
Wed May 10 11:06:30 UTC 2017 

On Wed, May 10, 2017 at 9:13 AM, Juan Hernández <jhernand at redhat.com> wrote:

> On 05/10/2017 09:07 AM, Yaniv Kaul wrote:
> >
> >
> > On Wed, May 10, 2017 at 9:35 AM, Martin Perina <mperina at redhat.com
> > <mailto:mperina at redhat.com>> wrote:
> >
> >     Does this mean that we need to create new CA for all existing oVirt
> >     installations which are not using custom HTTPS certificate signed by
> >     external CA?
> >
> >
> > No, just a new certificate for Engine, I believe.
> > Y.
> >
>
> Probably not even for the engine, but just for the web server.
>

​@Sandro/@Didi: do we​

​have some documentation how to create new engine HTTPS certificate signed
by oVirt internal CA​ with subjectAltName properly set?


> >
> >     On Sun, May 7, 2017 at 7:37 PM, Nir Soffer <nsoffer at redhat.com
> >     <mailto:nsoffer at redhat.com>> wrote:
> >
> >         On Sun, May 7, 2017 at 8:27 PM Dan Kenigsberg <danken at redhat.com
> >         <mailto:danken at redhat.com>> wrote:
> >
> >             On Sun, May 7, 2017 at 8:22 PM, Nir Soffer
> >             <nsoffer at redhat.com <mailto:nsoffer at redhat.com>> wrote:
> >             > I imported the certificate from my engine into chrome[1],
> >             but Chrome
> >             > refuses to use it because:
> >             >
> >             >     This server could not prove that it is ...; its
> security
> >             >     certificate is from [missing_subjectAltName].
> >             >
> >             > Same certificate used to work 2 weeks ago, looks like new
> >             Chrome
> >             > version changed the rules.
> >             >
> >             > Without importing engine CA, there is no way to upload
> images
> >             > via engine.
> >             >
> >             > Tested on engine 4.1.1 and 4.1.2 on Centos 7.3.
> >             >
> >             > Is this  known issue?
> >             >
> >             > [1] from
> >             >
> >             http://<engine_url>/ovirt-engine/services/pki-resource?
> resource=ca-certificate&format=X509-PEM-CA
> >             >
> >             > Nir
> >
> >             https://gerrit.ovirt.org/#/c/74614/
> >             <https://gerrit.ovirt.org/#/c/74614/>
> >
> >             "This patch is not yet working, but can be used for
> discussion."
> >
> >
> >         Thanks!
> >
> >         Do you know how to manually fix engine certificates until we
> >         have a working
> >         patch?
> >
> >         Nir
> >
> >         _______________________________________________
> >         Devel mailing list
> >         Devel at ovirt.org <mailto:Devel at ovirt.org>
> >         http://lists.ovirt.org/mailman/listinfo/devel
> >         <http://lists.ovirt.org/mailman/listinfo/devel>
> >
> >
> >
> >     _______________________________________________
> >     Devel mailing list
> >     Devel at ovirt.org <mailto:Devel at ovirt.org>
> >     http://lists.ovirt.org/mailman/listinfo/devel
> >     <http://lists.ovirt.org/mailman/listinfo/devel>
> >
> >
> >
> >
> > _______________________________________________
> > Devel mailing list
> > Devel at ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/devel
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/devel/attachments/20170510/28c9faa4/attachment.html>

More information about the Devel mailing list