<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 10, 2017 at 9:13 AM, Juan Hernández <span dir="ltr">&lt;<a href="mailto:jhernand@redhat.com" target="_blank">jhernand@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 05/10/2017 09:07 AM, Yaniv Kaul wrote:<br>
&gt;<br>
&gt;<br>
&gt; On Wed, May 10, 2017 at 9:35 AM, Martin Perina &lt;<a href="mailto:mperina@redhat.com">mperina@redhat.com</a><br>
&gt; &lt;mailto:<a href="mailto:mperina@redhat.com">mperina@redhat.com</a>&gt;&gt; wrote:<br>
&gt;<br>
&gt;     Does this mean that we need to create new CA for all existing oVirt<br>
&gt;     installations which are not using custom HTTPS certificate signed by<br>
&gt;     external CA?<br>
&gt;<br>
&gt;<br>
&gt; No, just a new certificate for Engine, I believe.<br>
&gt; Y.<br>
&gt;<br>
<br>
Probably not even for the engine, but just for the web server.<br></blockquote><div><br><div style="font-family:arial,helvetica,sans-serif;display:inline" class="gmail_default">@Sandro/@Didi: do we</div> <div style="font-family:arial,helvetica,sans-serif;display:inline" class="gmail_default">have some documentation on how to create a new engine HTTPS certificate signed by the oVirt internal CA with subjectAltName properly set?<br><br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
&gt;<br>
&gt;     On Sun, May 7, 2017 at 7:37 PM, Nir Soffer &lt;<a href="mailto:nsoffer@redhat.com">nsoffer@redhat.com</a><br>
&gt;     &lt;mailto:<a href="mailto:nsoffer@redhat.com">nsoffer@redhat.com</a>&gt;&gt; wrote:<br>
&gt;<br>
&gt;         On Sun, May 7, 2017 at 8:27 PM Dan Kenigsberg &lt;<a href="mailto:danken@redhat.com">danken@redhat.com</a><br>
&gt;         &lt;mailto:<a href="mailto:danken@redhat.com">danken@redhat.com</a>&gt;&gt; wrote:<br>
&gt;<br>
&gt;             On Sun, May 7, 2017 at 8:22 PM, Nir Soffer<br>
&gt;             &lt;<a href="mailto:nsoffer@redhat.com">nsoffer@redhat.com</a> &lt;mailto:<a href="mailto:nsoffer@redhat.com">nsoffer@redhat.com</a>&gt;&gt; wrote:<br>
&gt;             &gt; I imported the certificate from my engine into Chrome[1],<br>
&gt;             but Chrome<br>
&gt;             &gt; refuses to use it because:<br>
&gt;             &gt;<br>
&gt;             &gt;     This server could not prove that it is ...; its security<br>
&gt;             &gt;     certificate is from [missing_subjectAltName].<br>
&gt;             &gt;<br>
&gt;             &gt; Same certificate used to work 2 weeks ago, looks like new<br>
&gt;             Chrome<br>
&gt;             &gt; version changed the rules.<br>
&gt;             &gt;<br>
&gt;             &gt; Without importing engine CA, there is no way to upload images<br>
&gt;             &gt; via engine.<br>
&gt;             &gt;<br>
&gt;             &gt; Tested on engine 4.1.1 and 4.1.2 on Centos 7.3.<br>
&gt;             &gt;<br>
&gt;             &gt; Is this a known issue?<br>
&gt;             &gt;<br>
&gt;             &gt; [1] from<br>
&gt;             &gt;<br>
&gt;             http://&lt;engine_url&gt;/ovirt-<wbr>engine/services/pki-resource?<wbr>resource=ca-certificate&amp;<wbr>format=X509-PEM-CA<br>
&gt;             &gt;<br>
&gt;             &gt; Nir<br>
&gt;<br>
&gt;             <a href="https://gerrit.ovirt.org/#/c/74614/" rel="noreferrer" target="_blank">https://gerrit.ovirt.org/#/c/<wbr>74614/</a><br>
&gt;             &lt;<a href="https://gerrit.ovirt.org/#/c/74614/" rel="noreferrer" target="_blank">https://gerrit.ovirt.org/#/c/<wbr>74614/</a>&gt;<br>
&gt;<br>
&gt;             &quot;This patch is not yet working, but can be used for discussion.&quot;<br>
&gt;<br>
&gt;<br>
&gt;         Thanks!<br>
&gt;<br>
&gt;         Do you know how to manually fix engine certificates until we<br>
&gt;         have a working<br>
&gt;         patch?<br>
&gt;<br>
&gt;         Nir<br>
&gt;<br>
&gt;         ______________________________<wbr>_________________<br>
&gt;         Devel mailing list<br>
&gt;         <a href="mailto:Devel@ovirt.org">Devel@ovirt.org</a> &lt;mailto:<a href="mailto:Devel@ovirt.org">Devel@ovirt.org</a>&gt;<br>
&gt;         <a href="http://lists.ovirt.org/mailman/listinfo/devel" rel="noreferrer" target="_blank">http://lists.ovirt.org/<wbr>mailman/listinfo/devel</a><br>
&gt;         &lt;<a href="http://lists.ovirt.org/mailman/listinfo/devel" rel="noreferrer" target="_blank">http://lists.ovirt.org/<wbr>mailman/listinfo/devel</a>&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
<br>
</blockquote></div><br></div></div>
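The failure discussed in this thread, as an added example that is not part of the original messages and not oVirt's own PKI tooling: a throwaway CA signs one certificate carrying the host name only in the subject CN and one with subjectAltName set, and a check reports which of them would trip Chrome's missing_subjectAltName error. The host name engine.example.test, the file names and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: throwaway CA and constructed host name, not oVirt's PKI layout.

# make_ca DIR: self-signed demo CA in DIR/ca.key and DIR/ca.crt
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
        -days 30 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_cert DIR HOST NAME [with_san]: sign DIR/NAME.crt for HOST with the demo CA.
# Without "with_san" the host appears only in the subject CN (the legacy form).
issue_cert() {
    dir=$1; host=$2; name=$3
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
    if [ "$4" = with_san ]; then
        printf 'subjectAltName = DNS:%s\n' "$host" > "$dir/$name.ext"
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" \
            -CAkey "$dir/ca.key" -CAcreateserial -days 30 -sha256 \
            -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
    else
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" \
            -CAkey "$dir/ca.key" -CAcreateserial -days 30 -sha256 \
            -out "$dir/$name.crt" 2>/dev/null
    fi
}

# has_san_for CERT HOST: succeeds only if CERT lists HOST as a DNS subjectAltName.
# The subject CN is deliberately ignored, since a CN-only match is what Chrome rejects.
has_san_for() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "DNS:$2"
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" || return 1
    issue_cert "$d" engine.example.test legacy
    issue_cert "$d" engine.example.test fixed with_san
    for c in legacy fixed; do
        if has_san_for "$d/$c.crt" engine.example.test; then
            echo "$c.crt: subjectAltName present"
        else
            echo "$c.crt: missing subjectAltName"
        fi
    done
    rm -rf "$d"
}
demo
```

Pointing has_san_for at the PEM file a web server actually presents, with the name users type into the browser, tells you whether that certificate needs to be reissued.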