[ovirt-users] Cannot install new host on 4.0, Certificate enrollment failed

Juan Hernández jhernand at redhat.com
Wed Jul 20 11:26:20 UTC 2016


On 07/20/2016 01:21 PM, Matt . wrote:
> Hi,
> 
> Thanks a lot, it's good to know about this.
> 
> There is no way to shorten the commonname? Or will it always use the
> hostname there? As it's the cn, I doubt if we can use something else there.
> 
> Thanks!
> 
> Matt
> 

I think it can't be shortened, as most TLS/SSL clients check that the
host name matches exactly the common name inside the certificate, and
this check would fail if you shorten it.

> 
> 
> 2016-07-20 13:07 GMT+02:00 Juan Hernández <jhernand at redhat.com>:
>> On 07/20/2016 12:30 PM, Matt . wrote:
>>> Hi,
>>>
>>> I found out yesterday late I was looking in the certs folder for the
>>> serial, this was the issue all files are there.
>>>
>>> I need to test a shorter fqdn, which is a pity, but I wonder why it
>>> should be too long for a cert create.
>>>
>>
>> Looks like it is a limitation of the X.509 specification:
>>
>>   ub-common-name INTEGER ::= 64
>>   ...
>>   X520CommonName ::= CHOICE {
>>       teletexString     TeletexString   (SIZE (1..ub-common-name)),
>>       printableString   PrintableString (SIZE (1..ub-common-name)),
>>       universalString   UniversalString (SIZE (1..ub-common-name)),
>>       utf8String        UTF8String      (SIZE (1..ub-common-name)),
>>       bmpString         BMPString       (SIZE (1..ub-common-name)) }
>>
>> The source is RFC 5280:
>>
>>   http://www.ietf.org/rfc/rfc5280.txt
>>
>> Maybe we should check these limits during the setup.
>>
>>>
>>>
>>> 2016-07-20 10:14 GMT+02:00 Juan Hernández <jhernand at redhat.com>:
>>>> On 07/19/2016 07:59 PM, Matt . wrote:
>>>>> Hi,
>>>>>
>>>>> Thanks for the heads up, I saw this in some thread too and this file
>>>>> was available here with the upcoming number.
>>>>>
>>>>> Which rights does the file have?
>>>>>
>>>>> I don't have a ca.pem in that cert folder anymore, can that be an issue?
>>>>>
>>>>
>>>> In theory the ca.pem isn't needed to sign certificates, but the fact
>>>> that it isn't in that directory probably means that something has been
>>>> incorrectly manipulated, either manually or by the system itself. These
>>>> are the files/permissions from a working environment:
>>>>
>>>> lrwxrwxrwx. 1 root  root    28 Jul  8 11:34 apache-ca.pem ->
>>>> /etc/pki/ovirt-engine/ca.pem
>>>> -rw-r--r--. 1 root  root   384 Jul  8 11:34 cacert.conf
>>>> -rw-r--r--. 1 root  root   384 Jul  8 11:34 cacert.template
>>>> -rw-r--r--. 1 root  root   384 Jul 18 20:46 cacert.template.in
>>>> -rw-r--r--. 1 root  root  4587 Jul  8 11:34 ca.pem
>>>> -rw-r--r--. 1 root  root   923 Jul  8 11:34 cert.conf
>>>> drwxr-xr-x. 2 ovirt ovirt 4096 Jul 18 20:46 certs
>>>> -rw-r--r--. 1 root  root   923 Jul  8 11:34 cert.template
>>>> -rw-r--r--. 1 root  root   717 Jul 18 20:46 cert.template.in
>>>> -rw-r--r--. 1 ovirt ovirt  667 Jul  8 11:42 database.txt
>>>> -rw-r--r--. 1 ovirt ovirt   20 Jul  8 11:42 database.txt.attr
>>>> -rw-r--r--. 1 ovirt ovirt   20 Jul  8 11:42 database.txt.attr.old
>>>> -rw-r--r--. 1 ovirt ovirt  599 Jul  8 11:42 database.txt.old
>>>> drwxr-xr-x. 2 root  root  4096 Jul 18 20:46 keys
>>>> -rw-r--r--. 1 root  root   548 Jul 18 20:46 openssl.conf
>>>> drwxr-x---. 2 ovirt ovirt   19 Jul 18 20:46 private
>>>> drwxr-xr-x. 2 ovirt ovirt 4096 Jul 18 20:46 requests
>>>> -rw-r--r--. 1 ovirt ovirt    5 Jul  8 11:42 serial.txt
>>>> -rw-r--r--. 1 ovirt ovirt    5 Jul  8 11:42 serial.txt.old
>>>>
>>>>>
>>>>>
>>>>> 2016-07-19 19:08 GMT+02:00 Juan Hernández <jhernand at redhat.com>:
>>>>>> On 07/19/2016 06:16 PM, Matt . wrote:
>>>>>>> Can anyone confirm what max. number of subdomains can be used for a
>>>>>>> certificate ?
>>>>>>>
>>>>>>> The length of 65 per subdomain should be default.
>>>>>>>
>>>>>>> 2016-07-19 15:06 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>>>> It's the fqdn indeed, not its hostname.
>>>>>>>>
>>>>>>>> Fqdn should be possible I thought as discussed before in the channel
>>>>>>>> (while ago).
>>>>>>>>
>>>>>>>> 2016-07-19 15:04 GMT+02:00 Yaniv Kaul <ykaul at redhat.com>:
>>>>>>>>>
>>>>>>>>> On Tue, Jul 19, 2016 at 3:43 PM, Matt . <yamakasi.014 at gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> kvm-01.hosts.services-01.clusters.mycluster-01.dc.ovirt.subdomain.dc-01.dc.my.network
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Is this the name of the host? perhaps it's a bit too long?
>>>>>>>>> Y.
>>>>>>
>>>>>> Not sure if this is relevant, but I had the same problem today, and the
>>>>>> cause was that the /etc/pki/ovirt-engine/serial.txt file was empty, and
>>>>>> openssl refused to open it. I wrote manually a number inside, taking the
>>>>>> value from /etc/pki/ovirt-engine/serial.txt.old (plus one), and then
>>>>>> things started to work.
>>>>>>
>>>>>> --
>>>>>> Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
>>>>>> 3ºD, 28016 Madrid, Spain
>>>>>> Registered in the Madrid Mercantile Registry – C.I.F. B82657941 - Red Hat S.L.
>>>>
>>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>>
>>
> 


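The limit check Juan suggests adding to setup, written out as an added example; this is not ovirt-engine's own code. It applies the bound quoted from RFC 5280 Appendix A (ub-common-name = 64) to a candidate host name and reports why the name would not fit. The DNS hostname rules it also enforces (63 octets per label, 253 characters overall, letters/digits/hyphens only, from RFC 1035) are this example's own addition, as are the function names, the label regex and the THREAD_FQDN constant, which just holds the host name quoted in the thread.

```python
"""Pre-flight check for a host FQDN that will become a certificate CN.

Added example, not ovirt-engine code.  It applies the bound quoted in the
thread (RFC 5280 Appendix A: ub-common-name INTEGER ::= 64) and, as an
assumption beyond the thread, the DNS hostname limits of RFC 1035
(63 octets per label, 253 characters for the whole name).
"""
import re
from typing import List

UB_COMMON_NAME = 64   # RFC 5280 Appendix A, upper bound on the CN attribute
MAX_DNS_LABEL = 63    # RFC 1035 section 2.3.4
MAX_DNS_NAME = 253    # 255-octet wire limit minus the length/root octets

# The host name quoted in the thread (85 characters), used as sample input.
THREAD_FQDN = ("kvm-01.hosts.services-01.clusters.mycluster-01"
               ".dc.ovirt.subdomain.dc-01.dc.my.network")

# LDH label: letters, digits and hyphens, not starting or ending with '-'.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def check_cn_candidate(fqdn: str) -> List[str]:
    """Return the reasons `fqdn` cannot be used verbatim as a CN (empty = OK)."""
    problems = []
    name = fqdn.rstrip(".")          # a trailing root dot is not part of the CN
    if not name:
        return ["empty host name"]
    if len(name) > UB_COMMON_NAME:
        problems.append(f"CN would be {len(name)} characters; "
                        f"RFC 5280 ub-common-name is {UB_COMMON_NAME}")
    if len(name) > MAX_DNS_NAME:
        problems.append(f"name is {len(name)} characters; "
                        f"DNS allows at most {MAX_DNS_NAME}")
    for label in name.split("."):
        if len(label) > MAX_DNS_LABEL:
            problems.append(f"label {label!r} is {len(label)} characters; "
                            f"DNS allows at most {MAX_DNS_LABEL}")
        elif not _LABEL_RE.match(label):
            problems.append(f"label {label!r} is not a valid LDH hostname label")
    return problems


def fits_in_cn(fqdn: str) -> bool:
    """True when `fqdn` passes every check above."""
    return not check_cn_candidate(fqdn)


if __name__ == "__main__":
    for host in ("kvm-01.example.com", THREAD_FQDN):
        issues = check_cn_candidate(host)
        print(host, "->", "OK" if not issues else "; ".join(issues))
```

Running it on the thread's host name reports only the CN length (85 characters against the 64 allowed); every label is a legal DNS label, so shortening the name really is the only fix if the host name must live in the CN. The 64-character bound is specific to the CN attribute: a dNSName entry in the subjectAltName extension is an IA5String with no such bound, and RFC 6125-style host name verification matches against the SAN in preference to the CN.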