<html><body><div style="font-family: times new roman, new york, times, serif; font-size: 12pt; color: #000000"><div></div><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Andrew Lau" <andrew@andrewklau.com><br><b>To: </b>"users" <users@ovirt.org><br><b>Sent: </b>Wednesday, January 29, 2014 8:38:33 AM<br><b>Subject: </b>[Users] Hosted Engine adding host SSL Failure (w/ engine custom cert)<br><div><br></div><div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif">Hi,</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">
After running through the new patch posted in BZ 1055153 I'm adding a second host to the hosted-engine cluster but it seems to fail right before the finish:</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default"><div class="gmail_default"><span face="tahoma, sans-serif" data-mce-style="font-family: tahoma, sans-serif;" style="font-family: tahoma, sans-serif;">[ ERROR ] Failed to execute stage 'Closing up': [ERROR]::oVirt API connection failure, [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed</span></div><div style="font-family:tahoma,sans-serif"><br></div><div style="font-family:tahoma,sans-serif">Couple Extra Notes:</div><div style="font-family:tahoma,sans-serif">Engine has a custom SSL cert but the CA has been trusted by the new host. When I temporarily return the engine's SSL back to the default generated one the install will succeed.</div><div style="font-family:tahoma,sans-serif"><br></div><div style="font-family:tahoma,sans-serif">Setup logs: <a href="http://www.fpaste.org/72624/13909770/" target="_blank">http://www.fpaste.org/72624/13909770/</a><br></div><div style="font-family:tahoma,sans-serif"><br></div><div style="font-family:tahoma,sans-serif">What confuses me is:</div><div style="font-family:tahoma,sans-serif"><br></div><div style="font-family:tahoma,sans-serif">curl <a href="https://engine.example.net" target="_blank">https://engine.example.net</a> with the custom SSL cert will succeed but with the original self-signed gives the expected "insecure" message. What criteria need to be met so the install will pass?</div></div></div></blockquote><div><br></div><div>Seems like a bug (or a missing feature) - hosted-engine only supports the self-signed cert. 
Can you please open a bug for this?</div><div><br></div><div>You might manage to make it work by replacing /etc/pki/ovirt-engine/ca.pem with the certificate of your ca, but this will prevent adding hosts (because it's needed to create a certificate for them). Perhaps other things will break too, I didn't try that.</div><div>-- <br></div><div><span name="x"></span>Didi<span name="x"></span><br></div><div><br></div></div></body></html>
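The failure in this thread comes down to which trust anchor the client checks the engine's certificate against. Didi's reply implies that hosted-engine-setup verifies the engine API against the engine's own CA (/etc/pki/ovirt-engine/ca.pem), whereas curl uses the host's system trust store, which explains why curl accepts the custom certificate and the setup does not. The script below is an added example, not code from the thread or from the oVirt project: it builds two throwaway CAs with openssl (engine-ca standing in for the engine's generated CA, corp-ca for the CA that issued the custom certificate, both constructed names), issues an "engine" certificate from corp-ca, and checks it against each CA file in turn. It assumes an openssl binary whose default config gives `req -x509` certificates basicConstraints CA:TRUE (the default openssl.cnf and OpenSSL 3 both do).

```shell
#!/bin/sh
# Added example, not from the oVirt thread: reproduce the CA mismatch
# offline with openssl. Two constructed CAs are generated:
#   engine-ca : stands in for the engine's own generated CA
#   corp-ca   : stands in for the CA that issued the custom engine cert
# The "engine" certificate is issued by corp-ca, like the custom cert in
# the report, and then verified against each CA file.
set -e
WORK=$(mktemp -d)

# gen_ca NAME: self-signed CA certificate and key
gen_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_cert CA_NAME SERVER_CN: CSR for the server, signed by the named CA
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -sha256 -out "$WORK/$2.crt" >/dev/null 2>&1
}

# verify_against CA_FILE CERT_FILE: prints "ok" if CERT_FILE chains to
# CA_FILE, "fail" otherwise. This mirrors a client handed an explicit CA
# file: a CA that is trusted system-wide but absent from that file does
# not help, which is the situation described in the thread.
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

gen_ca engine-ca
gen_ca corp-ca
issue_cert corp-ca engine    # the custom, externally issued engine cert

# Expected: "fail" against engine-ca, "ok" against corp-ca
echo "engine-ca: $(verify_against "$WORK/engine-ca.pem" "$WORK/engine.crt")"
echo "corp-ca:   $(verify_against "$WORK/corp-ca.pem"   "$WORK/engine.crt")"
```

On a real host the same check is `openssl verify -CAfile /etc/pki/ovirt-engine/ca.pem <engine cert>`; if that fails while `openssl verify` against the system store succeeds, the client is pinned to the engine CA and a custom certificate will not be accepted until the CA file it trusts matches the issuer of the certificate served.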