<div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif">Shame about the way the CA works, may be worth putting a reverse proxy in front as unsigned SSL can be a deal breaker. </div><div class="gmail_default" style="font-family:tahoma,sans-serif">
<br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">Anyway, my vdsm.log is here <a href="http://www.fpaste.org/72643/98338713/">http://www.fpaste.org/72643/98338713/</a></div><div class="gmail_default" style="font-family:tahoma,sans-serif">
<br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">When it's "Still waiting for VDSM host to become operational.." there is no output in vdsm.log </div><div class="gmail_extra">
<br><div class="gmail_quote">On Wed, Jan 29, 2014 at 6:11 PM, Yedidyah Bar David <span dir="ltr"><<a href="mailto:didi@redhat.com" target="_blank">didi@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div><div style="font-size:12pt;font-family:'times new roman','new york',times,serif"><div></div><blockquote style="padding-left:5px;font-size:12pt;font-style:normal;margin-left:5px;font-family:Helvetica,Arial,sans-serif;text-decoration:none;font-weight:normal;border-left-width:2px;border-left-style:solid;border-left-color:rgb(16,16,255)">
<b>From: </b>"Yedidyah Bar David" <<a href="mailto:didi@redhat.com" target="_blank">didi@redhat.com</a>><br><b>To: </b>"Andrew Lau" <<a href="mailto:andrew@andrewklau.com" target="_blank">andrew@andrewklau.com</a>><br>
<b>Cc: </b>"users" <<a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a>><br><b>Sent: </b>Wednesday, January 29, 2014 9:05:06 AM<br><b>Subject: </b>Re: [Users] Hosted Engine adding host SSL Failure (w/ engine custom cert)<div>
<div><br><div><br></div><div style="font-size:12pt;font-family:'times new roman','new york',times,serif"><blockquote style="padding-left:5px;font-size:12pt;font-style:normal;margin-left:5px;font-family:Helvetica,Arial,sans-serif;text-decoration:none;font-weight:normal;border-left-width:2px;border-left-style:solid;border-left-color:rgb(16,16,255)">
<b>From: </b>"Andrew Lau" <<a href="mailto:andrew@andrewklau.com" target="_blank">andrew@andrewklau.com</a>><br><b>To: </b>"users" <<a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a>><br>
<b>Sent: </b>Wednesday, January 29, 2014 8:38:33 AM<br><b>Subject: </b>[Users] Hosted Engine adding host SSL Failure (w/ engine custom cert)<br><div><br></div><div dir="ltr"><div style="font-family:tahoma,sans-serif">
Hi,</div><div style="font-family:tahoma,sans-serif"><br></div><div style="font-family:tahoma,sans-serif">
After running through the new patch posted in BZ 1055153 I'm adding a second host to the hosted-engine cluster but it seems to fail right before the finish:</div><div style="font-family:tahoma,sans-serif"><br></div><div>
<div><span style="font-family:tahoma,sans-serif">[ ERROR ] Failed to execute stage 'Closing up': [ERROR]::oVirt API connection failure, [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed</span></div>
<div style="font-family:tahoma,sans-serif"><br></div><div style="font-family:tahoma,sans-serif">Couple Extra Notes:</div><div style="font-family:tahoma,sans-serif">Engine has a custom SSL cert but the CA has been trusted by the new host. When I temporarily return the engine's SSL back to the default generated one the install will succeed.</div>
<div style="font-family:tahoma,sans-serif"><br></div><div style="font-family:tahoma,sans-serif">Setup logs: <a href="http://www.fpaste.org/72624/13909770/" target="_blank">http://www.fpaste.org/72624/13909770/</a><br></div>
<div style="font-family:tahoma,sans-serif"><br></div><div style="font-family:tahoma,sans-serif">What confuses me is:</div><div style="font-family:tahoma,sans-serif"><br></div><div style="font-family:tahoma,sans-serif">curl <a href="https://engine.example.net" target="_blank">https://engine.example.net</a> with the custom SSL cert will succeed but with the original self-signed gives the expected "insecure" message. What criteria need to be met so the install will pass?</div>
</div></div></blockquote><div><br></div><div>Seems like a bug (or a missing feature) - hosted-engine only supports the self-signed cert. Can you please open a bug for this?</div><div><br></div><div>You might manage to make it work by replacing /etc/pki/ovirt-engine/ca.pem with the certificate of your ca, but this will prevent adding hosts (because it's needed to create a certificate for them). Perhaps other things will break too, I didn't try that.</div>
</div></div></div></blockquote><div><br></div><div>On a second thought, I don't think it will work. The engine will still sign certs for hosts with its private key, but the hosts will try to verify that with the ca.pem you put there and fail.</div>
<span><font color="#888888"><div><span style="font-size:12pt">-- </span></div><div><span name="x"></span>Didi<span name="x"></span><br></div><div><br></div></font></span></div></div></blockquote></div><br></div>
</div>