<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div>Hi,<br></div><div><br></div><div><span id="zwchr" data-marker="__DIVIDER__">----- On 1 Sep 15, at 9:43, Sandro Bonazzola &lt;sbonazzo@redhat.com&gt; wrote:<br></span></div><div data-marker="__QUOTED_TEXT__"><blockquote style="border-left: 2px solid #1010FF; margin-left: 5px; padding-left: 5px; color: #000; font-weight: normal; font-style: normal; text-decoration: none; font-family: Helvetica,Arial,sans-serif; font-size: 12pt;" data-mce-style="border-left: 2px solid #1010FF; margin-left: 5px; padding-left: 5px; color: #000; font-weight: normal; font-style: normal; text-decoration: none; font-family: Helvetica,Arial,sans-serif; font-size: 12pt;"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 31, 2015 at 6:08 PM, Alon Bar-Lev <span dir="ltr"><<a href="mailto:alonbl@redhat.com" target="_blank" data-mce-href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0 0 0 .8ex; border-left: 1px #ccc solid; padding-left: 1ex;" data-mce-style="margin: 0 0 0 .8ex; border-left: 1px #ccc solid; padding-left: 1ex;"><span class=""><br> <br> ----- Original Message -----<br> > From: "Baptiste Agasse" <<a href="mailto:baptiste.agasse@lyra-network.com" target="_blank" data-mce-href="mailto:baptiste.agasse@lyra-network.com">baptiste.agasse@lyra-network.com</a>><br> > To: "users" <<a href="mailto:users@ovirt.org" target="_blank" data-mce-href="mailto:users@ovirt.org">users@ovirt.org</a>><br> > Sent: Monday, August 31, 2015 6:54:28 PM<br> > Subject: [ovirt-users] ovirt 3.5 engine web certificate<br> ><br> > Hi all,<br> ><br> > I've followed the procedure to replace the self-signed certificate with one issued<br> > by our internal PKI to avoid security failure when users access the webui<br> > (<a 
href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https" rel="noreferrer" target="_blank" data-mce-href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https</a>).<br> > The connection to the webui now works fine without any security warning (the<br> > internal PKI CA is in the trusted CA of our clients' OS). But on the other<br> > hand, I've some troubles:<br> ><br> > * I've to specify the --ca-file option for ovirt-shell and<br> > engine-iso-uploader (I didn't test the engine-image-upload command), it would<br> > be nice if the documentation provided a way to replace this by default (or<br> > use the trusted CA store of the OS?). 
This is not a bug, just some feedback<br> > on the certificate change procedure that doesn't cover these side effects.<br> <br> </span>This is [1], probably you want to modify the configuration files of these tools at /etc so you will have proper defaults.<br><br> [1] <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1146710" rel="noreferrer" target="_blank" data-mce-href="https://bugzilla.redhat.com/show_bug.cgi?id=1146710">https://bugzilla.redhat.com/show_bug.cgi?id=1146710</a><br data-mce-bogus="1"></blockquote></div></div></div></blockquote><div><br></div><div>Thank you for this link.<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><blockquote style="border-left: 2px solid #1010FF; margin-left: 5px; padding-left: 5px; color: #000; font-weight: normal; font-style: normal; text-decoration: none; font-family: Helvetica,Arial,sans-serif; font-size: 12pt;" data-mce-style="border-left: 2px solid #1010FF; margin-left: 5px; padding-left: 5px; color: #000; font-weight: normal; font-style: normal; text-decoration: none; font-family: Helvetica,Arial,sans-serif; font-size: 12pt;"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin: 0 0 0 .8ex; border-left: 1px #ccc solid; padding-left: 1ex;" data-mce-style="margin: 0 0 0 .8ex; border-left: 1px #ccc solid; padding-left: 1ex;"><span class=""><br> > * I can't add new ovirt-node anymore.<br> <br> </span>If ovirt-node was added using previous certificate it "Remembers" that certificate.<br> You can remove it from /etc/pki/vdsm/engine_web_ca.pem and try to register again.<br><br> > * The ovirt-hosted-engine --deploy fails<br><span class="">> on new nodes with an SSL error. To work around this I've to modify the file<br> > "/usr/lib/python2.7/site-packages/ovirtsdk/web/connection.py" around line<br> > 233 to make an insecure connection to the engine and add the new node. 
I<br> > haven't tested adding a new node from the ovirt engine cli/webui but I<br> > think it will be the same issue because the error occurs on the vdsm<br> > activation that is common to the 'new hosted engine node' and 'new node'<br> > deployment. I've seen <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1059952" rel="noreferrer" target="_blank" data-mce-href="https://bugzilla.redhat.com/show_bug.cgi?id=1059952">https://bugzilla.redhat.com/show_bug.cgi?id=1059952</a><br> > but the workaround noted in comment #8 didn't work for me.<br> <br> </span>CC sandro for this.<br></blockquote><br><div>Can you please share full sos report?</div></div></div></div></blockquote><div><br></div><div>The report is a little bit big (about 57MB) to be sent by mail, do you have any procedure I can use to send it to you?<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><blockquote style="border-left: 2px solid #1010FF; margin-left: 5px; padding-left: 5px; color: #000; font-weight: normal; font-style: normal; text-decoration: none; font-family: Helvetica,Arial,sans-serif; font-size: 12pt;" data-mce-style="border-left: 2px solid #1010FF; margin-left: 5px; padding-left: 5px; color: #000; font-weight: normal; font-style: normal; text-decoration: none; font-family: Helvetica,Arial,sans-serif; font-size: 12pt;"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin: 0 0 0 .8ex; border-left: 1px #ccc solid; padding-left: 1ex;" data-mce-style="margin: 0 0 0 .8ex; border-left: 1px #ccc solid; padding-left: 1ex;"><div class="HOEnZb"><div class="h5"><br> ><br> > Does someone have more info on this issue or have the same problem?<br> ><br> > This deployment is on ovirt 3.5.3, CentOS 7 (engine and nodes).<br> ><br> > Have a nice day.<br> ><br> > Regards.<br> ><br> > --<br> > Baptiste<br> > _______________________________________________<br> > Users mailing list<br> > <a href="mailto:Users@ovirt.org" target="_blank" 
data-mce-href="mailto:Users@ovirt.org">Users@ovirt.org</a><br> > <a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank" data-mce-href="http://lists.ovirt.org/mailman/listinfo/users">http://lists.ovirt.org/mailman/listinfo/users</a><br> ><br></div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr">Sandro Bonazzola<br>Better technology. Faster innovation. Powered by community collaboration.<br>See how it works at <a href="http://redhat.com" target="_blank" data-mce-href="http://redhat.com">redhat.com</a><br></div></div></div></div></div></div><br></blockquote></div><div><br></div><div data-marker="__SIG_POST__">-- <br></div><div>Baptiste</div></div></body></html>