<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 31, 2015 at 6:08 PM, Alon Bar-Lev <span dir="ltr"><<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
----- Original Message -----<br>
> From: "Baptiste Agasse" <<a href="mailto:baptiste.agasse@lyra-network.com">baptiste.agasse@lyra-network.com</a>><br>
> To: "users" <<a href="mailto:users@ovirt.org">users@ovirt.org</a>><br>
> Sent: Monday, August 31, 2015 6:54:28 PM<br>
> Subject: [ovirt-users] ovirt 3.5 engine web certificate<br>
><br>
> Hi all,<br>
><br>
> I've followed the procedure to replace self signed certificate to one issued<br>
> by our internal PKI to avoid security failure when users access to the webui<br>
> (<a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https" rel="noreferrer" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https</a>).<br>
> The connection to the webui now works fine without any security warning (the<br>
> internal PKI CA is in the trusted CA of our clients OS). But on the other<br>
> hand, i've some troubles:<br>
><br>
> * I've to specify the --ca-file option for ovirt-shell and<br>
> engine-iso-uploader (i didn't test the engine-image-upload command), it will<br>
> be nice if the documentation provide a way to replace this by default (or<br>
> use the trusted ca store of the OS ?). This is not a bug just some feedback<br>
> on the certificate change procedure that don't cover these side effects.<br>
<br>
</span>This is [1], probably you want to modify the configuration files of these tools at /etc so you will have proper defaults.<br>
<br>
[1] <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1146710" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1146710</a><br>
<span class=""><br>
> * I can't add new ovirt-node anymore.<br>
<br>
</span>If ovirt-node was added using previous certificate it "Remembers" that certificate.<br>
You can remove it from /etc/pki/vdsm/engine_web_ca.pem and try to register again.<br>
<br>
> * The ovirt-hosted-engine --deploy fails<br>
<span class="">> on new nodes with an SSL error. To workaround this i've to modify the file<br>
> "/usr/lib/python2.7/site-packages/ovirtsdk/web/connection.py" around line<br>
> 233 to make an insecure connection to the engine and add the new node. I<br>
> didn't have tested to add a new node from the ovirt engine cli/webui but i<br>
> think it will be the same issue because the error occurs on the vdsm<br>
> activation that is common to the 'new hosted engine node' and 'new node'<br>
> deployment. I've seen <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1059952" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1059952</a><br>
> but the workaround noted in the comment #8 didn't work for me.<br>
<br>
</span>CC sandro for this.<br></blockquote><div><br></div><div>Can you please share full sos report?</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb"><div class="h5"><br>
><br>
> Someone have more info on this issue or have the same problem ?<br>
><br>
> This deployment is on ovirt 3.5.3, CentOS 7 (engine and nodes).<br>
><br>
> Have a nice day.<br>
><br>
> Regards.<br>
><br>
> --<br>
> Baptiste<br>
> _______________________________________________<br>
> Users mailing list<br>
> <a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
> <a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr">Sandro Bonazzola<br>Better technology. Faster innovation. Powered by community collaboration.<br>See how it works at <a href="http://redhat.com" target="_blank">redhat.com</a><br></div></div></div></div>
</div></div>