<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 1, 2015 at 1:36 PM, Baptiste Agasse <span dir="ltr"><<a href="mailto:baptiste.agasse@lyra-network.com" target="_blank">baptiste.agasse@lyra-network.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="font-family:arial,helvetica,sans-serif;font-size:12pt;color:#000000"><div>Hi,<br></div><div><br></div><div><span>----- On 1 Sep 15, at 9:43, Sandro Bonazzola <<a href="mailto:sbonazzo@redhat.com" target="_blank">sbonazzo@redhat.com</a>> wrote:<br></span></div><div><span class=""><blockquote style="border-left:2px solid #1010ff;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 31, 2015 at 6:08 PM, Alon Bar-Lev <span dir="ltr"><<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span><br> <br> ----- Original Message -----<br> > From: "Baptiste Agasse" <<a href="mailto:baptiste.agasse@lyra-network.com" target="_blank">baptiste.agasse@lyra-network.com</a>><br> > To: "users" <<a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a>><br> > Sent: Monday, August 31, 2015 6:54:28 PM<br> > Subject: [ovirt-users] ovirt 3.5 engine web certificate<br> ><br> > Hi all,<br> ><br> > I've followed the procedure to replace the self-signed certificate with one issued<br> > by our internal PKI to avoid security failures when users access the webui<br> > (<a 
href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https" rel="noreferrer" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https</a>).<br> > The connection to the webui now works fine without any security warning (the<br> > internal PKI CA is in the trusted CA of our clients' OS). But on the other<br> > hand, I have some trouble:<br> ><br> > * I have to specify the --ca-file option for ovirt-shell and<br> > engine-iso-uploader (I didn't test the engine-image-upload command), it would<br> > be nice if the documentation provided a way to replace this by default (or<br> > use the trusted CA store of the OS?). 
This is not a bug, just some feedback<br> > on the certificate change procedure that doesn't cover these side effects.<br> <br> </span>This is [1], probably you want to modify the configuration files of these tools at /etc so you will have proper defaults.<br><br> [1] <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1146710" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1146710</a><br></blockquote></div></div></div></blockquote><div><br></div></span><div>Thank you for this link.<br></div><span class=""><div><br></div><blockquote style="border-left:2px solid #1010ff;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span><br> > * I can't add a new ovirt-node anymore.<br> <br> </span>If ovirt-node was added using the previous certificate it "remembers" that certificate.<br> You can remove it from /etc/pki/vdsm/engine_web_ca.pem and try to register again.<br><br> > * The ovirt-hosted-engine --deploy fails<br><span>> on new nodes with an SSL error. To work around this I have to modify the file<br> > "/usr/lib/python2.7/site-packages/ovirtsdk/web/connection.py" around line<br> > 233 to make an insecure connection to the engine and add the new node. I<br> > haven't tested adding a new node from the ovirt engine cli/webui but I<br> > think it will be the same issue because the error occurs on the vdsm<br> > activation that is common to the 'new hosted engine node' and 'new node'<br> > deployment. 
I've seen <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1059952" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1059952</a><br> > but the workaround noted in comment #8 didn't work for me.<br> <br> </span>CC Sandro for this.<br></blockquote><br><div>Can you please share the full sos report?</div></div></div></div></blockquote><div><br></div></span><div>The report is a little bit big (about 57MB) to be sent by mail; do you have any procedure I can use to send it to you?<br></div></div></div></div></blockquote><div><br></div><div><br></div><div>Can you share it on Google Drive / Dropbox or any other file sharing service?</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="font-family:arial,helvetica,sans-serif;font-size:12pt;color:#000000"><div><div></div><span class=""><div><br></div><blockquote style="border-left:2px solid #1010ff;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><br> ><br> > Does anyone have more info on this issue or have the same problem?<br> ><br> > This deployment is on ovirt 3.5.3, CentOS 7 (engine and nodes).<br> ><br> > Have a nice day.<br> ><br> > Regards.<br> ><br> > --<br> > Baptiste<br> > _______________________________________________<br> > Users mailing list<br> > <a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br> > <a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br> ><br></div></div></blockquote></div><br><br clear="all"><br>-- <br><div><div dir="ltr"><div><div dir="ltr">Sandro Bonazzola<br>Better technology. Faster innovation. 
Powered by community collaboration.<br>See how it works at <a href="http://redhat.com" target="_blank">redhat.com</a><br></div></div></div></div></div></div><br></blockquote></span></div><span class="HOEnZb"><font color="#888888"><div><br></div><div>-- <br></div><div>Baptiste</div><u></u><u></u><u></u><u></u></font></span></div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr">Sandro Bonazzola<br>Better technology. Faster innovation. Powered by community collaboration.<br>See how it works at <a href="http://redhat.com" target="_blank">redhat.com</a><br></div></div></div></div>
</div></div>