<p dir="ltr">I did install a server certificate from a private CA on the engine server for the oVirt 4 Manager GUI, but haven't figured out how to configure engine to trust the same CA which also issued the server certificate presented by vdsm. This is important for us because this is the same server certificate presented by the host when using the console (e.g. websocket console fails silently if the user agent doesn't trust the console server's certificate).</p>
<br><div class="gmail_quote"><div dir="ltr">On Wed, Oct 26, 2016, 16:58 Beckman, Daniel &lt;<a href="mailto:Daniel.Beckman@ingramcontent.com">Daniel.Beckman@ingramcontent.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72" class="gmail_msg">
<div class="m_-5572924584366181038WordSection1 gmail_msg">
<p class="MsoNormal gmail_msg"><span style="font-size:11.0pt" class="gmail_msg">We have oVirt 3.6.7 and I am preparing to upgrade to the 4.0.4 release. I read the release notes (<a href="https://www.ovirt.org/release/4.0.4/" class="gmail_msg" target="_blank">https://www.ovirt.org/release/4.0.4/</a>) and noted comment #4 under “Install / Upgrade from previous version”:</span></p>
<p class="MsoNormal gmail_msg"><i class="gmail_msg"><span style="font-size:11.0pt" class="gmail_msg">If you are using HTTPS certificate signed by custom certificate authority, please take a look at <a href="https://bugzilla.redhat.com/1336838" class="gmail_msg" target="_blank">https://bugzilla.redhat.com/1336838</a> for steps which need to be done after migration to 4.0. Also please consult <a href="https://bugzilla.redhat.com/1313379" class="gmail_msg" target="_blank">https://bugzilla.redhat.com/1313379</a> how to set up this custom CA for use with virt-viewer clients.</span></i></p>
<p class="MsoNormal gmail_msg"><span style="font-size:11.0pt" class="gmail_msg">So I referred to the first bugzilla (<a href="https://bugzilla.redhat.com/show_bug.cgi?id=1336838" class="gmail_msg" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1336838</a>), where it states as follows:</span></p>
<p class="MsoNormal gmail_msg"><span style="font-size:11.0pt" class="gmail_msg">If customer wants to use custom HTTPS certificate signed by different CA, then he has to perform following steps:</span></p>
<p class="MsoNormal gmail_msg"><span style="font-size:11.0pt" class="gmail_msg">1. Install custom CA (that signed HTTPS certificate) into host wide truststore (more info can be found in update-ca-trust man page)</span></p>
<p class="MsoNormal gmail_msg"><span style="font-size:11.0pt" class="gmail_msg">2. Configure HTTPS certificate in Apache (this step is same as in previous versions)</span></p>
<p class="MsoNormal gmail_msg"><span style="font-size:11.0pt" class="gmail_msg">3. Create new configuration file (for example /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf) with following content:</span></p>
<p class="MsoNormal gmail_msg"><span style="font-size:11.0pt" class="gmail_msg">ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"<br>
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""</span></p>
<p class="MsoNormal gmail_msg"><span style="font-size:11.0pt" class="gmail_msg">4. Restart ovirt-engine service</span></p>
<p class="MsoNormal gmail_msg"><span style="font-size:11.0pt" class="gmail_msg">I find it humorous that step #1 suggests reading the “man page” which is only slightly better than suggesting to “google” it.</span></p>
<p class="MsoNormal gmail_msg"><span style="font-size:11.0pt" class="gmail_msg">Has anyone using a custom CA for their HTTPS certificate successfully upgraded to oVirt 4? If so could you share your detailed steps? Or can anyone point me to an actual example of this procedure? I’m a little nervous about the upgrade if you can’t already tell.</span></p>
<p class="MsoNormal gmail_msg"><span style="font-size:11.0pt" class="gmail_msg">Thanks,</span></p>
<p class="MsoNormal gmail_msg"><span style="font-size:11.0pt" class="gmail_msg">Daniel</span></p>
</div>
</div>
</blockquote></div>
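Steps 1, 3 and 4 of the quoted procedure as a script, added here as an example; it is not from either poster or from the oVirt project. It assumes an EL-family engine host where `update-ca-trust` reads anchors from `/etc/pki/ca-trust/source/anchors`; the function names and the `apply` argument are hypothetical. Step 2 (Apache) and trust for the vdsm certificate are not covered.

```shell
#!/bin/sh
# Added example: steps 1, 3 and 4 of the quoted procedure, run as root on the engine host.
set -eu

ANCHORS=/etc/pki/ca-trust/source/anchors   # anchor directory per update-ca-trust(8)
CONF_DIR=/etc/ovirt-engine/engine.conf.d   # directory named in the quoted step 3

# Step 1: add the private CA to the host-wide trust store.
install_ca() {
    ca_pem=$1
    # Refuse input that does not parse as X.509 or is not marked as a CA.
    openssl x509 -in "$ca_pem" -noout -text | grep -q 'CA:TRUE' || {
        echo "$ca_pem is not a CA certificate" >&2
        return 1
    }
    install -m 0644 "$ca_pem" "$ANCHORS/$(basename "$ca_pem")"
    # Rebuild the extracted bundles, including the Java store used in step 3.
    update-ca-trust extract
}

# Step 3: write the truststore override with the two settings from the quoted steps.
# The optional argument lets the file be written somewhere else for a dry run.
write_truststore_conf() {
    dir=${1:-$CONF_DIR}
    cat >"$dir/99-custom-truststore.conf" <<'EOF'
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
EOF
    chmod 0644 "$dir/99-custom-truststore.conf"
}

# Only touch the system when called as: script apply /path/to/ca.pem
if [ "${1:-}" = "apply" ]; then
    ca=${2:?usage: $0 apply /path/to/ca.pem}
    install_ca "$ca"
    write_truststore_conf
    systemctl restart ovirt-engine         # step 4
fi
```
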