<div dir="ltr"><div>Here is a complete set of instructions that works for me<br><br></div><div>You can skip the first few steps of generating the certificate.<br></div><div><br></div>Ravi<br><div><br><br>Generate a self-signed certificate using openssl<br>======================================<br>openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.pem<br><br>Convert a PEM certificate file and a private key to PKCS#12 (.p12)<br>=====================================================<br>openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.pem<br><br>Extract the key from the bundle <br>=========================<br>openssl pkcs12 -in certificate.p12 -nocerts -nodes > apache.key.nopass<br><br>Extract the certificate from the bundle<br>==============================<br>openssl pkcs12 -in certificate.p12 -nokeys > apache.cer<br><br>Create a new Keystore for testing<br>==========================<br>keytool -keystore clientkeystore -genkey -alias client<br><br>Convert .pem to .der<br>================<br>openssl x509 -outform der -in certificate.pem -out certificate.der<br><br>Import certificates to keystore<br>=======================<br>keytool -import -alias apache -keystore ./clientkeystore -file ./certificate.der<br><br>Create Custom conf for ovirt<br>======================<br>vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf<br><br>Set location of truststore and its password<br>=================================<br>ENGINE_HTTPS_PKI_TRUST_STORE="/home/rnori/Downloads/Cert/clientkeystore"<br>ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="123456"<br><br>Copy the custom certificates<br>======================<br>rm /etc/pki/ovirt-engine/apache-ca.pem<br>cp certificate.pem /etc/pki/ovirt-engine/apache-ca.pem<br>cp certificate.p12 /etc/pki/ovirt-engine/keys/apache.p12<br>cp apache.cer /etc/pki/ovirt-engine/certs/apache.cer<br>cp apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass<br><br>Restart engine and httpd<br>===================<br>service httpd restart<br>service ovirt-engine restart<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 27, 2016 at 5:30 AM, Nicolas Ecarnot <span dir="ltr"><<a href="mailto:nicolas@ecarnot.net" target="_blank">nicolas@ecarnot.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">Le 27/10/2016 à 00:14, Kenneth Bingham a écrit :<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I did install a server certificate from a private CA on the engine<br>
server for the oVirt 4 Manager GUI, but haven't figured out how to<br>
configure engine to trust the same CA which also issued the server<br>
certificate presented by vdsm. This is important for us because this is<br>
the same server certificate presented by the host when using the console<br>
(e.g. websocket console falls silently if the user agent doesn't trust<br>
the console server's certificate).<br>
</blockquote>
<br></span>
Hello,<br>
<br>
Maybe related bug : on an oVirt 4, I followed the same procedure below to install a custom CA, with *SUCCESS*.<br>
<br>
Today, I had to reinstall one of the hosts, and it is failing with :<br>
"CA certificate and CA private key do not match" :<br>
<br>
<a href="http://pastebin.com/9JS05JtJ" rel="noreferrer" target="_blank">http://pastebin.com/9JS05JtJ</a><br>
<br>
Which certificate did we (Kenneth and I) did we mis-used?<br>
What did we do wrong?<br>
<br>
Regards,<br>
<br>
Nicolas ECARNOT<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
<br>
<br>
On Wed, Oct 26, 2016, 16:58 Beckman, Daniel<br>
<<a href="mailto:Daniel.Beckman@ingramcontent.com" target="_blank">Daniel.Beckman@ingramcontent.<wbr>com</a><br></span><span class="">
<mailto:<a href="mailto:Daniel.Beckman@ingramcontent.com" target="_blank">Daniel.Beckman@ingramc<wbr>ontent.com</a>>> wrote:<br>
<br>
We have oVirt 3.6.7 and I am preparing to upgrade to 4.0.4 release.<br>
I read the release notes (<a href="https://www.ovirt.org/release/4.0.4/" rel="noreferrer" target="_blank">https://www.ovirt.org/release<wbr>/4.0.4/</a>) and<br></span>
noted comment #4 under “Install / Upgrade from previous version”:____<br>
<br>
__ __<br>
<br>
/If you are using HTTPS certificate signed by custom certificate<span class=""><br>
authority, please take a look at <a href="https://bugzilla.redhat.com/1336838" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/13<wbr>36838</a><br>
for steps which need to be done after migration to 4.0. Also please<br>
consult <a href="https://bugzilla.redhat.com/1313379" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/13<wbr>13379</a> how to setup this custom<br></span>
CA for use with virt-viewer clients.____/<br>
<br>
/__ __/<span class=""><br>
<br>
So I referred to the first bugzilla<br>
(<a href="https://bugzilla.redhat.com/show_bug.cgi?id=1336838" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/s<wbr>how_bug.cgi?id=1336838</a>), where it<br></span>
states as follows:____<br>
<br>
__ __<span class=""><br>
<br>
If customer wants to use custom HTTPS certificate signed by<br></span>
different CA, then he has to perform following steps: ____<br>
<br>
__ __<span class=""><br>
<br>
1. Install custom CA (that signed HTTPS certificate) into host wide<br></span>
trustore (more info can be found in update-ca-trust man page) ____<br>
<br>
__ __<span class=""><br>
<br>
2. Configure HTTPS certificate in Apache (this step is same as in<br></span>
previous versions) ____<br>
<br>
__ __<span class=""><br>
<br>
3. Create new configuration file (for example<br>
/etc/ovirt-engine/engine.conf.<wbr>d/99-custom-truststore.conf) with<br></span>
following content: ____<br>
<br>
ENGINE_HTTPS_PKI_TRUST_STORE="<wbr>/etc/pki/java/cacerts"<br>
ENGINE_HTTPS_PKI_TRUST_STORE_P<wbr>ASSWORD="" ____<br>
<br>
__ __<br>
<br>
4. Restart ovirt-engine service____<br>
<br>
__ __<span class=""><br>
<br>
I find it humorous that step # 1 suggests reading the “man page”<br></span>
which is only slightly better than suggesting to “google” it. ____<br>
<br>
__ __<span class=""><br>
<br>
Has anyone using a custom CA for their HTTPS certificate<br>
successfully upgraded to oVirt 4? If so could you share your<br>
detailed steps? Or can anyone point me to an actual example of this<br>
procedure? I’m a little nervous about the upgrade if you can’t<br></span>
already tell. ____<br>
<br>
__ __<br>
<br>
Thanks,____<br>
<br>
Daniel____<br>
<br>
______________________________<wbr>_________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a> <mailto:<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a>><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman<wbr>/listinfo/users</a><span class=""><br>
<br>
<br>
<br>
______________________________<wbr>_________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman<wbr>/listinfo/users</a><br>
<br>
</span></blockquote><span class="HOEnZb"><font color="#888888">
<br>
<br>
-- <br>
Nicolas ECARNOT</font></span><div class="HOEnZb"><div class="h5"><br>
______________________________<wbr>_________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman<wbr>/listinfo/users</a><br>
</div></div></blockquote></div><br></div>