<div dir="ltr"><div>Since you replaced ca.pem, you need to replace the private key of ca.pem as well.<br><br></div>Please copy the private key of /etc/pki/ovirt-engine/ca.pem to /etc/pki/ovirt-engine/private/ca.pem and let me know if everything works.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 27, 2016 at 2:47 PM, Kenneth Bingham <span dir="ltr"><<a href="mailto:w@qrk.us" target="_blank">w@qrk.us</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div>Thanks Ravi, that's helpful and I appreciate the precision and attention to detail. I performed similar steps to install a custom certificate for the oVirt Manager GUI. But what about configuring ovirt-engine to trust a certificate issued by the same CA and presented by the VDSM host? On the hypervisor host, I used the existing private key to generate the CSR, issued the server certificate, and installed it in three locations before bouncing vdsmd.</div><div><br></div><div>On the hypervisor Host server (not the Manager/engine server):</div><div>/etc/pki/vdsm/certs/vdsmcert.pem</div><div>/etc/pki/vdsm/libvirt-spice/server-cert.pem</div><div>/etc/pki/libvirt/clientcert.pem</div><div><br></div><div>Now, that host is "non responsive" in Manager because ovirt-engine does not trust the new certificate, even though I already performed all of the steps that you describe above, except that I installed the issuer's CA certificate as the trusted entity. 
I've documented all of the steps I took <a href="https://gist.github.com/qrkourier/9c9ac3e8b190dcb91d3767179d5a39ea" target="_blank">in this Gist</a>.</div><div><br></div><div><br></div></div><div class="HOEnZb"><div class="h5"><br><div class="gmail_quote"><div dir="ltr">On Thu, Oct 27, 2016 at 2:12 PM Ravi Nori <<a href="mailto:rnori@redhat.com" target="_blank">rnori@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="m_-980879755636344940gmail_msg"><div class="m_-980879755636344940gmail_msg">Here is a complete set of instructions that works for me.<br class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg"></div><div class="m_-980879755636344940gmail_msg">You can skip the first few steps of generating the certificate.<br class="m_-980879755636344940gmail_msg"></div><div class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg"></div>Ravi<br class="m_-980879755636344940gmail_msg"><div class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg">
Generate a self-signed certificate using openssl<br class="m_-980879755636344940gmail_msg">
======================================<br class="m_-980879755636344940gmail_msg">
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.pem<br class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg">
Convert a PEM certificate file and a private key to PKCS#12 (.p12)<br class="m_-980879755636344940gmail_msg">
=====================================================<br class="m_-980879755636344940gmail_msg">
openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.pem<br class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg">
Extract the key from the bundle<br class="m_-980879755636344940gmail_msg">
=========================<br class="m_-980879755636344940gmail_msg">
openssl pkcs12 -in certificate.p12 -nocerts -nodes > apache.key.nopass<br class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg">
Extract the certificate from the bundle<br class="m_-980879755636344940gmail_msg">
==============================<br class="m_-980879755636344940gmail_msg">
openssl pkcs12 -in certificate.p12 -nokeys > apache.cer<br class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg">
Create a new Keystore for testing<br class="m_-980879755636344940gmail_msg">
==========================<br class="m_-980879755636344940gmail_msg">
keytool -keystore clientkeystore -genkey -alias client<br class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg">
Convert .pem to .der<br class="m_-980879755636344940gmail_msg">
================<br class="m_-980879755636344940gmail_msg">
openssl x509 -outform der -in certificate.pem -out certificate.der<br class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg">
Import certificates to keystore<br class="m_-980879755636344940gmail_msg">
=======================<br class="m_-980879755636344940gmail_msg">
keytool -import -alias apache -keystore ./clientkeystore -file ./certificate.der<br class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg">
Create Custom conf for ovirt<br class="m_-980879755636344940gmail_msg">
======================<br class="m_-980879755636344940gmail_msg">
vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf<br class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg">
Set location of truststore and its password<br class="m_-980879755636344940gmail_msg">
=================================<br class="m_-980879755636344940gmail_msg">
ENGINE_HTTPS_PKI_TRUST_STORE="/home/rnori/Downloads/Cert/clientkeystore"<br class="m_-980879755636344940gmail_msg">
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="123456"<br class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg">
Copy the custom certificates<br class="m_-980879755636344940gmail_msg">
======================<br class="m_-980879755636344940gmail_msg">
rm /etc/pki/ovirt-engine/apache-ca.pem<br class="m_-980879755636344940gmail_msg">
cp certificate.pem /etc/pki/ovirt-engine/apache-ca.pem<br class="m_-980879755636344940gmail_msg">
cp certificate.p12 /etc/pki/ovirt-engine/keys/apache.p12<br class="m_-980879755636344940gmail_msg">
cp apache.cer /etc/pki/ovirt-engine/certs/apache.cer<br class="m_-980879755636344940gmail_msg">
cp apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass<br class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg">
Restart engine and httpd<br class="m_-980879755636344940gmail_msg">
===================<br class="m_-980879755636344940gmail_msg">
service httpd restart<br class="m_-980879755636344940gmail_msg">
service ovirt-engine restart<br class="m_-980879755636344940gmail_msg"></div></div><div class="gmail_extra m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg"><div class="gmail_quote m_-980879755636344940gmail_msg">On Thu, Oct 27, 2016 at 5:30 AM, Nicolas Ecarnot <span dir="ltr" class="m_-980879755636344940gmail_msg"><<a href="mailto:nicolas@ecarnot.net" class="m_-980879755636344940gmail_msg" target="_blank">nicolas@ecarnot.net</a>></span> wrote:<br class="m_-980879755636344940gmail_msg"><blockquote class="gmail_quote m_-980879755636344940gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="m_-980879755636344940gmail_msg">On 27/10/2016 at 00:14, Kenneth Bingham wrote:<br class="m_-980879755636344940gmail_msg">
<blockquote class="gmail_quote m_-980879755636344940gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I did install a server certificate from a private CA on the engine<br class="m_-980879755636344940gmail_msg">
server for the oVirt 4 Manager GUI, but haven't figured out how to<br class="m_-980879755636344940gmail_msg">
configure engine to trust the same CA which also issued the server<br class="m_-980879755636344940gmail_msg">
certificate presented by vdsm. This is important for us because this is<br class="m_-980879755636344940gmail_msg">
the same server certificate presented by the host when using the console<br class="m_-980879755636344940gmail_msg">
(e.g. websocket console fails silently if the user agent doesn't trust<br class="m_-980879755636344940gmail_msg">
the console server's certificate).<br class="m_-980879755636344940gmail_msg">
</blockquote>
<br class="m_-980879755636344940gmail_msg"></span>
Hello,<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
Maybe a related bug: on oVirt 4, I followed the same procedure below to install a custom CA, with *SUCCESS*.<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
Today, I had to reinstall one of the hosts, and it is failing with:<br class="m_-980879755636344940gmail_msg">
"CA certificate and CA private key do not match":<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
<a href="http://pastebin.com/9JS05JtJ" rel="noreferrer" class="m_-980879755636344940gmail_msg" target="_blank">http://pastebin.com/9JS05JtJ</a><br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
Which certificate did we (Kenneth and I) misuse?<br class="m_-980879755636344940gmail_msg">
What did we do wrong?<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
Regards,<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
Nicolas ECARNOT<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
<blockquote class="gmail_quote m_-980879755636344940gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
On Wed, Oct 26, 2016, 16:58 Beckman, Daniel<br class="m_-980879755636344940gmail_msg">
<<a href="mailto:Daniel.Beckman@ingramcontent.com" class="m_-980879755636344940gmail_msg" target="_blank">Daniel.Beckman@ingramcontent.com</a>> wrote:<br class="m_-980879755636344940gmail_msg"></span><span class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
We have oVirt 3.6.7 and I am preparing to upgrade to the 4.0.4 release.<br class="m_-980879755636344940gmail_msg">
I read the release notes (<a href="https://www.ovirt.org/release/4.0.4/" rel="noreferrer" class="m_-980879755636344940gmail_msg" target="_blank">https://www.ovirt.org/release/4.0.4/</a>) and<br class="m_-980879755636344940gmail_msg"></span>
noted comment #4 under “Install / Upgrade from previous version”:<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
/If you are using HTTPS certificate signed by custom certificate<span class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg">
authority, please take a look at <a href="https://bugzilla.redhat.com/1336838" rel="noreferrer" class="m_-980879755636344940gmail_msg" target="_blank">https://bugzilla.redhat.com/1336838</a><br class="m_-980879755636344940gmail_msg">
for steps which need to be done after migration to 4.0. Also please<br class="m_-980879755636344940gmail_msg">
consult <a href="https://bugzilla.redhat.com/1313379" rel="noreferrer" class="m_-980879755636344940gmail_msg" target="_blank">https://bugzilla.redhat.com/1313379</a> how to setup this custom<br class="m_-980879755636344940gmail_msg"></span>
CA for use with virt-viewer clients./<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
<span class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg">
So I referred to the first bugzilla<br class="m_-980879755636344940gmail_msg">
(<a href="https://bugzilla.redhat.com/show_bug.cgi?id=1336838" rel="noreferrer" class="m_-980879755636344940gmail_msg" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1336838</a>), where it<br class="m_-980879755636344940gmail_msg"></span>
states as follows:<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
<span class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg">
If customer wants to use custom HTTPS certificate signed by<br class="m_-980879755636344940gmail_msg"></span>
different CA, then he has to perform following steps:<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
<span class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg">
1. Install custom CA (that signed HTTPS certificate) into host wide<br class="m_-980879755636344940gmail_msg"></span>
truststore (more info can be found in update-ca-trust man page)<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
<span class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg">
2. Configure HTTPS certificate in Apache (this step is same as in<br class="m_-980879755636344940gmail_msg"></span>
previous versions)<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
<span class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg">
3. Create new configuration file (for example<br class="m_-980879755636344940gmail_msg">
/etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf) with<br class="m_-980879755636344940gmail_msg"></span>
following content:<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"<br class="m_-980879755636344940gmail_msg">
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
4. Restart ovirt-engine service<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
<span class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg">
I find it humorous that step # 1 suggests reading the “man page”<br class="m_-980879755636344940gmail_msg"></span>
which is only slightly better than suggesting to “google” it.<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
<span class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg">
Has anyone using a custom CA for their HTTPS certificate<br class="m_-980879755636344940gmail_msg">
successfully upgraded to oVirt 4? If so could you share your<br class="m_-980879755636344940gmail_msg">
detailed steps? Or can anyone point me to an actual example of this<br class="m_-980879755636344940gmail_msg">
procedure? I’m a little nervous about the upgrade if you can’t<br class="m_-980879755636344940gmail_msg"></span>
already tell.<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
Thanks,<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
Daniel<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
_______________________________________________<br class="m_-980879755636344940gmail_msg">
Users mailing list<br class="m_-980879755636344940gmail_msg">
<a href="mailto:Users@ovirt.org" class="m_-980879755636344940gmail_msg" target="_blank">Users@ovirt.org</a><br class="m_-980879755636344940gmail_msg">
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" class="m_-980879755636344940gmail_msg" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><span class="m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
</span></blockquote><span class="m_-980879755636344940m_-4789423380628271279HOEnZb m_-980879755636344940gmail_msg"><font class="m_-980879755636344940gmail_msg" color="#888888">
<br class="m_-980879755636344940gmail_msg">
<br class="m_-980879755636344940gmail_msg">
-- <br class="m_-980879755636344940gmail_msg">
Nicolas ECARNOT</font></span><div class="m_-980879755636344940m_-4789423380628271279HOEnZb m_-980879755636344940gmail_msg"><div class="m_-980879755636344940m_-4789423380628271279h5 m_-980879755636344940gmail_msg"><br class="m_-980879755636344940gmail_msg">
</div></div></blockquote></div><br class="m_-980879755636344940gmail_msg"></div>
</blockquote></div>
</div></div></blockquote></div><br></div>
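<p>The script below is an added example for readers of this thread; it is not code from the thread, from oVirt, or from any of the participants. It checks the two things the thread turns on before any service is restarted: that the CA certificate in /etc/pki/ovirt-engine/ca.pem and the private key in /etc/pki/ovirt-engine/private/ca.pem actually belong together (the condition behind the "CA certificate and CA private key do not match" failure), and that a host certificate such as vdsmcert.pem was really issued by that CA (what the engine must be able to verify for a vdsm host). The file name precheck.sh, the fixture-building function, and the idea of copying vdsmcert.pem off the hypervisor to run the check on the engine host are assumptions made for the example; only the openssl CLI is required.</p>

```shell
#!/bin/sh
# Added example (not from the thread or from oVirt): pre-flight checks to run
# before swapping a custom CA into /etc/pki/ovirt-engine. Needs only openssl.
set -u

# Return 0 when the public key embedded in certificate $1 equals the public
# key derived from private key $2, i.e. the two files belong together.
# Returns 1 on mismatch and 2 when either file cannot be parsed. Comparing
# the SubjectPublicKeyInfo PEM works for RSA and EC keys alike.
ca_key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when certificate $1 verifies against CA certificate $2.
# The output is grepped rather than trusting the exit code because old
# OpenSSL releases exited 0 from "verify" even on failure.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Run both checks in the order a failing host reinstall would hit them.
# Exit status: 0 all good, 1 CA/key mismatch, 2 host cert not issued by CA.
preflight() {
    ca_cert=$1; ca_key=$2; host_cert=$3
    if ! ca_key_matches "$ca_cert" "$ca_key"; then
        echo "MISMATCH: $ca_key is not the private key for $ca_cert" >&2
        return 1
    fi
    if ! cert_chains_to_ca "$host_cert" "$ca_cert"; then
        echo "CHAIN: $host_cert was not issued by $ca_cert" >&2
        return 2
    fi
    echo "ok: CA and key match, host certificate chains to CA"
}

# Constructed fixture so the checks can be exercised offline: a throwaway CA,
# a host certificate it issued, and a second, unrelated self-signed CA.
# Prints the directory holding ca.pem, ca.key, host.pem, host.key,
# other.key and other.pem.
make_fixture() {
    dir=$(mktemp -d)
    openssl req -x509 -sha256 -nodes -days 1 -newkey rsa:2048 -subj "/CN=example-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -new -sha256 -nodes -newkey rsa:2048 -subj "/CN=host1.example.test" \
        -keyout "$dir/host.key" -out "$dir/host.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$dir/host.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/host.pem" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" >/dev/null 2>&1
    openssl req -x509 -sha256 -days 1 -key "$dir/other.key" -subj "/CN=other-ca" \
        -out "$dir/other.pem" >/dev/null 2>&1
    echo "$dir"
}

# Usage against a real deployment (paths are the ones named in the thread;
# the host certificate is assumed to have been copied off the hypervisor):
#   sh precheck.sh /etc/pki/ovirt-engine/ca.pem \
#                  /etc/pki/ovirt-engine/private/ca.pem \
#                  ./vdsmcert.pem
if [ "$#" -eq 3 ]; then
    preflight "$1" "$2" "$3"
fi
```

<p>If preflight passes and a host is still non responsive, the remaining thing to look at is the truststore the engine itself reads; this script inspects only the PEM files, not any Java keystore.</p>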