8:22 p.m.
I imported the certificate from my engine into chrome[1], but Chrome
refuses to use it because:
This server could not prove that it is ...; its security
certificate is from [missing_subjectAltName].
Same certificate used to work 2 weeks ago, looks like new Chrome
version changed the rules.
Without importing engine CA, there is no way to upload images
via engine.
Tested on engine 4.1.1 and 4.1.2 on Centos 7.3.
Is this known issue?
[1] from http://
<engine_url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
Nir
8:27 p.m.
On Sun, May 7, 2017 at 8:22 PM, Nir Soffer <nsoffer(a)redhat.com> wrote:
I imported the certificate from my engine into chrome[1], but Chrome
refuses to use it because:
This server could not prove that it is ...; its security
certificate is from [missing_subjectAltName].
Same certificate used to work 2 weeks ago, looks like new Chrome
version changed the rules.
Without importing engine CA, there is no way to upload images
via engine.
Tested on engine 4.1.1 and 4.1.2 on Centos 7.3.
Is this known issue?
[1] from
http://<engine_url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
Nir
https://gerrit.ovirt.org/#/c/74614/
"This patch is not yet working, but can be used for discussion."
8:37 p.m.
On Sun, May 7, 2017 at 8:27 PM Dan Kenigsberg <danken(a)redhat.com> wrote:
On Sun, May 7, 2017 at 8:22 PM, Nir Soffer <nsoffer(a)redhat.com>
wrote:
> I imported the certificate from my engine into chrome[1], but Chrome
> refuses to use it because:
>
> This server could not prove that it is ...; its security
> certificate is from [missing_subjectAltName].
>
> Same certificate used to work 2 weeks ago, looks like new Chrome
> version changed the rules.
>
> Without importing engine CA, there is no way to upload images
> via engine.
>
> Tested on engine 4.1.1 and 4.1.2 on Centos 7.3.
>
> Is this known issue?
>
> [1] from
> http://
<engine_url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
>
> Nir
https://gerrit.ovirt.org/#/c/74614/
"This patch is not yet working, but can be used for discussion."
Thanks!
Do you know how to manually fix engine certificates until we have a working
patch?
Nir
9:35 a.m.
Does this mean that we need to create new CA for all existing oVirt
installations which are not using custom HTTPS certificate signed by
external CA?
On Sun, May 7, 2017 at 7:37 PM, Nir Soffer <nsoffer(a)redhat.com> wrote:
On Sun, May 7, 2017 at 8:27 PM Dan Kenigsberg
<danken(a)redhat.com> wrote:
> On Sun, May 7, 2017 at 8:22 PM, Nir Soffer <nsoffer(a)redhat.com> wrote:
> > I imported the certificate from my engine into chrome[1], but Chrome
> > refuses to use it because:
> >
> > This server could not prove that it is ...; its security
> > certificate is from [missing_subjectAltName].
> >
> > Same certificate used to work 2 weeks ago, looks like new Chrome
> > version changed the rules.
> >
> > Without importing engine CA, there is no way to upload images
> > via engine.
> >
> > Tested on engine 4.1.1 and 4.1.2 on Centos 7.3.
> >
> > Is this known issue?
> >
> > [1] from
> > http://<engine_url>/ovirt-engine/services/pki-resource?
> resource=ca-certificate&format=X509-PEM-CA
> >
> > Nir
>
> https://gerrit.ovirt.org/#/c/74614/
>
> "This patch is not yet working, but can be used for discussion."
>
Thanks!
Do you know how to manually fix engine certificates until we have a working
patch?
Nir
_______________________________________________
Devel mailing list
Devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/devel
9:42 a.m.
On Wed, May 10, 2017 at 9:35 AM Martin Perina <mperina(a)redhat.com> wrote:
Does this mean that we need to create new CA for all existing oVirt
installations which are not using custom HTTPS certificate signed by
external CA?
This seems to be the case, Chrome is rejecting the old certificate.
On Sun, May 7, 2017 at 7:37 PM, Nir Soffer <nsoffer(a)redhat.com> wrote:
> On Sun, May 7, 2017 at 8:27 PM Dan Kenigsberg <danken(a)redhat.com> wrote:
>
>> On Sun, May 7, 2017 at 8:22 PM, Nir Soffer <nsoffer(a)redhat.com> wrote:
>> > I imported the certificate from my engine into chrome[1], but Chrome
>> > refuses to use it because:
>> >
>> > This server could not prove that it is ...; its security
>> > certificate is from [missing_subjectAltName].
>> >
>> > Same certificate used to work 2 weeks ago, looks like new Chrome
>> > version changed the rules.
>> >
>> > Without importing engine CA, there is no way to upload images
>> > via engine.
>> >
>> > Tested on engine 4.1.1 and 4.1.2 on Centos 7.3.
>> >
>> > Is this known issue?
>> >
>> > [1] from
>> > http://
>>
<engine_url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
>> >
>> > Nir
>>
>> https://gerrit.ovirt.org/#/c/74614/
>>
>> "This patch is not yet working, but can be used for discussion."
>>
>
> Thanks!
>
> Do you know how to manually fix engine certificates until we have a
> working
> patch?
>
> Nir
>
> _______________________________________________
> Devel mailing list
> Devel(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/devel
>
10:07 a.m.
On Wed, May 10, 2017 at 9:35 AM, Martin Perina <mperina(a)redhat.com> wrote:
Does this mean that we need to create new CA for all existing oVirt
installations which are not using custom HTTPS certificate signed by
external CA?
No, just a new certificate for Engine, I believe.
Y.
On Sun, May 7, 2017 at 7:37 PM, Nir Soffer <nsoffer(a)redhat.com>
wrote:
> On Sun, May 7, 2017 at 8:27 PM Dan Kenigsberg <danken(a)redhat.com> wrote:
>
>> On Sun, May 7, 2017 at 8:22 PM, Nir Soffer <nsoffer(a)redhat.com> wrote:
>> > I imported the certificate from my engine into chrome[1], but Chrome
>> > refuses to use it because:
>> >
>> > This server could not prove that it is ...; its security
>> > certificate is from [missing_subjectAltName].
>> >
>> > Same certificate used to work 2 weeks ago, looks like new Chrome
>> > version changed the rules.
>> >
>> > Without importing engine CA, there is no way to upload images
>> > via engine.
>> >
>> > Tested on engine 4.1.1 and 4.1.2 on Centos 7.3.
>> >
>> > Is this known issue?
>> >
>> > [1] from
>> > http://<engine_url>/ovirt-engine/services/pki-resource?resou
>> rce=ca-certificate&format=X509-PEM-CA
>> >
>> > Nir
>>
>> https://gerrit.ovirt.org/#/c/74614/
>>
>> "This patch is not yet working, but can be used for discussion."
>>
>
> Thanks!
>
> Do you know how to manually fix engine certificates until we have a
> working
> patch?
>
> Nir
>
> _______________________________________________
> Devel mailing list
> Devel(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/devel
>
_______________________________________________
Devel mailing list
Devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/devel
10:13 a.m.
On 05/10/2017 09:07 AM, Yaniv Kaul wrote:
On Wed, May 10, 2017 at 9:35 AM, Martin Perina <mperina(a)redhat.com
<mailto:mperina@redhat.com>> wrote:
Does this mean that we need to create new CA for all existing oVirt
installations which are not using custom HTTPS certificate signed by
external CA?
No, just a new certificate for Engine, I believe.
Y.
Probably not even for the engine, but just for the web server.
On Sun, May 7, 2017 at 7:37 PM, Nir Soffer <nsoffer(a)redhat.com
<mailto:nsoffer@redhat.com>> wrote:
On Sun, May 7, 2017 at 8:27 PM Dan Kenigsberg <danken(a)redhat.com
<mailto:danken@redhat.com>> wrote:
On Sun, May 7, 2017 at 8:22 PM, Nir Soffer
<nsoffer(a)redhat.com <mailto:nsoffer@redhat.com>> wrote:
> I imported the certificate from my engine into chrome[1],
but Chrome
> refuses to use it because:
>
> This server could not prove that it is ...; its security
> certificate is from [missing_subjectAltName].
>
> Same certificate used to work 2 weeks ago, looks like new
Chrome
> version changed the rules.
>
> Without importing engine CA, there is no way to upload images
> via engine.
>
> Tested on engine 4.1.1 and 4.1.2 on Centos 7.3.
>
> Is this known issue?
>
> [1] from
>
http://<engine_url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
>
> Nir
https://gerrit.ovirt.org/#/c/74614/
<https://gerrit.ovirt.org/#/c/74614/>
"This patch is not yet working, but can be used for discussion."
Thanks!
Do you know how to manually fix engine certificates until we
have a working
patch?
Nir
_______________________________________________
Devel mailing list
Devel(a)ovirt.org <mailto:Devel@ovirt.org>
http://lists.ovirt.org/mailman/listinfo/devel
<http://lists.ovirt.org/mailman/listinfo/devel>
_______________________________________________
Devel mailing list
Devel(a)ovirt.org <mailto:Devel@ovirt.org>
http://lists.ovirt.org/mailman/listinfo/devel
<http://lists.ovirt.org/mailman/listinfo/devel>
_______________________________________________
Devel mailing list
Devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/devel
2:06 p.m.
On Wed, May 10, 2017 at 9:13 AM, Juan Hernández <jhernand(a)redhat.com> wrote:
On 05/10/2017 09:07 AM, Yaniv Kaul wrote:
>
>
> On Wed, May 10, 2017 at 9:35 AM, Martin Perina <mperina(a)redhat.com
> <mailto:mperina@redhat.com>> wrote:
>
> Does this mean that we need to create new CA for all existing oVirt
> installations which are not using custom HTTPS certificate signed by
> external CA?
>
>
> No, just a new certificate for Engine, I believe.
> Y.
>
Probably not even for the engine, but just for the web server.
@Sandro/@Didi: do we
have some documentation how to create new engine HTTPS certificate signed
by oVirt internal CA with subjectAltName properly set?
>
> On Sun, May 7, 2017 at 7:37 PM, Nir Soffer <nsoffer(a)redhat.com
> <mailto:nsoffer@redhat.com>> wrote:
>
> On Sun, May 7, 2017 at 8:27 PM Dan Kenigsberg <danken(a)redhat.com
> <mailto:danken@redhat.com>> wrote:
>
> On Sun, May 7, 2017 at 8:22 PM, Nir Soffer
> <nsoffer(a)redhat.com <mailto:nsoffer@redhat.com>> wrote:
> > I imported the certificate from my engine into chrome[1],
> but Chrome
> > refuses to use it because:
> >
> > This server could not prove that it is ...; its
security
> > certificate is from [missing_subjectAltName].
> >
> > Same certificate used to work 2 weeks ago, looks like new
> Chrome
> > version changed the rules.
> >
> > Without importing engine CA, there is no way to upload
images
> > via engine.
> >
> > Tested on engine 4.1.1 and 4.1.2 on Centos 7.3.
> >
> > Is this known issue?
> >
> > [1] from
> >
> http://<engine_url>/ovirt-engine/services/pki-resource?
resource=ca-certificate&format=X509-PEM-CA
> >
> > Nir
>
> https://gerrit.ovirt.org/#/c/74614/
> <https://gerrit.ovirt.org/#/c/74614/>
>
> "This patch is not yet working, but can be used for
discussion."
>
>
> Thanks!
>
> Do you know how to manually fix engine certificates until we
> have a working
> patch?
>
> Nir
>
> _______________________________________________
> Devel mailing list
> Devel(a)ovirt.org <mailto:Devel@ovirt.org>
> http://lists.ovirt.org/mailman/listinfo/devel
> <http://lists.ovirt.org/mailman/listinfo/devel>
>
>
>
> _______________________________________________
> Devel mailing list
> Devel(a)ovirt.org <mailto:Devel@ovirt.org>
> http://lists.ovirt.org/mailman/listinfo/devel
> <http://lists.ovirt.org/mailman/listinfo/devel>
>
>
>
>
> _______________________________________________
> Devel mailing list
> Devel(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/devel
>
2:24 p.m.
On Wed, May 10, 2017 at 2:06 PM, Martin Perina <mperina(a)redhat.com> wrote:
On Wed, May 10, 2017 at 9:13 AM, Juan Hernández <jhernand(a)redhat.com> wrote:
>
> On 05/10/2017 09:07 AM, Yaniv Kaul wrote:
> >
> >
> > On Wed, May 10, 2017 at 9:35 AM, Martin Perina <mperina(a)redhat.com
> > <mailto:mperina@redhat.com>> wrote:
> >
> > Does this mean that we need to create new CA for all existing oVirt
> > installations which are not using custom HTTPS certificate signed by
> > external CA?
> >
> >
> > No, just a new certificate for Engine, I believe.
> > Y.
> >
>
> Probably not even for the engine, but just for the web server.
@Sandro/@Didi: do we
have some documentation how to create new engine HTTPS certificate signed by
oVirt internal CA with subjectAltName properly set?
I don't think so, and didn't try that myself. Adding Dominik.
The doc will likely be a(n almost?) subset of bz 1420577.
I suggest to open a bug for this, and make 1449503 depend on it.
Also it might be not-very-hard to do by engine-setup instead of doc.
Perhaps open another bug for that if you want.
>
> >
> > On Sun, May 7, 2017 at 7:37 PM, Nir Soffer <nsoffer(a)redhat.com
> > <mailto:nsoffer@redhat.com>> wrote:
> >
> > On Sun, May 7, 2017 at 8:27 PM Dan Kenigsberg <danken(a)redhat.com
> > <mailto:danken@redhat.com>> wrote:
> >
> > On Sun, May 7, 2017 at 8:22 PM, Nir Soffer
> > <nsoffer(a)redhat.com <mailto:nsoffer@redhat.com>> wrote:
> > > I imported the certificate from my engine into chrome[1],
> > but Chrome
> > > refuses to use it because:
> > >
> > > This server could not prove that it is ...; its
> > security
> > > certificate is from [missing_subjectAltName].
> > >
> > > Same certificate used to work 2 weeks ago, looks like new
> > Chrome
> > > version changed the rules.
> > >
> > > Without importing engine CA, there is no way to upload
> > images
> > > via engine.
> > >
> > > Tested on engine 4.1.1 and 4.1.2 on Centos 7.3.
> > >
> > > Is this known issue?
> > >
> > > [1] from
> > >
> >
> >
http://<engine_url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
> > >
> > > Nir
> >
> > https://gerrit.ovirt.org/#/c/74614/
> > <https://gerrit.ovirt.org/#/c/74614/>
> >
> > "This patch is not yet working, but can be used for
> > discussion."
> >
> >
> > Thanks!
> >
> > Do you know how to manually fix engine certificates until we
> > have a working
> > patch?
> >
> > Nir
> >
> > _______________________________________________
> > Devel mailing list
> > Devel(a)ovirt.org <mailto:Devel@ovirt.org>
> > http://lists.ovirt.org/mailman/listinfo/devel
> > <http://lists.ovirt.org/mailman/listinfo/devel>
> >
> >
> >
> > _______________________________________________
> > Devel mailing list
> > Devel(a)ovirt.org <mailto:Devel@ovirt.org>
> > http://lists.ovirt.org/mailman/listinfo/devel
> > <http://lists.ovirt.org/mailman/listinfo/devel>
> >
> >
> >
> >
> > _______________________________________________
> > Devel mailing list
> > Devel(a)ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/devel
> >
>
--
Didi
2753
days inactive
2756
days old
8 comments
6 participants
participants (6)
-
Dan Kenigsberg -
Juan Hernández -
Martin Perina -
Nir Soffer -
Yaniv Kaul -
Yedidyah Bar David