On Wed, May 10, 2017 at 9:13 AM, Juan Hernández <jhernand@redhat.com> wrote:
On 05/10/2017 09:07 AM, Yaniv Kaul wrote:
>
>
> On Wed, May 10, 2017 at 9:35 AM, Martin Perina <mperina@redhat.com> wrote:
>
>     Does this mean that we need to create a new CA for all existing oVirt
>     installations which are not using a custom HTTPS certificate signed by
>     an external CA?
>
>
> No, just a new certificate for Engine, I believe.
> Y.
>

Probably not even for the engine, but just for the web server.

@Sandro/@Didi: do we have some documentation on how to create a new engine HTTPS certificate signed by the oVirt internal CA with subjectAltName properly set?


>
>     On Sun, May 7, 2017 at 7:37 PM, Nir Soffer <nsoffer@redhat.com> wrote:
>
>         On Sun, May 7, 2017 at 8:27 PM Dan Kenigsberg <danken@redhat.com> wrote:
>
>             On Sun, May 7, 2017 at 8:22 PM, Nir Soffer <nsoffer@redhat.com> wrote:
>             > I imported the certificate from my engine into Chrome[1], but Chrome
>             > refuses to use it because:
>             >
>             >     This server could not prove that it is ...; its security
>             >     certificate is from [missing_subjectAltName].
>             >
>             > The same certificate used to work 2 weeks ago; it looks like the new
>             > Chrome version changed the rules.
>             >
>             > Without importing the engine CA, there is no way to upload images
>             > via engine.
>             >
>             > Tested on engine 4.1.1 and 4.1.2 on CentOS 7.3.
>             >
>             > Is this a known issue?
>             >
>             > [1] from
>             > http://<engine_url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
>             >
>             > Nir
>
>             https://gerrit.ovirt.org/#/c/74614/
>
>             "This patch is not yet working, but can be used for discussion."
>
>
>         Thanks!
>
>         Do you know how to manually fix engine certificates until we
>         have a working patch?
>
>         Nir
>
>         _______________________________________________
>         Devel mailing list
>         Devel@ovirt.org <mailto:Devel@ovirt.org>
>         http://lists.ovirt.org/mailman/listinfo/devel
>         <http://lists.ovirt.org/mailman/listinfo/devel>
>
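
The rule behind the `missing_subjectAltName` error in this thread, as an added example that is not part of the original messages or oVirt's code: a certificate is accepted for a host only if a subjectAltName DNS entry covers it, whatever the CN says. The host name `engine.example.test`, the function names and the throwaway self-signed certificates are constructed for illustration and do not use the oVirt internal CA.

```sh
#!/bin/sh
HOST=engine.example.test   # constructed sample name, not from the thread

# Print the DNS entries of a PEM certificate's subjectAltName, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n +2 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed only if a DNS SAN covers host $2. The subject CN is ignored on
# purpose: a CN-only certificate fails here, as in the Chrome error above.
cert_covers_host() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while IFS= read -r san; do
        san=$(printf '%s' "$san" | tr 'A-Z' 'a-z')
        [ "$san" = "$host" ] && return 0
        case "$san" in   # a leading "*." stands for exactly one host label
            '*.'*) [ "$host" != "${host#*.}" ] &&
                   [ "${host#*.}" = "${san#??}" ] && return 0 ;;
        esac
    done <<EOF
$(san_dns_names "$1")
EOF
    return 1
}

# Write a throwaway self-signed certificate to $1.pem with CN $2 and, if
# given, subjectAltName $3 (a stand-in for a CA-issued one).
make_sample_cert() {
    {
        printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ext\n'
        printf '[dn]\nCN=%s\n[ext]\nbasicConstraints=CA:FALSE\n' "$2"
        if [ -n "${3:-}" ]; then printf 'subjectAltName=%s\n' "$3"; fi
    } > "$1.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Demo on two constructed certificates: CN only, then CN plus SAN.
tmp=$(mktemp -d)
make_sample_cert "$tmp/cn-only" "$HOST"
make_sample_cert "$tmp/with-san" "$HOST" "DNS:$HOST"
for c in cn-only with-san; do
    if cert_covers_host "$tmp/$c.pem" "$HOST"
    then echo "$c: SAN covers $HOST"
    else echo "$c: rejected, no SAN entry for $HOST"; fi
done
rm -rf "$tmp"
```

To check a deployed certificate, pass its PEM file and the host name typed into the browser to `cert_covers_host`.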