On Fri, Oct 4, 2019 at 3:34 PM Evgheni Dereveanchin (oVirt JIRA)
<jira(a)ovirt-jira.atlassian.net> wrote:
[ https://ovirt-jira.atlassian.net/browse/OVIRT-2809?page=com.atlassian.jir... ]
Evgheni Dereveanchin edited comment on OVIRT-2809 at 10/4/19 12:33 PM:
-----------------------------------------------------------------------
The error in engine.log seems to point to a certificate mismatch when engine connects to
the proxy:

    2019-10-04 05:37:45,533-04 ERROR
    [org.ovirt.engine.core.bll.storage.disk.image.TransferDiskImageCommand]
    (EE-ManagedThreadFactory-engineScheduled-Thread-48)
    [b643d084-99fb-4105-86c9-1e87b60349b6] Failed to add image ticket to ovirt-imageio-proxy:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path
    building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to
    find valid certification path to requested target

The following software versions are currently installed:

    ovirt-engine-4.3.5.4-1.el7.noarch
    ovirt-imageio-proxy-1.5.1-0.el7.noarch

/etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf contains the standard values:

    use_ssl = true
    ssl_key_file = /etc/pki/ovirt-engine/keys/imageio-proxy.key.nopass
    ssl_cert_file = /etc/pki/ovirt-engine/certs/imageio-proxy.cer
    engine_cert_file = /etc/pki/ovirt-engine/certs/engine.cer
    engine_ca_cert_file = /etc/pki/ovirt-engine/ca.pem
    verify_certificate = true

On engine side, /etc/ovirt-engine/engine.conf.d/10-setup-pki.conf also looks standard:

    ENGINE_PKI="/etc/pki/ovirt-engine"
    ENGINE_PKI_CA="/etc/pki/ovirt-engine/ca.pem"
    ENGINE_PKI_ENGINE_CERT="/etc/pki/ovirt-engine/certs/engine.cer"
    ENGINE_PKI_TRUST_STORE="/etc/pki/ovirt-engine/.truststore"
    ENGINE_PKI_ENGINE_STORE="/etc/pki/ovirt-engine/keys/engine.p12"

I also see that /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf has the
following override:

    ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"

We use Let’s Encrypt on the Apache front-end and this may be the reason as this step is
described in the docs:

https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/...

I did have a certificate mismatch on the proxy itself so configuring ssl_key_file and
ssl_cert_file values according to the docs may help in this situation.

Indeed.
Or try to upgrade to 4.3.6, engine-setup should do that for you:
https://bugzilla.redhat.com/show_bug.cgi?id=1637809
Please ping me if needed.
Good luck and best regards,
> imageio not working in PHX
> --------------------------
>
> Key: OVIRT-2809
> URL: https://ovirt-jira.atlassian.net/browse/OVIRT-2809
> Project: oVirt - virtualization made easy
> Issue Type: Bug
> Reporter: Evgheni Dereveanchin
> Assignee: infra
>
> I tried to import an image into the PHX oVirt instance and this fails with a
> "paused by system" message in UI. Logging a ticket to see if it's a bug in
> oVirt or a misconfiguration in our particular deployment
--
Didi
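
The thread raises two separate conditions: a trust store that does not contain the CA that issued the proxy certificate, and a proxy key that does not match its certificate. The script below is an added example, not part of the original messages or of oVirt; it tells the two apart with openssl, using throwaway PEM files it generates itself as stand-ins for the paths quoted in the thread (function names and the demo hostname are assumptions).

```bash
#!/usr/bin/env bash
# Added example: constructed PEM files stand in for the paths in the thread.
# A Java keystore such as /etc/pki/java/cacerts must be exported to PEM first.

# chain_ok CERT CA_BUNDLE: succeeds only if CERT chains to a CA in CA_BUNDLE.
# -no-CApath stops openssl from also consulting the system default CA directory.
chain_ok() {
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: succeeds if the private key belongs to the certificate.
key_matches_cert() {
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# diagnose CERT KEY CA_BUNDLE: prints ok, key-mismatch or untrusted-issuer.
diagnose() {
    if ! key_matches_cert "$2" "$1"; then echo key-mismatch
    elif ! chain_ok "$1" "$3"; then echo untrusted-issuer  # Java: "PKIX path building failed"
    else echo ok
    fi
}

# make_demo_pki DIR: build constructed sample data (throwaway keys, 1-day validity).
make_demo_pki() {
    local d=$1
    # Internal CA, stand-in for engine_ca_cert_file (ca.pem).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo internal CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    # Unrelated CA, stand-in for a public bundle that lacks the internal CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo public CA" \
        -keyout "$d/pub.key" -out "$d/public.pem" 2>/dev/null
    # Proxy key and certificate, signed by the internal CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=proxy.example.test" \
        -keyout "$d/proxy.key" -out "$d/proxy.csr" 2>/dev/null
    openssl x509 -req -in "$d/proxy.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/proxy.cer" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
echo "internal CA bundle: $(diagnose "$demo_dir/proxy.cer" "$demo_dir/proxy.key" "$demo_dir/ca.pem")"
echo "public-only bundle: $(diagnose "$demo_dir/proxy.cer" "$demo_dir/proxy.key" "$demo_dir/public.pem")"
echo "wrong private key:  $(diagnose "$demo_dir/proxy.cer" "$demo_dir/pub.key" "$demo_dir/ca.pem")"
rm -rf "$demo_dir"
```

On a real host the same `diagnose` call takes the configured `ssl_cert_file`, `ssl_key_file` and a PEM export of whichever trust store the client side actually uses.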