[JIRA] (OVIRT-2809) imageio not working in PHX

[ https://ovirt-jira.atlassian.net/browse/OVIRT-2809?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=39885#comment-39885 ]

Evgheni Dereveanchin edited comment on OVIRT-2809 at 10/4/19 12:33 PM:
-----------------------------------------------------------------------

The error in engine.log seems to point to a certificate mismatch when engine connects to the proxy:

    2019-10-04 05:37:45,533-04 ERROR [org.ovirt.engine.core.bll.storage.disk.image.TransferDiskImageCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-48) [b643d084-99fb-4105-86c9-1e87b60349b6] Failed to add image ticket to ovirt-imageio-proxy: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The following software versions are currently installed:

    ovirt-engine-4.3.5.4-1.el7.noarch
    ovirt-imageio-proxy-1.5.1-0.el7.noarch

/etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf contains the standard values:

    use_ssl = true
    ssl_key_file = /etc/pki/ovirt-engine/keys/imageio-proxy.key.nopass
    ssl_cert_file = /etc/pki/ovirt-engine/certs/imageio-proxy.cer
    engine_cert_file = /etc/pki/ovirt-engine/certs/engine.cer
    engine_ca_cert_file = /etc/pki/ovirt-engine/ca.pem
    verify_certificate = true

On engine side, /etc/ovirt-engine/engine.conf.d/10-setup-pki.conf also looks standard:

    ENGINE_PKI="/etc/pki/ovirt-engine"
    ENGINE_PKI_CA="/etc/pki/ovirt-engine/ca.pem"
    ENGINE_PKI_ENGINE_CERT="/etc/pki/ovirt-engine/certs/engine.cer"
    ENGINE_PKI_TRUST_STORE="/etc/pki/ovirt-engine/.truststore"
    ENGINE_PKI_ENGINE_STORE="/etc/pki/ovirt-engine/keys/engine.p12"

I also see that /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf has the following override:

    ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"

We use Let’s Encrypt on the Apache front-end and this may be the reason as this step is described in the docs:

https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl

I did have a certificate mismatch on the proxy itself so configuring {{ssl_key_file and ssl_cert_file}} values according to the docs may help in this situation.

imageio not working in PHX
--------------------------

Key: OVIRT-2809
URL: https://ovirt-jira.atlassian.net/browse/OVIRT-2809
Project: oVirt - virtualization made easy
Issue Type: Bug
Reporter: Evgheni Dereveanchin
Assignee: infra

I tried to import an image into the PHX oVirt instance and this fails with a "paused by system" message in UI. Logging a ticket to see if it's a bug in oVirt or a misconfiguration in our particular deployment.

-- This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100111)

On Fri, Oct 4, 2019 at 3:34 PM Evgheni Dereveanchin (oVirt JIRA) <jira@ovirt-jira.atlassian.net> wrote:
> Evgheni Dereveanchin edited comment on OVIRT-2809 at 10/4/19 12:33 PM:
> -----------------------------------------------------------------------
>
> The error in engine.log seems to point to a certificate mismatch when engine connects to the proxy:
>
>     2019-10-04 05:37:45,533-04 ERROR [org.ovirt.engine.core.bll.storage.disk.image.TransferDiskImageCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-48) [b643d084-99fb-4105-86c9-1e87b60349b6] Failed to add image ticket to ovirt-imageio-proxy: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
> The following software versions are currently installed:
>
>     ovirt-engine-4.3.5.4-1.el7.noarch
>     ovirt-imageio-proxy-1.5.1-0.el7.noarch
>
> /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf contains the standard values:
>
>     use_ssl = true
>     ssl_key_file = /etc/pki/ovirt-engine/keys/imageio-proxy.key.nopass
>     ssl_cert_file = /etc/pki/ovirt-engine/certs/imageio-proxy.cer
>     engine_cert_file = /etc/pki/ovirt-engine/certs/engine.cer
>     engine_ca_cert_file = /etc/pki/ovirt-engine/ca.pem
>     verify_certificate = true
>
> On engine side, /etc/ovirt-engine/engine.conf.d/10-setup-pki.conf also looks standard:
>
>     ENGINE_PKI="/etc/pki/ovirt-engine"
>     ENGINE_PKI_CA="/etc/pki/ovirt-engine/ca.pem"
>     ENGINE_PKI_ENGINE_CERT="/etc/pki/ovirt-engine/certs/engine.cer"
>     ENGINE_PKI_TRUST_STORE="/etc/pki/ovirt-engine/.truststore"
>     ENGINE_PKI_ENGINE_STORE="/etc/pki/ovirt-engine/keys/engine.p12"
>
> I also see that /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf has the following override:
>
>     ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
>
> We use Let’s Encrypt on the Apache front-end and this may be the reason as this step is described in the docs:
>
> I did have a certificate mismatch on the proxy itself so configuring {{ssl_key_file and ssl_cert_file}} values according to the docs may help in this situation.

Indeed. Or try to upgrade to 4.3.6, engine-setup should do that for you:

https://bugzilla.redhat.com/show_bug.cgi?id=1637809

Please ping me if needed.

Good luck and best regards,
-- Didi
participants (2)
- Evgheni Dereveanchin (oVirt JIRA)
- Yedidyah Bar David
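
Added example (not from the thread or from the oVirt project): a shell check for the condition the thread suspects, namely a certificate that chains to one trust store while the client validates against another. The function names and the throwaway demo PKI are assumptions made for illustration; the stores must be PEM files, so a Java keystore such as /etc/pki/java/cacerts would have to be exported to PEM first.

```shell
#!/bin/sh
# chains_to CERT CAFILE: succeed only if CERT verifies against CAFILE alone.
chains_to() {
    empty=$(mktemp -d) || return 2
    # An empty -CApath keeps the system's default CA directory out of the result.
    openssl verify -CApath "$empty" -CAfile "$2" "$1" >/dev/null 2>&1
    rc=$?
    rmdir "$empty"
    return "$rc"
}

# trust_verdict CERT ACTIVE_STORE OTHER_STORE: print which store trusts CERT.
# ACTIVE_STORE is what the client really validates with; OTHER_STORE is the
# one the certificate was expected to chain to.
trust_verdict() {
    if chains_to "$1" "$2"; then
        echo "trusted-by-active-store"
    elif chains_to "$1" "$3"; then
        # Valid certificate, wrong store: the client reports a path-building failure.
        echo "trusted-by-other-store-only"
    else
        echo "untrusted"
    fi
}

# make_demo_pki DIR: constructed sample data, not the deployment's real PKI.
# internal-ca.pem stands in for /etc/pki/ovirt-engine/ca.pem, public-ca.pem for
# a PEM export of the store named by ENGINE_HTTPS_PKI_TRUST_STORE, and proxy.cer
# for a proxy certificate issued by the internal CA.
make_demo_pki() {
    d=$1
    for ca in internal public; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo-$ca-ca" \
            -keyout "$d/$ca-ca.key" -out "$d/$ca-ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-proxy" \
        -keyout "$d/proxy.key" -out "$d/proxy.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/proxy.csr" -CA "$d/internal-ca.pem" \
        -CAkey "$d/internal-ca.key" -CAcreateserial -days 2 \
        -out "$d/proxy.cer" 2>/dev/null
}

# On a real host (paths from the ticket; the PEM export path is a placeholder):
#   trust_verdict /etc/pki/ovirt-engine/certs/imageio-proxy.cer \
#       <PEM export of the active trust store> /etc/pki/ovirt-engine/ca.pem
```

A result of `trusted-by-other-store-only` means the certificate is sound and the fix is on the trust side or the certificate side, not both: either the client's store gains the issuing CA, or the service is given a certificate from a CA the client already trusts.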