I figured it out. When ovirt-provider-ovn attempts to connect back to
the engine via HTTPS, it tells the python requests module to use the
specified CA cert file... but that won't work with most 3rd-party certs
because they have an intermediate cert as well. It appears that the
requests module tries to validate both certs.
Creating /etc/ovirt-provider-ovn/conf.d/99-custom-cert.conf that just
has:
[OVIRT]
ovirt-ca-file=
tells the module to use the regular system CA cert file(s), which works.
This should probably be added to the oVirt doc for using a 3rd-party
cert.
Once upon a time, Chris Adams <cma(a)cmadams.net> said:
Circling back to an old email...
Once upon a time, Yedidyah Bar David <didi(a)redhat.com> said:
> On Wed, Jan 30, 2019 at 10:28 PM Chris Adams <cma(a)cmadams.net> wrote:
> > However, while digging, I also noticed that now the engine is not
> > communicating with ovirt-provider-ovn, possibly due to a similar issue?
> > It is having the reverse problem; it rejects the engine's cert.
>
> Didn't try this yet, adding Dominik.
Was anybody able to look at this? I had to use my dev hardware for
something else for a bit, so re-installed with 4.3.5 yesterday. The
imageio SSL cert issue looks good, but I still can't figure out the
ovirt-provider-ovn CA usage.
My little bit of digging seems to show that the engine connects to the
provider and is using an SSL client cert, and that cert is signed by
something... but I'm not sure what. I think the provider side is trying
to validate with the following setting from
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
[OVIRT]
ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem
Following the general "3rd-party SSL", that is now the Let's Encrypt CA.
I tried changing it to point to the original self-signed oVirt CA (same
directory, just "ca.pem"), but that didn't work either.
Any suggestions?
--
Chris Adams <cma(a)cmadams.net>
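An added example, not code from this thread or from ovirt-provider-ovn, that reproduces the chain problem described above with openssl. It builds a made-up root -> intermediate -> leaf chain (all names, paths and the "engine.example" host are constructed for the example) and runs "openssl verify" against different CA files. That is the same trust-store logic a TLS client applies when it is handed a single CA file (python-requests with verify=<path> included): only what is in that file is trusted, so a file holding just the root rejects the leaf unless the server also sends the intermediate, or the intermediate is in the file too.

```shell
#!/bin/sh
# Added example; this is not code from the thread or from ovirt-provider-ovn.
# Builds a made-up root -> intermediate -> leaf chain with openssl and runs
# "openssl verify" against different CA files, the same trust-store logic a
# TLS client (python-requests with verify=<path> included) applies: only the
# certificates in the given file are trusted, nothing else.
set -e

# Generate root.pem, int.pem, leaf.pem and bundle.pem (root + int) in $1.
make_chain() {
    dir=$1
    mkdir -p "$dir"
    # CA and leaf extensions, given explicitly so nothing depends on openssl.cnf.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:engine.example\n' \
        > "$dir/leaf.ext"

    # Root CA: self-signed with the CA extensions above.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/root.key" -out "$dir/root.csr" -subj "/CN=Example Root" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
        -out "$dir/root.pem" -days 7 -extfile "$dir/ca.ext" 2>/dev/null

    # Intermediate CA, issued by the root.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/int.key" -out "$dir/int.csr" -subj "/CN=Example Intermediate" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -out "$dir/int.pem" -days 7 -extfile "$dir/ca.ext" 2>/dev/null

    # Server (leaf) certificate, issued by the intermediate, as a public CA would.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -subj "/CN=engine.example" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -out "$dir/leaf.pem" -days 7 -extfile "$dir/leaf.ext" 2>/dev/null

    # A CA file that carries the whole issuing chain, not just the root.
    cat "$dir/root.pem" "$dir/int.pem" > "$dir/bundle.pem"
}

# Print "ok" or "fail" for leaf.pem in $1 when only the CA file $2 is trusted.
# Further arguments go to openssl verify, e.g. "-untrusted <dir>/int.pem" to
# model a server that sends its intermediate along with the leaf.
check_leaf() {
    dir=$1
    cafile=$2
    shift 2
    if openssl verify -CAfile "$dir/$cafile" "$@" "$dir/leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

WORK=$(mktemp -d)
make_chain "$WORK"
echo "trust root only, server sends leaf only:  $(check_leaf "$WORK" root.pem)"
echo "trust root only, server also sends int:   $(check_leaf "$WORK" root.pem -untrusted "$WORK/int.pem")"
echo "trust root+int bundle, server sends leaf: $(check_leaf "$WORK" bundle.pem)"
rm -rf "$WORK"
```

The first line fails with "unable to get local issuer certificate"; the other two verify. Applied to the thread: leaving ovirt-ca-file empty, which the post above says makes the provider fall back to the system bundle, accepts anything any public CA signs, while a CA file that contains the third-party root plus its intermediate keeps the provider pinned to that issuer and still validates a leaf the server sends on its own.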