From: "Yedidyah Bar David" <didi(a)redhat.com>
To: "Andrew Lau" <andrew(a)andrewklau.com>
Cc: "users" <users(a)ovirt.org>
Sent: Wednesday, January 29, 2014 9:05:06 AM
Subject: Re: [Users] Hosted Engine adding host SSL Failure (w/ engine custom cert)
> From: "Andrew Lau" <andrew(a)andrewklau.com>
> To: "users" <users(a)ovirt.org>
> Sent: Wednesday, January 29, 2014 8:38:33 AM
> Subject: [Users] Hosted Engine adding host SSL Failure (w/ engine custom cert)
>
> Hi,
>
> After running through the new patch posted in BZ 1055153 I'm adding a second
> host to the hosted-engine cluster but it seems to fail right before the finish:
>
> [ ERROR ] Failed to execute stage 'Closing up': [ERROR]::oVirt API connection
> failure, [Errno 1] _ssl.c:492: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Couple Extra Notes:
> Engine has a custom SSL cert but the CA has been trusted by the new host. When I
> temporarily return the engine's SSL back to the default generated one the
> install will succeed.
>
> Setup logs: http://www.fpaste.org/72624/13909770/
>
> What confuses me is:
>
> curl https://engine.example.net with the custom SSL cert will succeed but with
> the original self-signed gives the expected "insecure" message. What criteria
> need to be met so the install will pass?
Seems like a bug (or a missing feature) - hosted-engine only supports the
self-signed cert. Can you please open a bug for this?

You might manage to make it work by replacing /etc/pki/ovirt-engine/ca.pem
with the certificate of your CA, but this will prevent adding hosts (because
it's needed to create a certificate for them). Perhaps other things will
break too, I didn't try that.

On second thought, I don't think it will work. The engine will still sign certs
for hosts with its private key, but the hosts will try to verify that with the
ca.pem you put there and fail.
--
Didi