On Wed, Jul 4, 2018 at 6:50 PM, Nir Soffer <nsoffer(a)redhat.com> wrote:
On Wed, Jul 4, 2018 at 11:08 AM Etienne Charlier <Etienne.Charlier@reduspaceservices.eu> wrote:
> Thanks for getting back to me.
>
>
> I wanted to "protect" my ovirt installation with letsencrypt certificates
> ( to have a "green" bar in my chrome browser.)
>
I think there is a misconception here. Using the engine builtin CA is more secure than any other CA, not less secure. You don't protect anything by using another CA.
Well, not sure I agree, but not sure that's the point...
The engine-internal CA is only protected by a unix ACL, on the engine
machine. So if you manage to get root on it, you can do anything with the
engine CA.
Most reasonable CAs (including hopefully most organization-internal ones)
have more than one level in the authority chain, with the root cert's key
being kept offline in some safe, so it's harder to break.
What you really need to do is to import the engine CA certificate to your browser, and this is also required for communicating with the proxy.
Unless you know what you are doing, replacing the certificates with your own is going to be hard.
Should not be - we have this doc, and should update it as needed:
[1]
https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/
Actually it's indeed somewhat out-of-date. See also:
[2]
https://bugzilla.redhat.com/show_bug.cgi?id=1385617
which should be the only thing missing in:
[3]
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.2/...
which is somewhat more up-to-date than [1] (has websocket-proxy).
> I set up a bastion host where I configured letsencrypt.
>
>
> I copied the certificates over the ovirt engine machine and ran the
> script "convert.sh" ( see attachment). ( still need to automate it to
> handle certificate renewal..)
>
>
> Once this was in place, the test connection button ( in upload image UI)
> gave me "green" "Connection to ovirt-imageio-proxy was successful."
>
This means that the proxy is configured to use the new CA, but this is not enough to upload. The proxy has its own certificates, and they must be signed by the new CA.
So to use your own certificates, you have to regenerate both the engine certificates and the proxy certificates, and this process is not easy or documented yet.
Isn't this what above bug [2] is about? You wrote there that it's ok to
configure the proxy to use same key/cert as apache.
Thanks,
If you created everything correctly, you need to configure the proxy to use the new certificates.
Finally, you need to restart ovirt-imageio-proxy, since it does not support reloading certificates or configuration changes yet.
I think the best solution for you is to use engine builtin PKI, managed by
engine-setup.
To "protect" your ovirt installation, add the engine CA to your browser using this link:
https://my.engine/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
You save this file locally, and then you import this certificate into your browser.
Using Chrome, you do:
1. go to: Settings > Advanced > Manage Certificates > Authorities
2. click "Import"
3. select the certificate
4. check "Trust this certificate for identifying web sites"
5. confirm
6. restart the browser
> Here is a copy of engine.log and ovirt-imageio-proxy log files. The ssl
> paths are dumped in the log file
>
> Thanks for your support
> Etienne
>
> ------------------------------
> *From:* Nir Soffer <nsoffer(a)redhat.com>
> *Sent:* Tuesday, 3 July 2018 23:31
> *To:* Etienne Charlier
> *Cc:* users(a)ovirt.org; Daniel Erez
> *Subject:* Re: [ovirt-users] Cannot import a qcow2 image
>
>
>
> On Tue, Jul 3, 2018 at 11:47 PM Nir Soffer <nsoffer(a)redhat.com> wrote:
>
>> On Tue, 3 Jul 2018, 15:44, <etienne.charlier(a)reduspaceservices.eu> wrote:
>>
>>> Hello,
>>>
>>> I'm trying without success to import a qcow2 file into ovirt. I tried
>>> on an iSCSI data domain and an NFS data domain.
>>>
>>> I struggled quite a lot to have the "test connection" succeed ( I wrote
>>> a small shell script to "deploy" letsencrypt certificates into ovirt engine)
>>>
>>> Doc is not clear on the fact that certificates for imageio-proxy are
>>> different from those for the main engine…
>>>
>>>
>>> Now, the upload fails with
>>>
>>> Transfer was stopped by system. Reason: failed to add image ticket to
>>> ovirt-imageio-proxy.
>>> Image gets stuck in "transfer paused by system"
>>>
>>> Any idea ?
>>>
>>
>> you probably have bad certificate configuration in the proxy. Why not
>> use the default certificates generated by engine setup? This is how we test
>> the proxy.
>>
>
> Can you share the contents of:
> /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
>
> And the proxy log at
> /var/log/ovirt-imageio-proxy/image-proxy.log
> Showing the time of the error (failed to add image ticket to
> ovirt-imageio-proxy.)
>
> Nir
>
>
>>
>>
>>> oVirt is up to date: 4.2.4 on both engine and hosts.
>>>
>>
--
Didi
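A shell check, added here and not taken from the thread, that separates the two conditions Nir describes: the proxy trusting the engine CA versus the proxy's own certificate actually being signed by it. The CA download URL is the one quoted above; the proxy port 54323 and the FQDN arguments are assumptions, and the sample PKI is constructed locally so the verification can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: the engine CA is served at the
# pki-resource URL quoted in the thread, and ovirt-imageio-proxy listens on 54323.
set -u

# Download the engine CA certificate.   usage: fetch_engine_ca ENGINE_FQDN OUTFILE
fetch_engine_ca() {
    curl -fsS -o "$2" "https://$1/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA"
}

# Save the leaf certificate the proxy presents.   usage: fetch_proxy_cert HOST PORT OUTFILE
fetch_proxy_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3"
}

# Exit 0 only if LEAF chains to a CA in CAFILE. This is the condition the thread
# describes: the proxy's own certificate must be signed by the engine CA, not merely
# the proxy trusting that CA.   usage: verify_leaf_against_ca CAFILE LEAF
verify_leaf_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed sample PKI so the check can be exercised offline: a throwaway CA, a
# leaf it signed (the "good proxy cert"), and an unrelated CA for the failing case.
# usage: make_sample_pki DIR
make_sample_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=sample-engine-ca \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=sample-proxy \
        -keyout "$1/proxy.key" -out "$1/proxy.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/proxy.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/proxy.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=unrelated-ca \
        -keyout "$1/other.key" -out "$1/other.pem" 2>/dev/null
}

# Live check against a deployment:   sh check_proxy_ca.sh ENGINE_FQDN [PROXY_HOST]
if [ "$#" -ge 1 ]; then
    engine=$1; proxy=${2:-$1}; work=$(mktemp -d)
    fetch_engine_ca "$engine" "$work/ca.pem" || { echo "cannot fetch engine CA"; exit 2; }
    fetch_proxy_cert "$proxy" 54323 "$work/proxy.pem"
    if verify_leaf_against_ca "$work/ca.pem" "$work/proxy.pem"; then
        echo "OK: proxy certificate is signed by the engine CA"
    else
        echo "FAIL: proxy certificate does not chain to the engine CA; reconfigure the proxy"; exit 1
    fi
fi
```

Run with no arguments it only defines the functions; with an engine FQDN it performs the live comparison, which is the check to make after any certificate change and before restarting ovirt-imageio-proxy.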