That makes sense, but it is also disappointing to realize that oVirt
Manager will only trust certificates that itself has issued, and that there
is no support for Manager to trust VDSM server certificates issued by
another authority.
If I understand you correctly, then the *only* way to install a VDSM host
certificate is by registering with Manager at which time a certificate is
automatically issued and installed by Manager's built-in certificate
authority.
On Thu, Oct 27, 2016 at 3:27 PM Ravi Nori <rnori(a)redhat.com> wrote:
Since you replace ca.pem you need to replace the private key of ca.pem
Please copy the private key of /etc/pki/ovirt-engine/ca.pem to
/etc/pki/ovirt-engine/private/ca.pem and let me know if everything works
On Thu, Oct 27, 2016 at 2:47 PM, Kenneth Bingham <w(a)qrk.us> wrote:
Thanks Ravi, that's helpful and I appreciate the precision and attention to
detail. I performed similar steps to install a custom certificate for the
oVirt Manager GUI. But what about configuring ovirt-engine to trust a
certificate issued by the same CA and presented by the VDSM host? On the
hypervisor host, I used the existing private key to generate the CSR,
issued the server certificate, and installed in three locations before
bouncing vdsmd.
On the hypervisor Host server (not the Manager/engine server):
/etc/pki/vdsm/certs/vdsmcert.pem
/etc/pki/vdsm/libvirt-spice/server-cert.pem
/etc/pki/libvirt/clientcert.pem
Now, that host is "non responsive" in Manager because ovirt-engine does not
trust the new certificate even though I already performed all of the steps
that you describe above except that I installed the issuer's CA certificate
as the trusted entity. I've documented all of the steps I took in this Gist
<
https://gist.github.com/qrkourier/9c9ac3e8b190dcb91d3767179d5a39ea>.
On Thu, Oct 27, 2016 at 2:12 PM Ravi Nori <rnori(a)redhat.com> wrote:
Here is a complete set of instructions that works for me
You can skip the first few steps of generating the certificate.
Ravi
Generate a self-signed certificate using openssl
======================================
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout
privateKey.key -out certificate.pem
Convert a PEM certificate file and a private key to PKCS#12 (.p12)
=====================================================
openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in
certificate.pem
Extract the key from the bundle
=========================
openssl pkcs12 -in certificate.p12 -nocerts -nodes > apache.key.nopass
Extract the certificate from the bundle
==============================
openssl pkcs12 -in certificate.p12 -nokeys > apache.cer
Create a new Keystore for testing
==========================
keytool -keystore clientkeystore -genkey -alias client
Convert .pem to .der
================
openssl x509 -outform der -in certificate.pem -out certificate.der
Import certificates to keystore
=======================
keytool -import -alias apache -keystore ./clientkeystore -file
./certificate.der
Create Custom conf for ovirt
======================
vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
Set location of truststore and its password
=================================
ENGINE_HTTPS_PKI_TRUST_STORE="/home/rnori/Downloads/Cert/clientkeystore"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="123456"
Copy the custom certificates
======================
rm /etc/pki/ovirt-engine/apache-ca.pem
cp certificate.pem /etc/pki/ovirt-engine/apache-ca.pem
cp certificate.p12 /etc/pki/ovirt-engine/keys/apache.p12
cp apache.cer /etc/pki/ovirt-engine/certs/apache.cer
cp apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass
Restart engine and httpd
===================
service httpd restart
service ovirt-engine restart
On Thu, Oct 27, 2016 at 5:30 AM, Nicolas Ecarnot <nicolas(a)ecarnot.net>
wrote:
Le 27/10/2016 à 00:14, Kenneth Bingham a écrit :
I did install a server certificate from a private CA on the engine
server for the oVirt 4 Manager GUI, but haven't figured out how to
configure engine to trust the same CA which also issued the server
certificate presented by vdsm. This is important for us because this is
the same server certificate presented by the host when using the console
(e.g. websocket console falls silently if the user agent doesn't trust
the console server's certificate).
Hello,
Maybe related bug : on an oVirt 4, I followed the same procedure below to
install a custom CA, with *SUCCESS*.
Today, I had to reinstall one of the hosts, and it is failing with :
"CA certificate and CA private key do not match" :
http://pastebin.com/9JS05JtJ
Which certificate did we (Kenneth and I) did we mis-used?
What did we do wrong?
Regards,
Nicolas ECARNOT
On Wed, Oct 26, 2016, 16:58 Beckman, Daniel
<Daniel.Beckman(a)ingramcontent.com
<mailto:Daniel.Beckman@ingramcontent.com>> wrote:
We have oVirt 3.6.7 and I am preparing to upgrade to 4.0.4 release.
I read the release notes (
https://www.ovirt.org/release/4.0.4/) and
noted comment #4 under “Install / Upgrade from previous version”:____
__ __
/If you are using HTTPS certificate signed by custom certificate
authority, please take a look at
https://bugzilla.redhat.com/1336838
for steps which need to be done after migration to 4.0. Also please
consult
https://bugzilla.redhat.com/1313379 how to setup this custom
CA for use with virt-viewer clients.____/
/__ __/
So I referred to the first bugzilla
(
https://bugzilla.redhat.com/show_bug.cgi?id=1336838), where it
states as follows:____
__ __
If customer wants to use custom HTTPS certificate signed by
different CA, then he has to perform following steps: ____
__ __
1. Install custom CA (that signed HTTPS certificate) into host wide
trustore (more info can be found in update-ca-trust man page) ____
__ __
2. Configure HTTPS certificate in Apache (this step is same as in
previous versions) ____
__ __
3. Create new configuration file (for example
/etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf) with
following content: ____
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="" ____
__ __
4. Restart ovirt-engine service____
__ __
I find it humorous that step # 1 suggests reading the “man page”
which is only slightly better than suggesting to “google” it. ____
__ __
Has anyone using a custom CA for their HTTPS certificate
successfully upgraded to oVirt 4? If so could you share your
detailed steps? Or can anyone point me to an actual example of this
procedure? I’m a little nervous about the upgrade if you can’t
already tell. ____
__ __
Thanks,____
Daniel____
_______________________________________________
Users mailing list
Users(a)ovirt.org <mailto:Users@ovirt.org>
http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
--
Nicolas ECARNOT
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users