Seems that all services (imageio, ovn, web socket) are fine after following
the above and importing the new self-signed CA certificate.
Did also run engine-setup as I was trying to fix the imageio cert issue,
though it seems that was only fixed after importing the CA cert in the
browser, and engine-setup might not be needed.
On Wed, Nov 18, 2020 at 3:07 PM Alex K <rightkicktech(a)gmail.com> wrote:
Seems I had a typo at
/etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf.
I will repeat the test to verify that all services are functional
following this process.
On Wed, Nov 18, 2020 at 10:24 AM Alex K <rightkicktech(a)gmail.com> wrote:
> Hi all,
>
> I am trying to replace the oVirt certificate on oVirt 4.3 following this:
>
> https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.3/...
>
> I am doing the following:
> I have engine FQDN: manager.lab.local
>
> 1. Create root CA private key:
> openssl genrsa -des3 -out root.key 2048
>
> 2. Generate root certificate: (enter passphrase of root key)
> openssl req -x509 -new -nodes -key root.key -sha256 -days 3650 -out root.pem
> cp root.pem /tmp
>
> 3. Create key and CSR for engine:
> openssl genrsa -out manager.lab.local.key 2048
> openssl req -new -out manager.lab.local.csr -key manager.lab.local.key
>
> 4. Generate a certificate for engine and sign with the root CA key:
>
> # The SAN has to come from -extfile: "openssl x509 -req" ignores
> # -extensions when no -extfile is given and never copies extensions
> # from the CSR, so the certificate would otherwise have no subjectAltName.
> printf 'subjectAltName=DNS:manager.lab.local\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' > manager.lab.local.ext
> openssl x509 -req -in manager.lab.local.csr \
> -CA root.pem \
> -CAkey root.key \
> -CAcreateserial \
> -out manager.lab.local.crt \
> -days 3650 \
> -sha256 \
> -extfile manager.lab.local.ext
>
> 5. Verify the trust chain and check the certificate details:
> openssl verify -CAfile root.pem manager.lab.local.crt
> openssl x509 -text -noout -in manager.lab.local.crt | head -15
>
> 6. Generate a P12 container: (with empty password)
> openssl pkcs12 -export -out /tmp/apache.p12 \
> -inkey manager.lab.local.key \
> -in manager.lab.local.crt
>
> 8. Export key and cert (the P12 was written to /tmp in step 6):
> openssl pkcs12 -in /tmp/apache.p12 -nocerts -nodes > /tmp/apache.key
> openssl pkcs12 -in /tmp/apache.p12 -nokeys > /tmp/apache.cer
>
> From the above steps we should have the following:
>
> /tmp/root.pem
> /tmp/apache.p12
> /tmp/apache.key
> /tmp/apache.cer
>
> 9. Place the certificates:
> hosted-engine --set-maintenance --mode=global
> cp -p /etc/pki/ovirt-engine/keys/apache.p12 /tmp/apache.p12.bck
> cp /tmp/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12
> cp /tmp/root.pem /etc/pki/ca-trust/source/anchors
> update-ca-trust
> rm /etc/pki/ovirt-engine/apache-ca.pem
> cp /tmp/root.pem /etc/pki/ovirt-engine/apache-ca.pem
>
> Backup existing key and cert:
> cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.bck
> cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.bck
> cp /tmp/apache.key /etc/pki/ovirt-engine/keys/apache.key.nopass
> cp /tmp/apache.cer /etc/pki/ovirt-engine/certs/apache.cer
> chown root:ovirt /etc/pki/ovirt-engine/keys/apache.key.nopass
> chmod 640 /etc/pki/ovirt-engine/keys/apache.key.nopass
> systemctl restart httpd.service
>
> 10. Create a new trust store configuration file:
> vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
>
> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
>
> 11. Edit /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf :
> vi /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>
> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>
> 12. Edit /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf:
> vi /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
>
> # Key file for SSL connections
> ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
> # Certificate file for SSL connections
> ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer
>
> 13. Import the certificate into the system-wide Java trust store:
>
> update-ca-trust extract
> keytool -list -alias ovirt -keystore /etc/pki/java/cacerts
>
> 14. Restart services:
> systemctl restart httpd.service
> systemctl restart ovirt-provider-ovn.service
> systemctl restart ovirt-imageio-proxy
> systemctl restart ovirt-websocket-proxy
> systemctl restart ovirt-engine.service
>
> Following the above I get in the engine GUI:
>
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>
> I have tried also to run engine-setup in case it could fix anything (it
> renewed the cert due to missing subjectAltName), and the above error still
> persists.
> I have tried several other suggestions from similar issues reported at
> this list without any luck.
> I have run out of ideas. Am I missing anything?
> Thanks for any suggestions.
> Alex
>
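
Added example, not part of the thread and not oVirt's own tooling: a shell script that runs the thread's steps 1 through 8 against a scratch directory, issues the engine certificate with the subjectAltName that the original signing step dropped, reproduces the no-SAN outcome side by side, and checks the chain, the SAN and the key/cert match before anything would be copied under /etc/pki/ovirt-engine. Assumptions: openssl in PATH, the engine FQDN manager.lab.local from the thread, and a root key left unencrypted so the script runs non-interactively (the thread's -des3 passphrase is the right choice for a real CA).

```shell
#!/bin/sh
# Added example, not code from the thread: build a scratch root CA, issue an
# engine certificate that actually carries a subjectAltName, round-trip it
# through PKCS#12 the way the thread does, and check the result before any
# file is copied into /etc/pki/ovirt-engine.
# Assumptions: openssl in PATH; FQDN from the thread (manager.lab.local);
# the root key is left unencrypted here so the script runs non-interactively.
set -eu

FQDN="${FQDN:-manager.lab.local}"
WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"

# One config file serving both "openssl req" and "openssl x509 -req".
# v3_engine is what the thread's "-extensions v3_req" should have pointed at;
# "openssl x509 -req" only reads a section from -extfile and never copies
# extensions from the CSR, so without -extfile the leaf gets no SAN at all.
write_config() {
    cat > "$CNF" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_engine]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$FQDN
EOF
}

# Steps 1 and 2: root key and self-signed root certificate with CA extensions.
make_root_ca() {
    openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/root.key" -config "$CNF" \
        -extensions v3_ca -subj "/CN=lab.local test root CA" \
        -sha256 -days 3650 -out "$WORK/root.pem"
}

# Step 3: engine key and CSR.
make_engine_csr() {
    openssl genrsa -out "$WORK/$FQDN.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$FQDN.key" -config "$CNF" \
        -subj "/CN=$FQDN" -out "$WORK/$FQDN.csr"
}

# Step 4 done right: -extfile plus -extensions names the section with the SAN.
sign_with_san() {
    openssl x509 -req -in "$WORK/$FQDN.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 3650 -sha256 \
        -extfile "$CNF" -extensions v3_engine \
        -out "$WORK/$FQDN.crt" 2>/dev/null
}

# What the thread's step 4 effectively did: no -extfile, so no extensions
# land in the certificate. Kept only to show the failure mode.
sign_without_san() {
    openssl x509 -req -in "$WORK/$FQDN.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 3650 -sha256 \
        -out "$WORK/$FQDN.nosan.crt" 2>/dev/null
}

# Steps 6 and 8: PKCS#12 with an empty password, then key and cert extracted.
pkcs12_roundtrip() {
    openssl pkcs12 -export -inkey "$WORK/$FQDN.key" -in "$WORK/$FQDN.crt" \
        -passout pass: -out "$WORK/apache.p12"
    openssl pkcs12 -in "$WORK/apache.p12" -passin pass: -nocerts -nodes \
        > "$WORK/apache.key" 2>/dev/null
    openssl pkcs12 -in "$WORK/apache.p12" -passin pass: -nokeys \
        > "$WORK/apache.cer" 2>/dev/null
}

# Step 5: the leaf must chain to the root that goes into apache-ca.pem.
check_chain() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/$FQDN.crt" >/dev/null
}

# Returns 0 when the certificate in $1 has a SAN naming the engine FQDN.
check_san_file() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$FQDN"
}

# The extracted apache.key must belong to the extracted apache.cer.
check_key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$WORK/apache.cer")
    key_mod=$(openssl rsa -noout -modulus -in "$WORK/apache.key" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

run_all() {
    write_config && make_root_ca && make_engine_csr \
        && sign_with_san && sign_without_san && pkcs12_roundtrip \
        && check_chain && check_san_file "$WORK/apache.cer" \
        && check_key_matches_cert
}
```

Run it with `run_all` and inspect "$WORK"; only the apache.p12, apache.key, apache.cer and root.pem that pass all three checks are worth copying into place, and the nosan.crt is the shape of certificate that engine-setup refuses and modern browsers reject regardless of which CA signed it.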