On Wed, Feb 20, 2019 at 6:34 PM Giorgio Biacchi <giorgio(a)di.unimi.it> wrote:
On 2/20/19 7:47 AM, Yedidyah Bar David wrote:
> On Tue, Feb 19, 2019 at 3:18 PM Giorgio Biacchi <giorgio(a)di.unimi.it> wrote:
>>
>> Hi list,
>> during our datacenter lifetime many things changed. We moved the engine
>> twice on different hosts with, of course, different FQDNs, and many
>> other changes. Now we are stuck with an error when we try to upload an
>> image to a data domain. The error is somehow bound to a failure to
>> validate the ovirt-imageio-proxy certificate and, since the current root
>> CA certificate is still signed with sha1WithRSAEncryption we'd like to
>> regenerate the whole CA.
>
> Is "sha1" all your problem? You might want to check:
>
>
> https://www.ovirt.org/develop/migrate-pki-to-sha256.html
Today I repeated the procedure described in the link here above and
finally I was successful. Maybe yesterday I was too quick to fall back
to the original state but my environment is in production and I was scared...
I had some problems while enrolling the new certificate on the
hypervisors, but removing/rebooting/readding did the trick.
If you still have logs of the failure, you might want to open a bug.
I think 'Enroll Certificate' should have worked.
Our engine has an SSO_ALTERNATE_ENGINE_FQDN (before it was the real
engine FQDN) so I found that ImageProxyAddress was still pointing to the
old name.
Should be fixed in ovirt-engine-rename in 4.3:
https://bugzilla.redhat.com/show_bug.cgi?id=1519194
If you used other means (e.g. only add alternate fqdn but do not run
rename), it's up to you to handle, e.g. as you did below.
I'm now able (as before) to access the admin portal with both
names but only one (the one with the green lock in the browser) is the
FQDN in the certificate, so I did:
engine-config --set ImageProxyAddress=realFQDN:54323
and now I have sha256 certs and ovirt-imageio-proxy working as expected. :)
Glad to hear that, thanks for the report!
Best regards,
--
Didi
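
Added example, not part of the original thread: a shell check for the two conditions discussed above, a certificate signed with SHA-1 and an ImageProxyAddress host that is not a name in the proxy certificate. The function names, the example.test FQDNs and the throwaway certificate are constructed for illustration; it assumes the openssl CLI (1.1.1 or later), and the certificate path is whatever file your proxy actually serves.

```shell
#!/bin/sh
# Signature algorithm of a PEM certificate, e.g. sha256WithRSAEncryption.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# True (0) when the algorithm name is SHA-1 or MD5 based.
is_weak_sigalg() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *sha1*|*md5*) return 0 ;;
        *) return 1 ;;
    esac
}

# True (0) when the certificate is valid for the given host name.
# -checkhost reports its result on stdout, so match the output text.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# audit_proxy_cert HOST:PORT CERT -> 0 ok, 1 weak signature, 2 name mismatch
audit_proxy_cert() {
    host=${1%%:*}                      # strip the :port suffix
    alg=$(cert_sigalg "$2")
    if is_weak_sigalg "$alg"; then
        echo "WEAK: $2 is signed with $alg"; return 1
    fi
    if ! cert_matches_host "$2" "$host"; then
        echo "MISMATCH: $host is not a name in $2"; return 2
    fi
    echo "OK: $host matches $2 ($alg)"
}

# Constructed sample: throwaway self-signed certificate for a made-up FQDN.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}
```

Call `audit_proxy_cert` with the value configured as ImageProxyAddress and the proxy's certificate file; exit status 2 corresponds to the stale-name situation described in the thread.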