Hi
I did a fresh installation of version 4.4.0.3. After the engine setup I replaced the
apache certificate with a custom certificate. I used this article to do it:
https://myhomelab.gr/linux/2020/01/20/replacing_ovirt_ssl.html
To summarize, I replaced those files with my own authority and the signed custom
certificate
/etc/pki/ovirt-engine/keys/apache.key.nopass
/etc/pki/ovirt-engine/certs/apache.cer
/etc/pki/ovirt-engine/apache-ca.pem
That worked so far; apache now uses my certificate and login is possible. To set up a new
machine I need to upload an iso image, which failed. I found this error in
/var/log/ovirt-imageio/daemon.log:
2020-07-08 20:43:23,750 INFO (Thread-10) [http] OPEN client=192.168.1.228
2020-07-08 20:43:23,767 INFO (Thread-10) [backends.http] Open backend netloc='the_secret_hostname:54322' path='/images/ef60404c-dc69-4a3d-bfaa-8571f675f3e1' cafile='/etc/pki/ovirt-engine/apache-ca.pem' secure=True
2020-07-08 20:43:23,770 ERROR (Thread-10) [http] Server error
Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/http.py", line 699, in __call__
    self.dispatch(req, resp)
  File "/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/http.py", line 744, in dispatch
    return method(req, resp, *match.groups())
  File "/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/cors.py", line 84, in wrapper
    return func(self, req, resp, *args)
  File "/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/images.py", line 66, in put
    backends.get(req, ticket, self.config),
  File "/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/backends/__init__.py", line 53, in get
    cafile=config.tls.ca_file)
  File "/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/backends/http.py", line 48, in open
    secure=options.get("secure", True))
  File "/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/backends/http.py", line 63, in __init__
    options = self._options()
  File "/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/backends/http.py", line 364, in _options
    self._con.request("OPTIONS", self.url.path)
  File "/usr/lib64/python3.6/http/client.py", line 1254, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1300, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1249, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1036, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.6/http/client.py", line 974, in send
    self.connect()
  File "/usr/lib64/python3.6/http/client.py", line 1422, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
2020-07-08 20:43:23,770 INFO (Thread-10) [http] CLOSE client=192.168.1.228 [connection 1 ops, 0.019775 s] [dispatch 1 ops, 0.003114 s]
I'm a python developer so I had no problem reading the traceback.
The SSL handshake fails when image-io tries to connect to what I think is called an
ovn-provider. But it is using my new authority certificate
cafile='/etc/pki/ovirt-engine/apache-ca.pem', which does not validate the
certificate generated by the ovirt engine setup, which the ovn-provider probably uses.
I didn't exactly know where the parameter for the validation ca file is. Probably it
is the ca_file parameter in /etc/ovirt-imageio/conf.d/50-engine.conf.
But that needs to be set to my own authority ca file.
Right, but you should not modify this file, it is owned by engine and your changes
will be lost on the next upgrade.
As documented at the top of the file, you need to create a drop-in file:
$ cat /etc/ovirt-imageio/conf.d/99-local.conf
[tls]
ca_file = ...
I think you need to change the key_file and cert_file, otherwise clients connected
to the imageio server may fail to verify the server certificate.
And restart the ovirt-imageio service.
I modified the python file to set the ca_file parameter to the engine setup's
ca_file directly:
/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/backends/__init__.py
So the function call around line 50 looks like this:
backend = module.open(
    ticket.url,
    mode,
    sparse=ticket.sparse,
    dirty=ticket.dirty,
    cafile='/etc/pki/ovirt-engine/ca.pem'  # config.tls.ca_file
)
Now the image upload works, but obviously this is not the way to fix things. Is there
another way to make image-io accept the certificate from the engine setup, while using my
custom certificate? I don't want to replace the certificates of all ovirt components
with custom certificates. I only need the weblogin with my custom certificate.
This works but you will lose the change on the next update, and as you know modifying
python code in production is risky.
Nir
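The following is an added example, not code from this thread or from the oVirt project. It reproduces the failure with throw-away certificates, using openssl exactly as a Python ssl context would verify the peer: a daemon certificate issued by the engine-setup CA does not verify against the Apache CA the poster installed, but does verify against the engine CA. It then writes the drop-in file Nir describes into a scratch directory instead of /etc/ovirt-imageio/conf.d, using the ca_file value that the poster's patch showed to work. The CA names (apache-ca, engine-ca), the host name imageio-host, the scratch paths and the dropin_ca_file helper are all constructed for the demo; the only real requirement is an openssl binary on PATH.

```shell
#!/bin/sh
# Added example: reproduce the CA mismatch behind CERTIFICATE_VERIFY_FAILED
# and show the drop-in fix. All names and paths are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME -> self-signed CA in $WORK/NAME.key and $WORK/NAME.pem
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf CA HOST -> certificate for HOST signed by CA, in $WORK/HOST.pem
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# verify_with CA HOST -> "ok" or "fail"; same chain check the Python ssl
# module performs with cafile= when imageio opens its backend connection
verify_with() {
    if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# dropin_ca_file CONFDIR -> the effective ca_file after reading all *.conf
# drop-ins in lexical order (last assignment wins, as 99-local.conf relies on)
dropin_ca_file() {
    cat "$1"/*.conf | sed -n 's/^ca_file[[:space:]]*=[[:space:]]*//p' | tail -n 1
}

make_ca apache-ca                  # stands in for the custom apache-ca.pem
make_ca engine-ca                  # stands in for engine-setup's ca.pem
make_leaf engine-ca imageio-host   # daemon certificate issued by the engine CA

echo "imageio-host against apache-ca: $(verify_with apache-ca imageio-host)"
echo "imageio-host against engine-ca: $(verify_with engine-ca imageio-host)"

# The drop-in from Nir's reply, written to a scratch dir instead of
# /etc/ovirt-imageio/conf.d so the demo has no side effects. The ca_file
# value is the one the poster's patch used successfully.
mkdir -p "$WORK/conf.d"
cat > "$WORK/conf.d/50-engine.conf" <<EOF
[tls]
ca_file = /etc/pki/ovirt-engine/apache-ca.pem
EOF
cat > "$WORK/conf.d/99-local.conf" <<EOF
[tls]
ca_file = /etc/pki/ovirt-engine/ca.pem
EOF
echo "effective ca_file: $(dropin_ca_file "$WORK/conf.d")"
```

The two verify lines are the whole diagnosis: the engine-side imageio process trusts only what its ca_file points at, so swapping apache-ca.pem for a custom CA silently removes trust in every certificate engine-setup issued to the hosts. The 50-engine.conf stub is only there to show that a later drop-in overrides the earlier value; on a real engine that file is owned by the package and left alone.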