Re: [ovirt-users] ovirt 3.5 engine web certificate

Hi, ----- Le 1 Sep 15, à 9:43, Sandro Bonazzola <sbonazzo(a)redhat.com&gt; a écrit : On Mon, Aug 31, 2015 at 6:08 PM, Alon Bar-Lev <alonbl(a)redhat.com&gt; wrote: > > > ----- Original Message ----- > > From: "Baptiste Agasse" <baptiste.agasse(a)lyra-network.com&gt; > > To: "users" <users(a)ovirt.org&gt; > > Sent: Monday, August 31, 2015 6:54:28 PM > > Subject: [ovirt-users] ovirt 3.5 engine web certificate > > > > Hi all, > > > > I've followed the procedure to replace self signed certificate to one > issued > > by our internal PKI to avoid security failure when users access to the > webui > > ( > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtuali... > ). > > The connection to the webui now works fine without any security warning > (the > > internal PKI CA is in the trusted CA of our clients OS). But on the > other > > hand, i've some troubles: > > > > * I've to specify the --ca-file option for ovirt-shell and > > engine-iso-uploader (i didn't test the engine-image-upload command), it > will > > be nice if the documentation provide a way to replace this by default > (or > > use the trusted ca store of the OS ?). This is not a bug just some > feedback > > on the certificate change procedure that don't cover these side effects. > > This is [1], probably you want to modify the configuration files of these > tools at /etc so you will have proper defaults. > > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1146710 > Thank you for this link. > > * I can't add new ovirt-node anymore. > > If ovirt-node was added using previous certificate it "Remembers" that > certificate. > You can remove it from /etc/pki/vdsm/engine_web_ca.pem and try to > register again. > > > * The ovirt-hosted-engine --deploy fails > > on new nodes with an SSL error. To workaround this i've to modify the > file > > "/usr/lib/python2.7/site-packages/ovirtsdk/web/connection.py" around > line > > 233 to make an insecure connection to the engine and add the new node. I > > didn't have tested to add a new node from the ovirt engine cli/webui > but i > > think it will be the same issue because the error occurs on the vdsm > > activation that is common to the 'new hosted engine node' and 'new node' > > deployment. I've seen > https://bugzilla.redhat.com/show_bug.cgi?id=1059952 > > but the workaround noted in the comment #8 didn't work for me. > > CC sandro for this. > Can you please share full sos report? The report is a little bit big (about 57MB) to be sent by mail, have you any procedure i can use to send it to you ?

> > > > Someone have more info on this issue or have the same problem ? > > > > This deployment is on ovirt 3.5.3, CentOS 7 (engine and nodes). > > > > Have a nice day. > > > > Regards. > > > > -- > > Baptiste > > _______________________________________________ > > Users mailing list > > Users(a)ovirt.org > > http://lists.ovirt.org/mailman/listinfo/users > > > -- Sandro Bonazzola Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com -- Baptiste