From didi at redhat.com Wed Jan 29 02:05:09 2014
From: Yedidyah Bar David
To: users at ovirt.org
Subject: Re: [Users] Hosted Engine adding host SSL Failure (w/ engine custom cert)
Date: Wed, 29 Jan 2014 02:05:06 -0500
Message-ID: <1005561226.10313198.1390979106293.JavaMail.root@redhat.com>
In-Reply-To: CAD7dF9e=GpySy7_KktZcJZCeDN1mmDZ7qUmMNS9rHR3b1DzVcg@mail.gmail.com

> From: "Andrew Lau"
> To: "users"
> Sent: Wednesday, January 29, 2014 8:38:33 AM
> Subject: [Users] Hosted Engine adding host SSL Failure (w/ engine custom
> cert)

> Hi,

> After running through the new patch posted in BZ 1055153 I'm adding a second
> host to the hosted-engine cluster but it seems to fail right before the
> finish:

> [ ERROR ] Failed to execute stage 'Closing up': [ERROR]::oVirt API connection
> failure, [Errno 1] _ssl.c:492: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

> Couple Extra Notes:
> Engine has a custom SSL cert but the CA has been trusted by the new host.
> When I temporarily return the engine's SSL back to the default generated one
> the install will succeed.

> Setup logs: http://www.fpaste.org/72624/13909770/

> What confuses me is:

> curl https://engine.example.net with the custom SSL cert will succeed but
> with the original self-signed gives the expected "insecure" message. What
> criteria need to be met so the install will pass?

Seems like a bug (or a missing feature) - hosted-engine only supports the
self-signed cert. Can you please open a bug for this?

You might manage to make it work by replacing /etc/pki/ovirt-engine/ca.pem
with the certificate of your CA, but this will prevent adding hosts (because
it's needed to create a certificate for them). Perhaps other things will
break too, I didn't try that.

--
Didi
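
Added example, not part of the original thread and not oVirt code: it reproduces the symptom offline, assuming the setup validates the engine certificate against the engine's own internal CA file rather than the host's system trust store. All CA names, subjects and files are constructed; `make_ca`, `issue_cert` and `chain_check` are hypothetical helpers.

```bash
#!/usr/bin/env bash
# Constructed demo PKI: every name, subject and file here is made up.
set -eu

make_ca() {       # make_ca DIR NAME CN -> DIR/NAME.key, DIR/NAME.pem (self-signed CA)
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        'prompt=no' '[dn]' "CN=$3" '[v3_ca]' \
        'basicConstraints=critical,CA:TRUE' > "$1/$2.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

issue_cert() {    # issue_cert DIR CA_NAME OUT_NAME CN -> DIR/OUT_NAME.pem signed by CA_NAME
    openssl req -new -newkey rsa:2048 -nodes -config "$1/$2.cnf" \
        -subj "/CN=$4" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 2 -out "$1/$3.pem" 2>/dev/null
}

chain_check() {   # chain_check CAFILE CERT -> prints "ok" if CERT chains to CAFILE, else "fail"
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca    "$WORK" internal_ca "Constructed engine internal CA"
make_ca    "$WORK" custom_ca   "Constructed site CA"
# Engine certificate as served after switching to the custom CA
issue_cert "$WORK" custom_ca   engine         "engine.example.net"
# Engine certificate as generated by default (signed by the internal CA)
issue_cert "$WORK" internal_ca default_engine "engine.example.net"

# Assumed setup behaviour: trust only the internal CA file
echo "custom cert vs internal CA:  $(chain_check "$WORK/internal_ca.pem" "$WORK/engine.pem")"
# What curl does on a host that trusts the custom CA
echo "custom cert vs custom CA:    $(chain_check "$WORK/custom_ca.pem" "$WORK/engine.pem")"
# Reverting the engine to its default certificate
echo "default cert vs internal CA: $(chain_check "$WORK/internal_ca.pem" "$WORK/default_engine.pem")"
```

On a real deployment the same `openssl verify -CAfile` check can be run against the certificate the engine actually serves, once with the CA file the client is configured to use and once with the site CA, to see which trust anchor is rejecting it.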