On Wed, May 9, 2018 at 10:10 AM, Yedidyah Bar David <didi(a)redhat.com> wrote:
On Tue, May 8, 2018 at 7:11 PM, Sandro Bonazzola
<sbonazzo(a)redhat.com> wrote:
> Adding Didi
>
> On Tue, May 8, 2018, 10:32 Jiří Sléžka <jiri.slezka(a)slu.cz> wrote:
>>
>> Hi,
>>
>> solution was obvious. Upgrade process modified apache's ssl.conf and
>> reverted my customization.
>>
>> for example - my custom cert...
>>
>> SSLCertificateFile /etc/pki/tls/certs/ovirt.crt.pem
>>
>> ...was replaced by this
>>
>> SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer
>>
>> the same for SSLCertificateKeyFile and SSLCACertificateFile

Actually that was intended, see [1]. But I admit I didn't specifically
think about 3rd-party CAs, sorry.

You were notified about this by engine-setup, right?

"Apache httpd SSL was already configured in the past,
but some needed changes are missing there.
Configure again? (Automatic, Manual) [Automatic]:"

Please open a bug about this. Not sure exactly what the bug
should say - perhaps that on upgrade, engine-setup should only
touch specific values there, which do not include SSL*File,
perhaps show to the user what we are actually going to change,
perhaps default to 'No' - not sure about this - and change to
'Yes, No'.

Filed this for now:
https://bugzilla.redhat.com/show_bug.cgi?id=1576377

Feel free to comment there and/or add yourself to CC.

Thanks,

[1] https://bugzilla.redhat.com/1558500

>>
>> After reverting these changes everything works as usual but it makes me
>> unsure if I have my 3rd party certificate configured the right way...

You are welcome to review other changes we did and decide for yourself.

See also:
https://www.ovirt.org/develop/release-management/features/infra/pki-renew/
https://www.ovirt.org/documentation/how-to/migrate-pki-to-sha256/

>>
>> Cheers,
>>
>> Jiri
>>
>>
>> On 05/07/2018 05:41 PM, Jiří Sléžka wrote:
>> > Hi,
>> >
>> > after upgrading oVirt from 4.2.2 to 4.2.3.5-1.el7.centos I cannot log in
>> > to the admin portal because
>> >
>> > sun.security.validator.ValidatorException: PKIX path building failed:
>> > sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> > find valid certification path to requested target
>> >
>> > I am using custom 3rd party certificate
>> >
>> > Any hints how to resolve this issue?

I am not sure this should have happened.

If engine-setup replaced all relevant SSL*File options, it should have
worked, and at most you should have received a pop-up in your browser.

Please also check/share engine-setup log from /var/log/ovirt-engine/setup
and the actual changes to ssl.conf.

Thanks!

Best regards,

>> >
>> > Thanks in advance,
>> >
>> > Jiri Slezka
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > Users mailing list
>> > Users(a)ovirt.org
>> > http://lists.ovirt.org/mailman/listinfo/users
>> >
>>
--
Didi
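
Added example, not part of the thread and not oVirt code: one way to produce "the actual changes to ssl.conf" asked for above is to compare only the SSL*File directives in a pre-upgrade copy of the file against the current one. Only the two SSLCertificateFile paths are taken from the thread; the `/path/to/...` values, the sample configs and the function names are constructed for illustration.

```python
import re
# The three directives the thread reports engine-setup rewrote on upgrade.
WATCHED = ("sslcertificatefile", "sslcertificatekeyfile", "sslcacertificatefile")

def ssl_file_directives(conf_text):
    """Map (vhost, directive) -> path for the watched directives in an Apache config."""
    found, vhost = {}, "<global>"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blanks and comments
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            vhost = opened.group(1).strip()
        elif line.lower().startswith("</virtualhost"):
            vhost = "<global>"
        else:
            parts = line.split(None, 1)
            # Apache directive names are case-insensitive; values may be quoted.
            if len(parts) == 2 and parts[0].lower() in WATCHED:
                found[(vhost, parts[0].lower())] = parts[1].strip().strip('"')
    return found

def changed_directives(before_text, after_text):
    """Return {(vhost, directive): (old, new)} for every watched value that differs."""
    before, after = ssl_file_directives(before_text), ssl_file_directives(after_text)
    return {key: (before.get(key), after.get(key))
            for key in sorted(set(before) | set(after))
            if before.get(key) != after.get(key)}

# Constructed samples; the /path/to/... values are placeholders, not oVirt paths.
BEFORE = """<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ovirt.crt.pem
sslcertificatekeyfile "/path/to/custom.key"
SSLCACertificateFile /path/to/custom-ca.pem
</VirtualHost>
"""
AFTER = """<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer
SSLCertificateKeyFile /path/to/engine.key
SSLCACertificateFile /path/to/engine-ca.pem
</VirtualHost>
"""

if __name__ == "__main__":
    for (vhost, name), (old, new) in changed_directives(BEFORE, AFTER).items():
        print(f"{vhost} {name}: {old} -> {new}")
```

Running it against a saved copy of ssl.conf taken before engine-setup and the file as it stands afterwards lists exactly the certificate, key and CA paths that were switched, while ignoring unrelated directives.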