On Fri, Aug 2, 2019 at 4:37 PM Dominik Holler <dholler@redhat.com> wrote:
On Thu, 1 Aug 2019 20:45:56 -0500
Chris Adams <cma@cmadams.net> wrote:

> I figured it out.  When ovirt-provider-ovn attempts to connect back to
> the engine via HTTPS, it tells the python requests module to use the
> specified CA cert file... but that won't work with most 3rd-party certs
> because they have an intermediate cert as well.  It appears that the
> requests module tries to validate both certs.
>
> Creating /etc/ovirt-provider-ovn/conf.d/99-custom-cert.conf that just
> has:
>
> [OVIRT]
> ovirt-ca-file=
>
> tells the module to use the regular system CA cert file(s), which works.


Thanks for your investigation!
Looks like the empty string is converted implicitly to Boolean in
https://github.com/psf/requests/blob/75bdc998e2d430a35d869b2abf1779bd0d34890e/requests/adapters.py#L215
Because bool('') is False in python, the certificate should be checked
at all.


Because bool('') is False in python, the certificate should be not checked at all.
 
Would
ovirt-ca-file=/etc/pki/tls/certs/ca-bundle.crt
work for you?
(It works for https://helloworld.letsencrypt.org)

> This should probably be added to the oVirt doc for using a 3rd-party
> cert.
>
> Once upon a time, Chris Adams <cma@cmadams.net> said:
> > Circling back to an old email...
> >
> > Once upon a time, Yedidyah Bar David <didi@redhat.com> said:
> > > On Wed, Jan 30, 2019 at 10:28 PM Chris Adams <cma@cmadams.net> wrote:
> > > > However, while digging, I also noticed that now the engine is not
> > > > communicating with ovirt-provider-ovn, possibly due to a similar issue?
> > > > It is having the reverse problem; it rejects the engine's cert.
> > >
> > > Didn't try this yet, adding Dominik.
> >
> > Was anybody able to look at this?  I had to use my dev hardware for
> > something else for a bit, so re-installed with 4.3.5 yesterday.  The
> > imageio SSL cert issue looks good, but I still can't figure out the
> > ovirt-provider-ovn CA usage.
> >
> > My little bit of digging seems to show that the engine connects to the
> > provider and is using an SSL client cert, and that cert is signed by
> > something... but I'm not sure what.  I think the provider side is trying
> > to validate with the following setting from
> > /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> >
> > [OVIRT]
> > ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem
> >
> > Following the general "3rd-party SSL", that is now the Let's Encrypt CA.
> > I tried changing it to point to the original self-signed oVirt CA (same
> > directory, just "ca.pem"), but that didn't work either.
> >
> > Any suggestions?
>