On Mon, Aug 31, 2015 at 6:08 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:


----- Original Message -----
> From: "Baptiste Agasse" <baptiste.agasse@lyra-network.com>
> To: "users" <users@ovirt.org>
> Sent: Monday, August 31, 2015 6:54:28 PM
> Subject: [ovirt-users] ovirt 3.5 engine web certificate
>
> Hi all,
>
> I've followed the procedure to replace the self-signed certificate with one issued
> by our internal PKI to avoid a security failure when users access the webui
> (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https).
> The connection to the webui now works fine without any security warning (the
> internal PKI CA is in the trusted CA store of our clients' OS). But on the other
> hand, I have some troubles:
>
> * I have to specify the --ca-file option for ovirt-shell and
> engine-iso-uploader (I didn't test the engine-image-upload command); it would
> be nice if the documentation provided a way to replace this default (or
> use the trusted CA store of the OS?). This is not a bug, just some feedback
> on the certificate change procedure, which doesn't cover these side effects.

This is [1]; you probably want to modify the configuration files of these tools under /etc so you have proper defaults.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1146710

> * I can't add new ovirt-node anymore.

If ovirt-node was added using the previous certificate it "remembers" that certificate.
You can remove it from /etc/pki/vdsm/engine_web_ca.pem and try to register again.

> * The ovirt-hosted-engine --deploy fails
> on new nodes with an SSL error. To work around this I have to modify the file
> "/usr/lib/python2.7/site-packages/ovirtsdk/web/connection.py" around line
> 233 to make an insecure connection to the engine and add the new node. I
> haven't tested adding a new node from the ovirt engine cli/webui but I
> think it will be the same issue because the error occurs during the vdsm
> activation, which is common to the 'new hosted engine node' and 'new node'
> deployments. I've seen https://bugzilla.redhat.com/show_bug.cgi?id=1059952
> but the workaround noted in comment #8 didn't work for me.

CC sandro for this.

Can you please share a full sos report?
 

>
> Does someone have more info on this issue, or the same problem?
>
> This deployment is on ovirt 3.5.3, CentOS 7 (engine and nodes).
>
> Have a nice day.
>
> Regards.
>
> --
> Baptiste
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>



--
Sandro Bonazzola
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com
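As an added illustration of the failure mode Alon describes (the node keeps the CA it saw at registration in /etc/pki/vdsm/engine_web_ca.pem, so an engine web certificate issued by a different CA no longer validates), the script below reproduces the mismatch offline with throwaway certificates generated by openssl. It is not part of this thread and not oVirt's own code; the CA names, the hostname engine.example.com and the temporary directory are constructed stand-ins, and engine_cert_trusted() is a hypothetical helper that wraps plain `openssl verify`.

```shell
#!/bin/sh
# Added example (not from the thread): an engine web certificate issued by the
# internal PKI fails against the stale CA a node cached at registration, and
# passes once that CA file is replaced. All key material is generated here
# as constructed test data; nothing touches a real engine or node.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a self-signed CA certificate. $1 = common name, $2 = output basename.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# Issue an end-entity certificate for hostname $1, signed by CA basename $2,
# written as basename $3.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$3.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$3.pem" 2>/dev/null
}

# Return 0 if certificate $2 chains to the CA bundle $1, non-zero otherwise.
# On a real oVirt node $1 would be /etc/pki/vdsm/engine_web_ca.pem.
engine_cert_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca   "engine-self-signed-ca" old-ca        # CA the node cached when it was added
make_ca   "internal-pki-ca"       new-ca        # CA that issued the replacement web cert
make_leaf "engine.example.com"    new-ca engine # the engine's new web certificate

if engine_cert_trusted "$WORK/old-ca.pem" "$WORK/engine.pem"; then
    echo "unexpected: stale CA validates the new engine certificate"
else
    echo "stale engine_web_ca.pem rejects the new engine certificate (the SSL error)"
fi

if engine_cert_trusted "$WORK/new-ca.pem" "$WORK/engine.pem"; then
    echo "with the internal PKI CA in engine_web_ca.pem, verification succeeds"
fi
```

To run the same check against a live engine from a node, point openssl at the cached CA file and look for "Verify return code: 0 (ok)" in the output: `openssl s_client -connect engine.example.com:443 -CAfile /etc/pki/vdsm/engine_web_ca.pem </dev/null` (hostname is a placeholder). A non-zero verify code with "unable to get local issuer certificate" is the signature of the stale-CA case above, and the fix is the one Alon gives: replace the cached CA before registering the node again.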