On Mon, Jul 13, 2020 at 5:46 PM Nir Soffer <nsoffer(a)redhat.com> wrote:
On Fri, Jul 10, 2020 at 10:56 AM Erez Zarum <erezz(a)nanosek.com> wrote:
>
> Replying to myself again, i managed to "solve" this.
You actually solved it, no quotes required :-)
> in /etc/ovirt-imageio/conf.d/50-engine.conf it uses the key_file and cert_file of
> the apache by default.
> For the CA cert it is indeed using the apache-ca.pem as expected (?), it seems to
> use the same CA when trying to reach the VDSM imageio daemon running on each host; for
> obvious reasons those are two different CAs, the apache-ca.pem is used by the Engine
> "frontend".
> Changing the ca_file to /etc/pki/ovirt-engine/ca.pem and restarting the imageio daemon
> on the ovirt-engine solved this issue.
Right, you need to change the ovirt-imageio configuration to replace the CA.
But note that you should not touch:
/etc/ovirt-imageio/conf.d/50-engine.conf
This file is owned by engine and your changes will be dropped silently on the next upgrade.
You need to add your own configuration file, maybe:
/etc/ovirt-imageio/99-local.conf
Where you can override what you need:
[tls]
ca_file = ...
This is documented in the top of 50-vdsm.conf:
# Configuration overrides for vdsm.
#
# WARNING: This file owned by vdsm. If you modify this file your changes will
# be overwritten in the next vdsm upgrade.
#
# To change the configuration create a new drop-in file with a higher prefix,
# so your setting will override vdsm and builtin configuration:
#
# $ cat /etc/ovirt-imageio/conf.d/99-locl.conf
# [logger_root]
# level = DEBUG
#
# This example overrides ovirt-imageio service log level to DEBUG.
But the documentation is missing on engine side.
Please file engine bug for this.
Sorry, this is already documented also on engine side:
# Configuration overrides for ovirt-engine.
#
# WARNING: This file owned by ovirt-engine. If you modify this file your
# changes will be overwritten in the next ovirt-engine upgrade.
#
# To change the configuration create a new drop-in file with higher prefix,
# so your setting will override ovirt-engine configuration:
#
# $ cat /etc/ovirt-imageio/conf.d/99-locl.conf
# [tls]
# ca_file =
#
# This example overrides ca_file to be empty string. This can be useful if
# the host certificates are signed by a trusted CA.
There are some typos but it is very clear.
Typos fixed here:
https://gerrit.ovirt.org/c/110265/
https://gerrit.ovirt.org/c/110266/
> The information here:
> http://ovirt.github.io/ovirt-imageio/overview.html is misleading.
Please file ovirt-imageio Documentation bug for this.
Nir
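The drop-in mechanism discussed above (a file with a higher prefix in /etc/ovirt-imageio/conf.d overriding the engine-owned 50-engine.conf, including the ca_file = empty-string case from the file comment) as an added, stand-alone example. This is not ovirt-imageio's own loader; it assumes what the quoted file comments describe, namely that conf.d files are applied in lexical filename order and that a key set in a later file replaces the same key from an earlier one while untouched keys are kept. The key_file/cert_file paths and the apache-ca.pem location below are constructed placeholders, not the values shipped by ovirt-engine.

```python
"""Demonstrate drop-in config precedence for an ovirt-imageio style conf.d.

Added example, not code from ovirt-imageio. Assumption: files are read in
sorted (lexical) order and later files override earlier keys, as the
50-vdsm.conf / 50-engine.conf comments quoted in the thread describe.
"""
import configparser
import glob
import os
import tempfile

# Constructed stand-in for the engine-owned 50-engine.conf. Paths are
# placeholders; only the ca_file value mirrors what the thread talks about.
ENGINE_CONF = """\
[tls]
enable = true
key_file = /example/apache.key
cert_file = /example/apache.cer
ca_file = /example/apache-ca.pem
"""

# The override Erez applied: use the engine CA that signed the hosts'
# VDSM/imageio certificates instead of the apache frontend CA.
LOCAL_CONF = """\
[tls]
ca_file = /etc/pki/ovirt-engine/ca.pem
"""

# The variant documented in the file comment: empty ca_file, for hosts whose
# certificates are signed by a CA the system already trusts.
EMPTY_CA_CONF = """\
[tls]
ca_file =
"""


def load_drop_ins(conf_dir):
    """Merge every *.conf under conf_dir in lexical order; later files win.

    Returns the merged parser and the list of file names in the order applied.
    """
    files = sorted(glob.glob(os.path.join(conf_dir, "*.conf")))
    parser = configparser.ConfigParser(interpolation=None)
    # ConfigParser.read() applies the files in the given order, so a key in a
    # later file silently replaces the same key from an earlier one.
    parser.read(files)
    return parser, [os.path.basename(f) for f in files]


def effective_tls(drop_ins):
    """Write {filename: content} into a scratch conf.d and return the merged
    [tls] section plus the order the files were applied in."""
    with tempfile.TemporaryDirectory() as conf_dir:
        for name, text in drop_ins.items():
            with open(os.path.join(conf_dir, name), "w") as fh:
                fh.write(text)
        parser, order = load_drop_ins(conf_dir)
        return dict(parser["tls"]), order


if __name__ == "__main__":
    for label, files in (
        ("engine only", {"50-engine.conf": ENGINE_CONF}),
        ("99-local override", {"50-engine.conf": ENGINE_CONF, "99-local.conf": LOCAL_CONF}),
        ("10-local (too low)", {"50-engine.conf": ENGINE_CONF, "10-local.conf": LOCAL_CONF}),
        ("100-local (lexical!)", {"50-engine.conf": ENGINE_CONF, "100-local.conf": LOCAL_CONF}),
        ("99-local empty ca", {"50-engine.conf": ENGINE_CONF, "99-local.conf": EMPTY_CA_CONF}),
    ):
        tls, order = effective_tls(files)
        print(f"{label:22} order={order} ca_file={tls['ca_file']!r}")
```

Under the lexical-order assumption a local file named 10-local.conf or even 100-local.conf sorts before 50-engine.conf and therefore does not override it; the override only takes effect when the prefix sorts after 50, which is why the file comments say "higher prefix". Check the merged result (for example with a script like this against the real /etc/ovirt-imageio/conf.d) before relying on a drop-in, since a silently ignored override leaves the daemon verifying the hosts against the wrong CA.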