On Wed, Jan 26, 2022 at 8:56 AM Guillaume Pavese <
guillaume.pavese(a)interactiv-group.com> wrote:
> Hello,
> I too have a problem using custom cert with OCP provisioning on oVirt.

Adding Evgeny and Janos for this.

> I followed the following documentation to update the default cert with my
> letsencrypt one:
> https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/...
> This documentation is similar to the one linked by Yedidyah Bar David:
> https://www.ovirt.org/documentation/administration_guide/index.html#appe-...
> After following these steps, I can verify in my browser that the engine is
> now behind the new custom certificate from letsencrypt.
> However, the old certificate is still served by the URL:
> https://engine.fqdn/ovirt-engine/services/pki-resource?resource=ca-certif...

Indeed - that's intentional. This certificate is still in use, internally.

> When running openshift-install create install-config, the certificate that
> is automatically retrieved from engine.fqdn:443 is the old one, not the new
> custom one.
> Are there missing steps in the above procedures?

Not sure how OCP on oVirt does this, but it should not use the above URL.
For doing this safely, it should either use out-of-band means, or let the
user supply the cert(s). If safety is not an issue, you should be able to
get the certs right off the SSL connection, e.g. with 's_client
--showcerts',
e.g.:
https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-cert...
Good luck and best regards,
--
Didi
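
The reply above contrasts taking the certificate straight off the TLS connection with obtaining it by out-of-band means. As an added example (not part of the original message, and not code from oVirt or openshift-install), the Python sketch below fetches the leaf certificate without validation, as `s_client` would, and accepts it only if its SHA-256 fingerprint matches one obtained out-of-band. The function names, the host `engine.example` and the sample bytes are assumptions made for illustration; note that it checks only the leaf, while `s_client` with the show-certs option prints the whole chain.

```python
import hashlib
import hmac
import ssl

# Constructed placeholder bytes standing in for a DER certificate (not a real cert).
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AA:BB:...' or 'aabb...' and return lowercase hex without separators."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the certificate's DER encoding, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def matches_pin(pem: str, expected: str) -> bool:
    """True only if the certificate's fingerprint equals the out-of-band value."""
    return hmac.compare_digest(sha256_fingerprint(pem), normalize_fingerprint(expected))


def fetch_leaf_pem(host: str, port: int = 443) -> str:
    """Fetch the server's leaf certificate with no validation (trust on first use)."""
    return ssl.get_server_certificate((host, port))


def fetch_and_check(host: str, expected: str, port: int = 443, fetch=fetch_leaf_pem) -> str:
    """Fetch the certificate and refuse it unless it matches the pinned fingerprint.

    `fetch` is injectable so the check can be exercised without a network.
    """
    pem = fetch(host, port)
    if not matches_pin(pem, expected):
        raise ValueError(
            f"certificate from {host}:{port} has fingerprint "
            f"{sha256_fingerprint(pem)}, which does not match the pinned value"
        )
    return pem


if __name__ == "__main__":
    # Offline demonstration: the "server" returns the constructed sample.
    pin = hashlib.sha256(SAMPLE_DER).hexdigest()  # stands in for the out-of-band value
    stub = lambda host, port: SAMPLE_PEM
    print(fetch_and_check("engine.example", pin, fetch=stub) == SAMPLE_PEM)
```
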