On Wed, Jan 26, 2022 at 8:56 AM Guillaume Pavese <guillaume.pavese@interactiv-group.com> wrote:
Hello,
I too have a problem using custom cert with OCP provisioning on oVirt

Adding Evgeny and Janos for this.
 

I followed the following documentation to update the default cert with my letsencrypt one :

This documentation is similar to the one linked by Yedidyah Bar David: https://www.ovirt.org/documentation/administration_guide/index.html#appe-Red_Hat_Enterprise_Virtualization_and_SSL

After following these steps, I can verify in my browser that the engine is now behind the new custom certificate from letsencrypt.


Indeed - that's intentional. This certificate is still in use, internally.
 

When running openshift-install create install-config, the certificate that is automatically retrieved from engine.fqdn:443 is the old one, not the new custom one.

Are there missing steps in the above procedures?

Not sure how OCP on oVirt does this, but it should not use the above URL.
For doing this safely, it should either use out-of-band means, or let the
user supply the cert(s). If safety is not an issue, you should be able to
get the certs right off the SSL connection, e.g. with 's_client --showcerts',
e.g.:

https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server

Good luck and best regards,
--
Didi
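
Added example, not part of the original message and not code from oVirt or the OpenShift installer: one way to combine the two options mentioned above, by taking the chain a server presents (text in the shape printed by `openssl s_client -showcerts`) and accepting it only if one certificate matches a SHA-256 fingerprint obtained out of band. The function names, host name and sample output are assumptions, and the sample certificates are constructed placeholder bytes rather than real X.509 data.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem(der):
    """Wrap raw bytes in PEM armour (used only to build the sample below)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def extract_chain(text):
    """DER bytes of every PEM block, in the order the server presented them."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]


def fingerprint(der):
    """SHA-256 over the DER encoding, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def normalize(fp):
    """Accept 'AA:BB:..' (openssl style) or plain hex."""
    return fp.replace(":", "").strip().lower()


def chain_is_trusted(text, out_of_band_fps):
    """True only if a presented cert matches a fingerprint obtained out of band."""
    trusted = {normalize(fp) for fp in out_of_band_fps}
    chain = extract_chain(text)
    return bool(chain) and any(fingerprint(der) in trusted for der in chain)


# Constructed sample: placeholder bytes, not real X.509 certificates.
LEAF = b"constructed leaf certificate bytes"
CA = b"constructed issuing CA certificate bytes"
SAMPLE_OUTPUT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:CN = engine.example.test\n   i:CN = Example CA\n" + pem(LEAF) +
    " 1 s:CN = Example CA\n   i:CN = Example CA\n" + pem(CA) + "---\n"
)

if __name__ == "__main__":
    for der in extract_chain(SAMPLE_OUTPUT):
        print(fingerprint(der))
```

A chain with no match, or output containing no certificate at all, is rejected rather than trusted on first use.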