Hi all,
## What do I need now? To fix all certificate problems using my FreeIPA-generated certificates: vdsmclient* on hosts, ovirt-engine communication SSL certificates on hosted-engine.
With FreeIPA (internal) I made the certificates for ovirt-engine (only Apache, self-hosted) and the hosts (vdsmclient and vdsmkey....) and replaced them using this howto:
## Now ovirt-engine can't contact a host (Non Responsive), with these errors (yes, I have a backup of all the old certificates):
VDSM host.domain.tld command GetCapabilitiesVDS failed: General SSLEngine problem
In engine.log:
2018-01-23 13:33:40,160+01 ERROR [org.ovirt.engine.core.vdsbroker.vdsbroker.GetAllVmStatsVDSCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-23) [] Command 'GetAllVmStatsVDSCommand(HostName = host.domain.tld, VdsIdVDSCommandParametersBase:{hostId='d6bc650b-7edd-4019-b316-54313217880f'})' execution failed: VDSGenericException: VDSNetworkException: General SSLEngine problem
2018-01-23 13:33:40,160+01 INFO [org.ovirt.engine.core.vdsbroker.monitoring.PollVmStatsRefresher] (EE-ManagedThreadFactory-engineScheduled-Thread-23) [] Failed to fetch vms info for host 'host.domain.tld' - skipping VMs monitoring.
## I read that ovirt-engine generates certificates for all hosts and that it uses its own CA.
Questions:
- How can I fix the communication between hosted-engine and vdsm on the hosts? Should I copy my FreeIPA ca.crt and replace the ca.der file in /etc/pki/ovirt-engine/certs?
- Should I replace the engine.cer certificate in /etc/pki/ovirt-engine/certs with my certificate made using FreeIPA?
- How do I do that properly?
- Where can I find a complete workflow for SSL certificates in oVirt? Which certificates should I change?
## I found some links that are confusing to me (or I'm just dumb); I will take my final solution and write a howto for everyone:
... Well, why do I keep receiving errors with the self-signed CA from ovirt-engine and the disk uploads? (Unable to upload image to disk a-b-c-d-e due to a network error. Make sure ovirt-imageio-proxy service is installed and configured, and ovirt-engine's certificate is registered as a valid CA in the browser. The certificate can be fetched from https://<engine_url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA)
Thanks in advance!
Best Regards,
Gabriel
PS: I would help with the oVirt wiki if needed. I would follow the RHCE path and do the RHCS certification too; it will be nice to study a lot.
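
An added illustration, not part of the original post and not oVirt's or FreeIPA's own tooling: the script below builds two throwaway CAs, standing in for the engine's internal CA and an external CA such as FreeIPA, and shows that a host certificate issued by one does not verify against the other, a trust mismatch worth ruling out when the engine logs "General SSLEngine problem". All file names, CN values and helper function names are constructed for the example.

```shell
#!/bin/sh
# Constructed demo: two throwaway CAs stand in for the engine's internal CA
# and an external CA. File names and CNs are made up; no real oVirt or
# FreeIPA files are read or written.

make_ca() {        # make_ca <name> <CN>: self-signed CA -> <name>.pem / <name>.key
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" 2>/dev/null
}

issue_cert() {     # issue_cert <ca name> <cert name> <CN>: leaf signed by that CA
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=$3" 2>/dev/null &&
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

chains_to() {      # chains_to <ca pem> <cert pem>: status 0 only if cert verifies
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

issuer_among() {   # issuer_among <cert pem> <ca pem>...: print first CA that verifies it
  cert=$1; shift
  for ca in "$@"; do
    if chains_to "$ca" "$cert"; then echo "$ca"; return 0; fi
  done
  echo none; return 1
}

work=$(mktemp -d) && cd "$work" || exit 1
make_ca engine-ca "constructed engine CA"
make_ca ipa-ca "constructed external CA"
issue_cert ipa-ca host "host.domain.tld"

# Show who issued the host certificate, then test it against each CA in turn.
openssl x509 -in host.pem -noout -subject -issuer
for ca in engine-ca.pem ipa-ca.pem; do
  if chains_to "$ca" host.pem; then
    echo "$ca: host certificate verifies"
  else
    echo "$ca: host certificate does NOT verify"
  fi
done
```

The same `openssl verify -CAfile <ca> <cert>` check can be pointed at a real CA file and a real host certificate to see which side of the connection trusts which issuer.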