9:51 p.m.
On Tue, May 10, 2022 at 8:37 PM <louisb(a)ameritech.net> wrote:
I greatly appreciate the response, however, following you instructions I’m still not able
to upload an ISO via the GUI.
When try an upload using the GUI I follow the instruction below:
• In the pane on the left hand side of the screen, I select “Storage”.
• Select “Disks”.
• Where I get the screen “Storage > Disks”.
• On the top right hand side of the screen, I select “Upload”.
• From the pull down menu I select “Start”.
• I choose the file/ISO I want to upload, in this case its “CENTOS-Stream” version
9.
• At the bottom of the screen I click the “Test Connection” button.
• The following messages appears:
Connection to “ovirt-imageio-service” has failed. Ensure the “ovirt certificate” is
registered as a valid CA in the browser.
• I click/select the “ovirt certificate” which is highlighted in blue on my screen.
• It displays the option to save the certificate or view it in the browser. My
browser is Firefox 91.9.0.
• I save the certificate which I later import into my browser (following your
instruction). The certificate is accepted by the browser with no errors encountered.
• I then restart the upload process again and “Test Connection”. The same message
is displayed:
Connection to “ovirt-imageio-service” has failed. Ensure the “ovirt certificate” is
registered as a valid CA in the browser. The same message as earlier in the process.
Great, the issue is clear now - your browser cannot access ovirt-imageio service
since the browser likey does not have the certificate, or maybe ovirt-imageio is
misconfigured in some way.
To make sure you imported the certificate in the browser - when you
access the engine,
do you get a warning about an insecure site?
For example in my Firefox (100.0, Fedora 35) I see a secure
connection, see screenshots.
If you have the certificate, we need to understand why the browser
cannot connect
to imageio service.
One reason is installing ovirt on a single host, and adding the *same*
host to engine
a hypervisor. This setup was called "all-in-one" and was deprecated
few years ago
and is not officially supported - but it can work if you modify engine
configuration.
If you have this kind of installation, you need to disable the imageio
proxy in engine
configuration:
engine-config -s ImageTransferProxyEnabled=false
And restart ovirt-engine service. Upload should work after this change.
If your engine is not running on your single host, we need to understand why
the imageio service does not recognize the certificate.
Please share output of:
ovirt-imageio --show-config
ls -lh /etc/pki/ovirt-engine/apache-ca.pem
Here are example values from my system - regular engine install using defaults:
$ ovirt-imageio --show-config
...
"control": {
"port": 54324,
"prefer_ipv4": true,
"remove_timeout": 60,
"socket": "/run/ovirt-imageio/sock",
"transport": "tcp"
},
...
"remote": {
"host": "::",
"port": 54323
},
"tls": {
"ca_file": "/etc/pki/ovirt-engine/apache-ca.pem",
"cert_file": "/etc/pki/ovirt-engine/certs/apache.cer",
"enable": true,
"enable_tls1_1": false,
"key_file": "/etc/pki/ovirt-engine/keys/apache.key.nopass"
}
...
$ ls -lh /etc/pki/ovirt-engine/apache-ca.pem
lrwxrwxrwx. 1 root root 28 Apr 18 00:21
/etc/pki/ovirt-engine/apache-ca.pem -> /etc/pki/ovirt-engine/ca.pem
Nir
