On Wed, Jul 4, 2018 at 6:50 PM, Nir Soffer <nsoffer@redhat.com> wrote:

On Wed, Jul 4, 2018 at 11:08 AM Etienne Charlier <Etienne.Charlier@reduspaceservices.eu> wrote:

Thanks for getting back to me.

I wanted to "protect" my ovirt installation with letsencrypt certificates ( to have a "green" bar in my chrome browser.)
I think there is a misconception here. Using the engine builtin CA is more secure than any other
CA, not less secure. You don't protect anything by using another CA.

Well, not sure I agree, but not sure that's the point...

The engine-internal CA is only protected by a unix ACL, on the engine machine. So if you manage to get root on it, you can do anything with the engine CA.

Most reasonable CAs (including hopefully most organization-internal ones) have more than one level in the authority chain, with the root cert's key being kept offline in some safe, so it's harder to break.

What you really need to do is to import the engine CA certificate to your browser, and this is also
required for communicating with the proxy.

Unless you know what you are doing, replacing the certificates with your own is going to be
hard.

Should not be - we have this doc, and should update it as needed:

[1] https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/

Actually it's indeed somewhat out-of-date. See also:

[2] https://bugzilla.redhat.com/show_bug.cgi?id=1385617

which should be the only thing missing in:

[3] https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.2/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl

which is somewhat more up-to-date than [1] (has websocket-proxy).

I set up a bastion host where I configured letsencrypt.

I copied the certificates over the ovirt engine machine and ran the script "convert.sh" ( see attachement). ( still need to automate it to handle certificate renew..)

Once this was in place, the test connection button ( in upload image UI) gave me "green" "Connection to ovirt-imageio-proxy was successful."
This means that the proxy is configured to use the new CA, but this is not enough
to upload. The proxy has its own certificates, and they must be signed by the new
CA.

So to use your own certificates, you have to regenerate both the engine certificates,
and the proxy certificates, and this process is not easy or documented yet.

Isn't this what above bug [2] is about? You wrote there that it's ok to configure the proxy to use same key/cert as apache.

Thanks,

If you created everything correctly, you need to configure the proxy to use the new
certificates.

Finally, you need to restart ovirt-imgaeio-proxy, since it does not support reloading
certificates or configuration changes yet.

I think the best solution for you is to use engine builtin PKI, managed by engine-setup.

To "protect" your ovirt installation, add the engine CA to your browser using this link:
https://my.engine/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA

You save this file locally, and then you import this certificate into your browser.

Using Chrome, you do:
1. go to: Settings > Advanced > Manage Certificates > Authorities
2. click "Import"
3. select the certificate
4. check "Trust this certificate for identifying web sites"
5. confirm
6. restart the browser

Here a copy of engine.log and ovirt-imageio-proxy log files. The ssl paths are dumped in the log file

Thanks for your support

Etienne

De : Nir Soffer <nsoffer@redhat.com>
Envoyé : mardi 3 juillet 2018 23:31
À : Etienne Charlier
Cc : users@ovirt.org; Daniel Erez
Objet : Re: [ovirt-users] Cannot import a qcow2 image

On Tue, Jul 3, 2018 at 11:47 PM Nir Soffer <nsoffer@redhat.com> wrote:

On Tue, 3 Jul 2018, 15:44 , <etienne.charlier@reduspaceservices.eu> wrote:

Hello,

I' m trying without success to import a qcow2 file into ovirt. I tried on a ISCSI datadomain and an nfs datadomain.

I struggled quite a lot to have the "test connection" succed ( I write a small shell script to "deploy" letsencryt certificates into ovirt engine)

Doc is not clear on the fact that certificates for imageio-proxy are different than for main engine…

Now, the upload fails with

Transfer was stopped by system. Reason: failed to add image ticket to ovirt-imageio-proxy.
Image gets stuck in "transfer paused by system"

Any idea ?

you probably have bad cretificate configuration in the proxy. Why not use the default certificates generated by engine setup? This is how we test the proxy.

Can you share the contents of:

/etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf

And the proxy log at

/var/log/ovirt-imageio-proxy/image-proxy.log

Showing the time of the error (failed to add image ticket to ovirt-imageio-proxy.)

Nir

ovrit is up to date: 4.2.4 on both engine and hosts.
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/FTC3PBZCRRTI2LBADOPOS2EYRCZ6EQA3/

Didi