
From: "Andrew Lau" <andrew@andrewklau.com>
To: "users" <users@ovirt.org>
Sent: Wednesday, January 29, 2014 8:38:33 AM
Subject: [Users] Hosted Engine adding host SSL Failure (w/ engine custom cert)

Hi,
After running through the new patch posted in BZ 1055153 I'm adding a second host to the hosted-engine cluster but it seems to fail right before the finish:
[ ERROR ] Failed to execute stage 'Closing up': [ERROR]::oVirt API connection failure, [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Couple Extra Notes:
Engine has a custom SSL cert but the CA has been trusted by the new host. When I temporarily return the engine's SSL back to the default generated one the install will succeed.
Setup logs: http://www.fpaste.org/72624/13909770/
What confuses me is:
curl https://engine.example.net with the custom SSL cert will succeed but with the original self-signed gives the expected "insecure" message. What criteria need to be met so the install will pass?

Seems like a bug (or a missing feature) - hosted-engine only supports the self-signed cert. Can you please open a bug for this?

You might manage to make it work by replacing /etc/pki/ovirt-engine/ca.pem with the certificate of your CA, but this will prevent adding hosts (because it's needed to create a certificate for them). Perhaps other things will break too, I didn't try that.
-- 
Didi
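
The curl-versus-installer difference discussed in this thread can be reproduced with a throwaway PKI. This is an added example, not part of the original messages or of oVirt's code; it assumes the failing client verifies the engine against a single pinned CA file (the engine's internal CA) rather than the host's trust store, and every file name and subject in it is constructed.

```shell
#!/bin/sh
# Constructed lab PKI: all names, subjects and files here are made up.
# Assumption: the failing client checks the engine's certificate against one
# pinned CA file (the engine's internal CA), not the host's system trust store.

make_lab_pki() {
    dir=$1
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$dir/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # "internal" stands in for the engine's own CA, "custom" for the admin's CA.
    for ca in internal custom; do
        openssl req -x509 -config "$dir/lab.cnf" -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=lab-$ca-ca" -keyout "$dir/$ca-ca.key" \
            -out "$dir/$ca-ca.pem" 2>/dev/null || return 1
    done
    # Engine web certificate, issued by the custom CA only.
    openssl req -new -config "$dir/lab.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=engine.example.net" -keyout "$dir/engine.key" \
        -out "$dir/engine.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/engine.csr" -days 2 -CA "$dir/custom-ca.pem" \
        -CAkey "$dir/custom-ca.key" -CAcreateserial \
        -out "$dir/engine.pem" 2>/dev/null || return 1
}

# True only if the certificate chains to a CA in the one file given.
chains_to() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_lab_pki "$d" || { rm -rf "$d"; return 1; }
    # custom-ca.pem plays the trust store curl used; internal-ca.pem the pinned file.
    for store in custom-ca internal-ca; do
        if chains_to "$d/$store.pem" "$d/engine.pem"; then r=ok; else r=FAIL; fi
        echo "verify engine.pem against $store.pem: $r"
    done
    rm -rf "$d"
}
demo
```

Running the same `openssl verify` against the real engine certificate and each candidate CA file shows which trust anchor a given client would need.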