On Fri, Jul 10, 2020 at 10:56 AM Erez Zarum <erezz(a)nanosek.com> wrote:
> Replying to myself again, I managed to "solve" this.
You actually solved it, no quotes required :-)
> In /etc/ovirt-imageio/conf.d/50-engine.conf it uses the key_file and
> cert_file of the apache by default.
> For the CA cert it is indeed using the apache-ca.pem as expected (?). It seems to use the
> same CA when trying to reach the VDSM imageio daemon running on each host. For obvious
> reasons those are two different CAs; the apache-ca.pem is used by the Engine
> "frontend".
> Changing the ca_file to /etc/pki/ovirt-engine/ca.pem and restarting the imageio daemon on
> the ovirt-engine solved this issue.
Right, you need to change the ovirt-imageio configuration to replace the CA.
But note that you should not touch:

    /etc/ovirt-imageio/conf.d/50-engine.conf

This file is owned by engine and your changes will be dropped silently
on the next upgrade.

You need to add your own configuration file, maybe:

    /etc/ovirt-imageio/99-local.conf

Where you can override what you need:

    [tls]
    ca_file = ...
This is documented at the top of 50-vdsm.conf:

    # Configuration overrides for vdsm.
    #
    # WARNING: This file owned by vdsm. If you modify this file your changes will
    # be overwritten in the next vdsm upgrade.
    #
    # To change the configuration create a new drop-in file with a higher prefix,
    # so your setting will override vdsm and builtin configuration:
    #
    # $ cat /etc/ovirt-imageio/conf.d/99-local.conf
    # [logger_root]
    # level = DEBUG
    #
    # This example overrides ovirt-imageio service log level to DEBUG.
But the documentation is missing on the engine side.
Please file an engine bug for this.
Please file an ovirt-imageio Documentation bug for this.
Nir
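
[Added example, not part of the original message and not ovirt-imageio's own code: a small checker that shows which drop-in file supplies each effective option, so you can confirm that a local override of ca_file wins over 50-engine.conf. It assumes drop-ins are applied in lexical filename order with later files overriding earlier ones, as the 50-vdsm.conf comment describes; the function names and the sample file contents are constructed for illustration.]

```python
import configparser
import glob
import os
import sys
import tempfile


def effective_options(conf_dir):
    """Return {(section, option): (value, source_file)} after applying every
    *.conf drop-in in lexical order (assumed precedence: higher prefix wins)."""
    result = {}
    for path in sorted(glob.glob(os.path.join(conf_dir, "*.conf"))):
        parser = configparser.ConfigParser(interpolation=None)
        parser.read(path)
        for section in parser.sections():
            for option, value in parser.items(section):
                # A later file replaces the value and becomes the recorded source.
                result[(section, option)] = (value, os.path.basename(path))
    return result


def demo():
    """Build a constructed drop-in directory: an engine-owned file plus a local override."""
    conf_dir = tempfile.mkdtemp()
    samples = {
        # Constructed stand-in for the engine-owned file; key/cert paths are placeholders.
        "50-engine.conf": "[tls]\n"
                          "key_file = /constructed/apache.key\n"
                          "cert_file = /constructed/apache.cer\n"
                          "ca_file = /constructed/apache-ca.pem\n",
        # Local override carrying only the option that needs to change.
        "99-local.conf": "[tls]\nca_file = /etc/pki/ovirt-engine/ca.pem\n",
    }
    for name, body in samples.items():
        with open(os.path.join(conf_dir, name), "w") as f:
            f.write(body)
    return effective_options(conf_dir)


if __name__ == "__main__":
    # Pass a real drop-in directory as the first argument, or run the constructed demo.
    opts = effective_options(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for (section, option), (value, source) in sorted(opts.items()):
        print(f"[{section}] {option} = {value}    (from {source})")
```

Run against the real drop-in directory, a [tls] ca_file line still attributed to 50-engine.conf means the override file is not being picked up.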