9:46 a.m.
On Mon, Jun 18, 2018 at 9:19 AM, Tomas Jelinek <tjelinek(a)redhat.com> wrote:
On Mon, Jun 18, 2018 at 8:01 AM, Yedidyah Bar David <didi(a)redhat.com> wrote:
>
> On Sun, Jun 17, 2018 at 6:11 PM, John Florian <jflorian(a)doubledog.org>
> wrote:
> > I followed the docs at
> > https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/ and
> > all
> > works well from the usual web portal. Went to test moVirt and ran into
> > a
> > snag. It wants to download the CA using
> >
> >
http://fqdn/ovirt-engine/services/pki-resource?resource=ca-certificate&am...,
>
> I never tried movirt, but the user's guide [1] says it can import
> user-supplied certs, so you can supply your own CA's cert, no?
correct, you can supply your own certificate, movirt just by default grabs
the one which is provided by engine at:
http://fqdn/ovirt-engine/services/pki-resource?resource=ca-certificate&am...
@Ravi: is it correct that after you provide your own CA that the
http://fqdn/ovirt-engine/services/pki-resource?resource=ca-certificate&am...
is still pointing to the old one?
Yes - check this:
https://ovirt.org/develop/release-management/features/infra/pki/#services
It does not have a resource "apache-certificate" or anything like that.
The assumption is that user that changes httpd's conf to use a 3rd-party CA,
is in control of it, not the engine - so the engine can't handle it. This is
even if the user followed the documentation, because in principle, the user
can do other things - e.g. point SSLCACertificateFile at a different file
instead of replacing the content of the existing apache-ca.pem (which defaults
to a symlink to ca.pem, which _is_ controlled by the engine (as in "we do not
have any documentation about how to replace it, and doing that will break many
flows").
>
>
> Anyway, patches (to either that web page or movirt, or both) are most
> welcome!
>
> Best regards,
>
> [1] https://github.com/oVirt/moVirt/wiki/User%27s-guide
>
> > but that's grabbing the old CA issued by the engine rather than my
> > custom
> > CA. What else needs to be changed? I'm sure I can finagle my way to a
> > fix
> > here by telling moVirt to use a custom URL or file, but this looks like
> > a
> > bug in the docs that would probably best be fixed.
> >
> > --
> > John Florian
> >
> >
> > _______________________________________________
> > Users mailing list -- users(a)ovirt.org
> > To unsubscribe send an email to users-leave(a)ovirt.org
> > Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> > oVirt Code of Conduct:
> > https://www.ovirt.org/community/about/community-guidelines/
> > List Archives:
> >
> >
https://lists.ovirt.org/archives/list/users@ovirt.org/message/2DUNW4Y24HW...
> >
>
>
>
> --
> Didi
> _______________________________________________
> Users mailing list -- users(a)ovirt.org
> To unsubscribe send an email to users-leave(a)ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
>
https://lists.ovirt.org/archives/list/users@ovirt.org/message/EXKTGCRWIYI...
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/BP74SDAVQNA...
--
Didi