1:02 p.m.
On Mon, Feb 4, 2019 at 1:21 PM Yedidyah Bar David <didi(a)redhat.com> wrote:
On Wed, Jan 30, 2019 at 10:28 PM Chris Adams <cma(a)cmadams.net> wrote:
>
> Digging a little deeper... if I add the Let's Encrypt CA to
> /etc/pki/ovirt-engine/.truststore, imageio-proxy works (I can
> successfully upload an ISO), so I guess the issue is that imageio-proxy
> uses the same cert for web and engine communication and the engine
> wasn't happy with the public-CA-signed cert.
I think I agree with your analysis.
I now reproduced this on a test env.
I started with ovirt-system-tests basic suite deploy, made sure I
can upload an image.
Then I followed the docs about replacing certs, using a temporarily-
created CA for testing (using openssl, actually using a copy of the
engine's pki scripts), including adding 99-custom-truststore.conf,
imported the CA's cert to the browser, and:
1. Connecting with the browser worked, all is green.
2. Logged in, pressed "Disks -> Upload -> Start -> Test Connection",
and it failed.
3. Edited the ovirt-imageio-proxy conf to point key and cert to a
key and cert I created and signed using my temp ca, restarted it,
"Test Connection" worked.
4. Actually uploading the image failed as you describe.
5. Imported my CA's cert to /etc/pki/ovirt-engine/.truststore,
using:
keytool -importcert -trustcacerts -keystore
/etc/pki/ovirt-engine/.truststore -storepass mypass -file
/etc/pki/ovirt-engine/apache-ca.pem
and restarted the engine, and then upload works.
Adding Martin and Nir.
>
> So, rather than point part of the engine at a separate trust store (as
> the docs recommend), maybe just add the public CA to the engine's
> existing trust store?
I admit I still didn't try to fully analyze this myself, but I tend
to agree with you. Or rather: Our docs should probably support both
options - tell the engine to trust (and use?) the system-wide store,
or manually add a specific cert. Because I guess you can find people
that will prefer either option.
Decided that only the first makes sense, opened this bug, should be
fixed in 4.3.2:
https://bugzilla.redhat.com/1687301
This is obviously just one step. The next will be:
https://bugzilla.redhat.com/show_bug.cgi?id=1637809
Then, hopefully, following the existing doc to use 3rd-party CA
will "just work" also for imageio.
BTW, of course you can also create another custom truststore
only for https access to the engine, and point
ENGINE_HTTPS_PKI_TRUST_STORE at it - but I wouldn't add this to
the docs before we have automated testing that makes sure this
does not break in the future.
Best regards,
>
> However, while digging, I also noticed that now the engine is not
> communicating with ovirt-provider-ovn, possibly due to a similar issue?
> It is having the reverse problem; it rejects the engine's cert.
Didn't try this yet, adding Dominik.
>
> This is all on 4.2.8 BTW.
I personally tried this on:
ovirt-engine-4.3.0-0.8.master.20190122121624.git9a8a519.el7.noarch
I guess the behavior didn't change much between them.
Thanks for your debugging and report!
Best regards,
--
Didi
--
Didi