
On Fri, Jul 6, 2018 at 9:35 AM, <etienne.charlier@reduspaceservices.eu> wrote:
> From a user point of view ...
> Letsencrypt or another certificate authority ... it should not matter...
> Just having one set of files (cer/key/ca-chain) with a clear name referenced from "all config files" would be the easiest...

Please realize that the engine CA is _mainly_ used to sign hosts' keys. We do not want to let the user do this with a 3rd party (well, until we fix bz 1134219 <https://bugzilla.redhat.com/show_bug.cgi?id=1134219>, see my other reply). Signing all the other keys is only done "because we can" :-), to simplify things by default.

> Once you get the certs from your provider, you just overwrite the files with your own, restart the services and "that's it" ;-)

That's the one-line summary of: https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/ <https://bugzilla.redhat.com/show_bug.cgi?id=1134219> or at least that's the intention.

> Letsencrypt renewing does not have to be handled on ovirt host (on a bastion host where LE is configured, a simple script can be run to update the certs and restart the services...)

Indeed.

> My 0.02€
> Etienne
-- Didi