On Fri, Jul 6, 2018 at 9:35 AM, <etienne.charlier@reduspaceservices.eu> wrote:
From a user point of view ...

Letsencrypt or another certificate authority ... it should not matter...

Just having one set of files (cer/key/ca-chain) with a clear name referenced from "all config files" would be the easiest...

Please realize that the engine CA is _mainly_ used to sign hosts' keys.
We do not want to let the user do this with a 3rd party (well, until we
fix bz 1134219, see my other reply). Signing all the other keys is only
done "because we can" :-), to simplify things by default.
 

Once you get the certs from your provider, you just overwrite the files with your own, restart the services and "that's it" ;-)

That's the one-line summary of:

https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/

or at least that's the intention.
 

Letsencrypt renewing does not have to be handled on ovirt host (on a bastion host where LE is configured, a simple script can be run to update the certs and restart the services...)

Indeed.
 

My 0.02€
Etienne
_______________________________________________
Users mailing list -- users@ovirt.org
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/QJIAZ25JQYO76OI5T3CAS2E4CKLS2LMU/



--
Didi
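
The bastion-host script mentioned in the thread, as an added example that is not part of the original messages or of oVirt: it checks that the certificate, key and CA chain belong together before anything is overwritten. The file names, destination directory and restart command are placeholders, and the key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example (not from the thread). File names, destination directory and
# restart command are placeholders; take the real ones from the oVirt SSL guide.

# check_cert_set CERT KEY CHAIN [MIN_DAYS]
# Returns 0 if the set is consistent, otherwise:
#   1 unreadable certificate, 2 key does not match the certificate,
#   3 certificate does not verify against the chain, 4 expires too soon.
check_cert_set() {
    cert=$1 key=$2 chain=$3 min_days=${4:-7}
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 2
    # -partial_chain: accept a chain file that holds only intermediates.
    openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1 || return 3
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null || return 4
    return 0
}

# deploy_cert_set CERT KEY CHAIN DEST_DIR RESTART_CMD...
# Copies the files only after every check passes, then runs the restart command.
deploy_cert_set() {
    check_cert_set "$1" "$2" "$3" || {
        rc=$?; echo "refusing to deploy (check $rc failed)" >&2; return "$rc"; }
    dest=$4
    install -m 0644 "$1" "$dest/server.cer.new" &&
    install -m 0600 "$2" "$dest/server.key.new" &&
    install -m 0644 "$3" "$dest/ca-chain.pem.new" || return 5
    # Rename only after all copies succeeded, so a failed copy leaves the old set.
    for f in server.cer server.key ca-chain.pem; do
        mv "$dest/$f.new" "$dest/$f" || return 5
    done
    shift 4
    "$@"   # restart command supplied by the caller
}
```

A non-zero return from `deploy_cert_set` means the live files were not replaced by the new set and the restart command was not run.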