
On Tue, May 8, 2018 at 7:11 PM, Sandro Bonazzola <sbonazzo@redhat.com> wrote:
Adding Didi
On Tue, May 8, 2018, 10:32 Jiří Sléžka <jiri.slezka@slu.cz> wrote:
Hi,
solution was obvious. Upgrade process modified apache's ssl.conf and reverted my customization.
for example - my custom cert...
SSLCertificateFile /etc/pki/tls/certs/ovirt.crt.pem
...was replaced by this
SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer
the same for SSLCertificateKeyFile and SSLCACertificateFile
Actually that was intended, see [1]. But I admit I didn't specifically think about 3rd-party CAs, sorry.
You were notified about this by engine-setup, right?
"Apache httpd SSL was already configured in the past, but some needed changes are missing there. Configure again? (Automatic, Manual) [Automatic]:"
Please open a bug about this. Not sure exactly what the bug should say - perhaps that on upgrade, engine-setup should only touch specific values there, which do not include SSL*File, perhaps show to the user what we are actually going to change, perhaps default to 'No' - not sure about this - and change to 'Yes, No'.
[1] https://bugzilla.redhat.com/1558500
After reverting these changes everything works as usual but it makes me unsure if I have my 3rd party certificate configured the right way...
You are welcome to review other changes we did and decide for yourself. See also:
https://www.ovirt.org/develop/release-management/features/infra/pki-renew/
https://www.ovirt.org/documentation/how-to/migrate-pki-to-sha256/
Cheers,
Jiri
On 05/07/2018 05:41 PM, Jiří Sléžka wrote:
Hi,
after upgrading ovirt from 4.2.2 to 4.2.3.5-1.el7.centos I cannot log in to the admin portal because
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I am using custom 3rd party certificate
Any hints how to resolve this issue?
I am not sure this should have happened. If engine-setup replaced all relevant SSL*File options, it should have worked, and at most you should have received a pop-up in your browser. Please also check/share engine-setup log from /var/log/ovirt-engine/setup and the actual changes to ssl.conf.
Thanks!
Best regards,
Thanks in advance,
Jiri Slezka
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
-- Didi
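
The thread asks for "the actual changes to ssl.conf" after engine-setup rewrote the SSL*File options. One way to check for that, as an added example that is not part of the original messages or of oVirt: it compares a pre-upgrade copy of ssl.conf with the current one and lists custom certificate paths that were changed. The function names, the sample files, and the key and CA paths are constructed for illustration, and it assumes each directive appears once per file.

```shell
#!/bin/sh
# Added example (not from the thread): spot SSL*File directives that an
# upgrade pointed back at the engine's internal PKI.

# Assumption: the engine-managed PKI lives under this prefix, as in the
# apache.cer path quoted in the thread.
OVIRT_PKI_PREFIX="/etc/pki/ovirt-engine/"

# Print "<directive> <path> <engine|custom>" for each active directive.
ssl_file_directives() {
    awk -v prefix="$OVIRT_PKI_PREFIX" '
        $1 ~ /^#/ { next }                       # skip commented-out lines
        $1 ~ /^SSL(Certificate|CertificateKey|CACertificate)File$/ {
            path = $2
            gsub(/"/, "", path)                  # tolerate quoted paths
            print $1, path, (index(path, prefix) == 1 ? "engine" : "custom")
        }' "$1"
}

# Compare a pre-upgrade copy ($1) with the current file ($2). Prints every
# custom directive whose path changed and returns 1 if there is any.
reverted_directives() {
    after_list=$(ssl_file_directives "$2")
    changed=$(ssl_file_directives "$1" | while read -r name path origin; do
        [ "$origin" = custom ] || continue
        new=$(printf '%s\n' "$after_list" | awk -v n="$name" '$1 == n { print $2 }')
        [ "$new" = "$path" ] || echo "$name: $path -> ${new:-<missing>}"
    done)
    if [ -n "$changed" ]; then
        printf '%s\n' "$changed"
        return 1
    fi
}

# Constructed sample files; only the two SSLCertificateFile paths come from
# the thread, the key and CA paths are made up for the demo.
write_samples() {
    cat > "$1/before.conf" <<'EOF'
SSLCertificateFile /etc/pki/tls/certs/ovirt.crt.pem
SSLCertificateKeyFile /etc/pki/tls/private/ovirt.key.pem
# SSLCACertificateFile /etc/pki/tls/certs/old-chain.pem
SSLCACertificateFile /etc/pki/tls/certs/example-ca-chain.pem
EOF
    cat > "$1/after.conf" <<'EOF'
SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer
SSLCertificateKeyFile /etc/pki/tls/private/ovirt.key.pem
SSLCACertificateFile /etc/pki/tls/certs/example-ca-chain.pem
EOF
}
```

On a real host, call `reverted_directives` with a saved pre-upgrade copy as the first argument and the live ssl.conf as the second; a non-zero return means a custom path was replaced.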