
On May 14, 2017, at 3:35 AM, Yedidyah Bar David <didi@redhat.com> wrote:
In addition to Yaniv's explanation below, can you explain why it was bad? That is, what software/process was broken by it? Please note that this is the CN of the CA's cert, not of the individual certs it signs (such as the one for the web server for https) - these have the FQDN you supplied to engine-setup as their CN.
You're absolutely right; my apologies for that red herring. I confused myself after too long at the keyboard.
The 5 random digits are supposed to be OK, and are actually a feature - it ensures uniqueness if you re-generate (most likely reinstall your Engine), as otherwise some browsers fail miserably if a CA cert mismatches what they know.
SAN is being worked on - we are aware of Chrome 58 now requiring it. I sincerely hope to see it in 4.1.2 (see https://bugzilla.redhat.com/1449084 ).
Indeed, and see my comment 5 there for how to add SAN to an existing setup, _after_ you upgrade to 4.1.2 when it's out.
Great, that's handy.
See also:
https://www.ovirt.org/documentation/how-to/networking/changing-engine-hostna...
Thanks for the pointer! That was the missing piece for me; my Google-fu failed to uncover it. I think I have what I need. Thanks again to both of you, -j