On Thu, May 24, 2018 at 11:49 PM, Peter Harman <pharman@homeyertool.com> wrote:

Ovirt is Hosted Engine and version 4.2 installed a week ago.

OS is Centos7.4 on hosted engine and hosts

 

Peter Harman – Systems and Safety Cordinator  | Homeyer Precision Manufacturing

 

Description: C:\Users\gruether\AppData\Local\Temp\Temp1_Homeyer Logo (2).zip\Homeyer Logo\Homeyer Logo.jpg

 

16051 State Hwy 47, Marthasville, MO 63357| E pharman@homeyertool.com | P 636.433.2244 | F 636.433.5257

 

From: Nir Soffer <nsoffer@redhat.com>
Sent: Thursday, May 24, 2018 3:39 PM
To: Peter Harman <pharman@homeyertool.com>; Yedidyah Bar David <didi@redhat.com>
Cc: users@ovirt.org; Daniel Erez <derez@redhat.com>
Subject: Re: [ovirt-users] Upload Image Error

 

On Thu, May 24, 2018 at 10:57 PM Peter Harman <pharman@homeyertool.com> wrote:

Ovirt Users,

 

What version are you running?

 

 

I am running into a strange problem with uploading images through the webUI. When I test the connection on an upload I get “Connection to ovirt-imageio-proxy service has failed. Make sure the service is installed, configured, and ovirt-engine certificate is registered as a valid CA in the browser.” I have conducted this operation on several computers using both chrome and firefox and ensuring the certs were loaded into the browsers.

 

Are you sure you import the certificate correctly info the browser?

 

 

I went to this page: https://ovirt.org/develop/release-management/features/infra/pki/ to find cert info and checked both the engine and hosts for the certificates and the identity of the certificates – everything seemed to match up.

 

This issue means that the browser refuse to communicate

with the proxy because the proxy certificate does not match

the browser certificates.

 

Is it possible that you changed engine fqdn and regenerated 

engine certificates?

 

Didi, how can we regenerate all certificates to make sure everything

is configured correctly?


I do not think we have a documented procedure directly aimed at "making
sure everything is configured correctly", but a similar one is:

https://www.ovirt.org/documentation/how-to/migrate-pki-to-sha256/

It keeps the internal CA cert (only changes it), but re-creates all the others.
 

 

Or verify that the certificates in a host are correct?

 

Next thing I looked at was the ovirt-imageio-proxy service. I checked it and restarted it below is a status output from one of the failed operations:

 

[root@hpm-engine ~]# systemctl status ovirt-imageio-proxy

● ovirt-imageio-proxy.service - oVirt ImageIO Proxy

   Loaded: loaded (/usr/lib/systemd/system/ovirt-imageio-proxy.service; enabled; vendor preset: disabled)

   Active: active (running) since Thu 2018-05-24 13:25:38 CDT; 1h 13min ago

Main PID: 21239 (ovirt-imageio-p)

    Tasks: 2

   CGroup: /system.slice/ovirt-imageio-proxy.service

           └─21239 /usr/bin/python /usr/bin/ovirt-imageio-proxy

 

May 24 13:25:38 hpm-engine.server.local systemd[1]: Starting oVirt ImageIO Proxy...

May 24 13:25:38 hpm-engine.server.local systemd[1]: Started oVirt ImageIO Proxy.

May 24 14:38:02 hpm-engine.server.local ovirt-imageio-proxy[21239]: 127.0.0.1 - - [24/May/2018 14:38:02] "PUT /tickets/ HTTP/1.1" 200 0

 

This means proxy is running, and engine is able to communicate

with it. Unfortunately, this does not mean that the browser is able to 

communicate with the proxy.

 

ovirt-imageio-proxy service seems to check out. So, next step was checking out VDSM process output is below (NOTE: I redacted a bunch of unrelated warnings):

...

Vdsm is not related to proxy connection errors.

 

Did you know that you can upload using the SDK? It is also much

faster since you can upload directly to the host, instead of via the proxy.

 

Here is an example:

 

Nir




--
Didi