I was setting up a new oVirt cluster yesterday, and deployed a Let's
Encrypt SSL cert on it for the website. After that, I noticed that
oVirt was getting errors synchronizing networks with ovirt-provider-ovn.
It appears that the python library used for SSL by ovirt-provider-ovn
has the same issue as older OpenSSL versions, and can't handle the
default Let's Encrypt root cert path; the path used for old Android
compatibility can end with an expired cert that's still in the CA store
(even though there's another verification path that doesn't end with an
expired cert).
The solution was to switch the Let's Encrypt cert to the "ISRG Root X1"
chain (which is fine, since I don't log in to oVirt from Android 7
devices).
Just an FYI for anyone else using a Let's Encrypt cert (or other cert
with a similar expired root path, they aren't the only one).
--
Chris Adams <cma(a)cmadams.net>