On Thu, Jul 5, 2018 at 5:20 PM, Nir Soffer <nsoffer@redhat.com> wrote:
On Thu, Jul 5, 2018 at 4:55 PM <etienne.charlier@reduspaceservices.eu> wrote:
Thanks a lot for your support!

I reinstalled a fresh ovirt-engine and managed to import the certificate.

I managed to upload an image even with the self-signed certificates configured.

I think a "simple" way to allow letsencrypt certificates to be used for "external access" web UI, API... could be useful.

I agree.

Didi, can we integrate with letsencrypt to have engine/imageio certificates
respected by browsers without additional configuration?

I never looked specifically at this. We do have these open bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=1336873
https://bugzilla.redhat.com/show_bug.cgi?id=1134219

If we want to specifically handle LE, please open a bug. Not sure we should.


The need to import the CA into your browser to upload images is a big user
experience issue. We see users failing to do it again and again.

I guess we have here two different issues:

1. By default, we generate a different key/cert pair for imageio,
rather than use the one for httpd. So a user accepting the cert for httpd still
fails to use the cert for imageio, until it's accepted as well. Perhaps we should
use by default the same pair? No idea why we decided to use a separate pair.
Please open an RFE to use the same pair as httpd.

2. The procedure to use a 3rd-party CA does not mention imageio. That's already
discussed earlier in this thread.

Best regards,
--
Didi