On Sat, Sep 9, 2017 at 9:48 PM, Chris Adams <cma(a)cmadams.net> wrote:
> I'm writing a script to install a new SSL key/cert pair (from Let's
> Encrypt) for the engine web UI on oVirt 4.1. I'm looking at this, but
> it's a little confusing.
> https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/
You might want to check recent RHV docs:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/...
ovirt.org is still not updated, sorry. Patches are welcome :-)
> It sounds like steps 1 and 3 are referring to the CA-supplied
> intermediate cert(s), not the actual issued cert for the server. Is that
> right?
Correct.
> Does anything actually use the PKCS12 format file referred to in step 4?
Currently, AFAIK, no.
> I don't normally see that format from regular CAs; they usually provide
> cert+intermediate(s) in PEM format.
Indeed, that's why in the above RHV docs we split it up into two procedures.
> With Apache 2.4, it is normal to just put the cert+intermediate(s) chain
> in one file and configure Apache with SSLCertificateFile. You aren't
> supposed to put the CA-supplied cert in the SSLCACertificateFile like
> oVirt appears to do; that's intended to be used for validating client
> certs, not the intermediate(s) for the server cert.
> Searching the net I also find:
> https://stackoverflow.com/questions/1899983/difference-between-sslcacerti...
Seems like this was changed in:
https://gerrit.ovirt.org/15837
But no idea why. Perhaps we wanted the option to allow authentication
by client certs? See e.g.:
http://machacekondra.blogspot.co.il/2016/02/client-certificate-authentica...
If you think that's a problem, please open a bug. Thanks!
> It really just looks like the cert+intermediate(s) should go in
> /etc/pki/ovirt-engine/certs/apache.cer, the corresponding key put in
> /etc/pki/ovirt-engine/keys/apache.key.nopass, and then Apache needs to
> be restarted. Since oVirt doesn't use the engine web UI cert for
> anything internally (right?),
Mostly right
> do any of the other steps on the above
> page matter?
For step 8, you can search for 'site:bugzilla.redhat.com
ENGINE_HTTPS_PKI_TRUST_STORE'.
There were several bugs about this.
The log collector always _does_ use the https interface, even on the local machine.
Best,
--
Didi
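The install steps Chris describes (chain into apache.cer, key into apache.key.nopass, restart Apache), written up as an added helper script that is not part of this thread or of oVirt. It assumes openssl is on the PATH and that the Apache unit is named httpd; PKI_ROOT and DRY_RUN are names introduced here so the script can be exercised against a scratch directory.

```shell
# Added helper, not oVirt's own code: install a Let's Encrypt chain + key for
# the engine web UI at the paths named in the thread. PKI_ROOT and DRY_RUN
# are assumptions added here so the script can run against a scratch dir.
PKI_ROOT="${PKI_ROOT:-/etc/pki/ovirt-engine}"

# Number of certificates in a PEM bundle (the server cert must come first).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the Nth (1-based) certificate block of a PEM bundle.
pem_nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{i++} i==n' "$1"
}

# The key must belong to the leaf cert: compare the DER public key from each
# side (needs openssl). Empty output on either side counts as a mismatch.
key_matches_cert() {
    local key="$1" chain="$2" tmp rc
    tmp=$(mktemp -d) || return 1
    openssl pkey -in "$key" -pubout -outform DER -out "$tmp/k.der" 2>/dev/null || true
    pem_nth_cert "$chain" 1 | openssl x509 -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER -out "$tmp/c.der" 2>/dev/null || true
    [ -s "$tmp/k.der" ] && [ -s "$tmp/c.der" ] && cmp -s "$tmp/k.der" "$tmp/c.der"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# install_engine_cert FULLCHAIN.pem PRIVKEY.pem
install_engine_cert() {
    local chain="$1" key="$2" f stamp
    local certs_dir="$PKI_ROOT/certs" keys_dir="$PKI_ROOT/keys"
    if [ "$(pem_cert_count "$chain")" -lt 2 ]; then
        echo "$chain should hold the server cert followed by its intermediate(s)" >&2
        return 1
    fi
    if ! key_matches_cert "$key" "$chain"; then
        echo "$key does not match the first certificate in $chain" >&2
        return 1
    fi
    mkdir -p "$certs_dir" "$keys_dir"
    stamp=$(date +%Y%m%d%H%M%S)   # keep timestamped copies of what is installed
    for f in "$certs_dir/apache.cer" "$keys_dir/apache.key.nopass"; do
        [ -f "$f" ] && cp -p "$f" "$f.$stamp"
    done
    install -m 0644 "$chain" "$certs_dir/apache.cer"      # cert + intermediate(s)
    install -m 0600 "$key" "$keys_dir/apache.key.nopass"  # unencrypted key: owner-only
    [ "${DRY_RUN:-0}" = 1 ] || systemctl restart httpd    # Apache reads files at start
}
```

Run it as root with the Let's Encrypt fullchain.pem and privkey.pem as arguments; the SSLCACertificateFile setting Chris mentions is left untouched, since it governs client-certificate validation rather than the server chain.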