
Hi,

----- On 1 Sep 15, at 9:43, Sandro Bonazzola <sbonazzo@redhat.com> wrote:

> On Mon, Aug 31, 2015 at 6:08 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
>
>> ----- Original Message -----
>>> From: "Baptiste Agasse" <baptiste.agasse@lyra-network.com>
>>> To: "users" <users@ovirt.org>
>>> Sent: Monday, August 31, 2015 6:54:28 PM
>>> Subject: [ovirt-users] ovirt 3.5 engine web certificate
>>>
>>> Hi all,
>>>
>>> I've followed the procedure to replace the self-signed certificate with one issued by our internal PKI to avoid security failures when users access the webui (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https). The connection to the webui now works fine without any security warning (the internal PKI CA is in the trusted CA store of our clients' OS). But on the other hand, I have some troubles:
>>>
>>> * I have to specify the --ca-file option for ovirt-shell and engine-iso-uploader (I didn't test the engine-image-upload command); it would be nice if the documentation provided a way to replace this by default (or use the trusted CA store of the OS?). This is not a bug, just some feedback on the certificate change procedure, which doesn't cover these side effects.
>>
>> This is [1], probably you want to modify the configuration files of these tools at /etc so you will have proper defaults.
>>
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1146710

Thank you for this link.

>>> * I can't add new ovirt-node anymore.
>>
>> If ovirt-node was added using previous certificate it "Remembers" that certificate. You can remove it from /etc/pki/vdsm/engine_web_ca.pem and try to register again.
>>
>>> * The ovirt-hosted-engine --deploy fails on new nodes with an SSL error. To work around this I have to modify the file "/usr/lib/python2.7/site-packages/ovirtsdk/web/connection.py" around line 233 to make an insecure connection to the engine and add the new node. I haven't tested adding a new node from the ovirt engine cli/webui, but I think it will be the same issue because the error occurs on the vdsm activation that is common to the 'new hosted engine node' and 'new node' deployment. I've seen https://bugzilla.redhat.com/show_bug.cgi?id=1059952 but the workaround noted in comment #8 didn't work for me.
>>
>> CC sandro for this.
>
> Can you please share full sos report?

The report is a little bit big (about 57MB) to be sent by mail; do you have any procedure I can use to send it to you?

>>> Does someone have more info on this issue or have the same problem?
>>>
>>> This deployment is on ovirt 3.5.3, CentOS 7 (engine and nodes).
>>>
>>> Have a nice day.
>>>
>>> Regards.
>>>
>>> --
>>> Baptiste
>>> _______________________________________________
>>> Users mailing list
>>> Users@ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>
> --
> Sandro Bonazzola
> Better technology. Faster innovation. Powered by community collaboration.
> See how it works at redhat.com
--
Baptiste
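An added example (not part of the thread and not oVirt's own code) that checks, from the operator's side, the two problems discussed above: whether the CA a node remembers in /etc/pki/vdsm/engine_web_ca.pem still matches the CA the engine now uses, and how a client tool builds a verifying SSL context from an explicit CA file or the OS trust store instead of the insecure-connection workaround. The PEM blobs are constructed stand-ins, not real certificates.

```python
"""Stand-alone checks for the stale-cached-CA and client-verification issues."""
import base64
import hashlib
import ssl
from typing import Optional


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of the first certificate in a PEM string."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def cached_ca_is_stale(cached_pem: str, engine_ca_pem: str) -> bool:
    """True when the CA a node remembers (engine_web_ca.pem) differs from the
    CA the engine serves now: the case where re-registration fails until the
    cached file is removed."""
    return fingerprint(cached_pem) != fingerprint(engine_ca_pem)


def engine_ssl_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Verifying context for engine API calls: an explicit --ca-file style
    path wins, otherwise the OS trust store (where the internal PKI CA was
    installed for browsers). Verification is never switched off, unlike the
    connection.py workaround described in the thread."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("certificate verification must stay enabled")
    return ctx


def _fake_pem(payload: bytes) -> str:
    # Constructed stand-in: PEM framing around arbitrary bytes. Enough for
    # the fingerprint comparison above; not a real X.509 certificate.
    body = base64.encodebytes(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


OLD_ENGINE_CA = _fake_pem(b"old self-signed engine CA (constructed)")
NEW_ENGINE_CA = _fake_pem(b"new internal PKI CA (constructed)")

if __name__ == "__main__":
    if cached_ca_is_stale(OLD_ENGINE_CA, NEW_ENGINE_CA):
        print("node trusts a stale engine CA: remove engine_web_ca.pem and re-register")
    engine_ssl_context()  # raises if verification were ever disabled
```

On a real node, read the cached file and the engine's current CA PEM into the two arguments of cached_ca_is_stale.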