Re: [ovirt-users] 3.6 to 4.0 upgrade cert issue

So I switched back to the original self-signed certs that I had luckily saved and was able to get in without error. Is there a new process for using non-self-signed certs with ovirt 4.0?

Thanks,
-- Matt Haught

On Fri, Jun 24, 2016 at 11:19 AM, Matt Haught <dmhaught@ncsu.edu> wrote:
I just attempted an upgrade from 3.6 to 4.0 hosted engine and ran into a problem. The hosted engine vm updated without issue, but when I go to log in to the web interface to continue the process I get:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at every page load and I can't log in. I have a feeling that the issue comes from where I replaced the self-signed certs with trusted CA-signed certs a year ago. Is there a work around?
CentOS 7.2
Thanks,
-- Matt Haught

You need to import your intermediate certificate and possibly your CA certificate into the ovirt-engine keystore. This is the command I used:

sudo keytool -importcert -trustcacerts -keystore /etc/pki/ovirt-engine/.truststore -storepass mypass -file /etc/pki/tls/certs/startcom.class1.server.ca.pem

The password is actually "mypass".

Scott

On Fri, Jun 24, 2016 at 11:33 AM Matt Haught <dmhaught@ncsu.edu> wrote:
So I switched back to the original self-signed certs that I had luckily saved and was able to get in without error. Is there a new process for using non-self-signed certs with ovirt 4.0?
Thanks, -- Matt Haught
On Fri, Jun 24, 2016 at 11:19 AM, Matt Haught <dmhaught@ncsu.edu> wrote:
I just attempted an upgrade from 3.6 to 4.0 hosted engine and ran into a problem. The hosted engine vm updated without issue, but when I go to log in to the web interface to continue the process I get:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at every page load and I can't log in. I have a feeling that the issue comes from where I replaced the self-signed certs with trusted CA-signed certs a year ago. Is there a work around?
CentOS 7.2
Thanks,
-- Matt Haught
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

On Fri, Jun 24, 2016 at 7:43 PM, Scott <romracer@gmail.com> wrote:
You need to import your intermediate certificate and possibly your CA certificate into the ovirt-engine keystore. This is the command I used:
sudo keytool -importcert -trustcacerts -keystore /etc/pki/ovirt-engine/.truststore -storepass mypass -file /etc/pki/tls/certs/startcom.class1.server.ca.pem
The password is actually "mypass".
Scott

This is not a correct solution although it's working for now. Correct steps are described at [1].

Thanks

Martin Perina

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1336838
On Fri, Jun 24, 2016 at 11:33 AM Matt Haught <dmhaught@ncsu.edu> wrote:
So I switched back to the original self-signed certs that I had luckily saved and was able to get in without error. Is there a new process for using non-self-signed certs with ovirt 4.0?
Thanks, -- Matt Haught
On Fri, Jun 24, 2016 at 11:19 AM, Matt Haught <dmhaught@ncsu.edu> wrote:
I just attempted an upgrade from 3.6 to 4.0 hosted engine and ran into a problem. The hosted engine vm updated without issue, but when I go to log in to the web interface to continue the process I get:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at every page load and I can't log in. I have a feeling that the issue comes from where I replaced the self-signed certs with trusted CA-signed certs a year ago. Is there a work around?
CentOS 7.2
Thanks,
-- Matt Haught

On Fri, Jun 24, 2016 at 2:58 PM, Martin Perina <mperina@redhat.com> wrote:
This is not a correct solution although it's working for now. Correct steps are described at [1].
Thanks
Martin Perina
So I followed the bug report and put my CA cert into /etc/pki/ca-trust/source/anchors/ and ran update-ca-trust. I created a /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf as shown, but after restarting ovirt-engine I got

Keystore was tampered with, or password was incorrect

when trying to log in. So I ended up doing a

keytool -storepasswd -keystore /etc/pki/ca-trust/extracted/java/cacerts

using "changeit" and set a password and put that in 99-custom-truststore.conf. Things appear to be working now.

Thanks,
Matt Haught

On Mon, Jun 27, 2016 at 1:16 AM, Matt Haught <dmhaught@ncsu.edu> wrote:
On Fri, Jun 24, 2016 at 2:58 PM, Martin Perina <mperina@redhat.com> wrote:
This is not a correct solution although it's working for now. Correct
steps are described at [1].
Thanks
Martin Perina
So I followed the bug report and put my CA cert into /etc/pki/ca-trust/source/anchors/ and ran update-ca-trust. I created a /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf as shown, but after restarting ovirt-engine I got
Keystore was tampered with, or password was incorrect
when trying to log in. So I ended up doing a
keytool -storepasswd -keystore /etc/pki/ca-trust/extracted/java/cacerts
using "changeit" and set a password and put that in 99-custom-truststore.conf. Things appear to be working now.
Unfortunately we have a bug there and it will be fixed in oVirt 4.0.1. Until then we support only truststores with password. Sorry for your troubles.

Martin Perina
Thanks,
Matt Haught
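The steps from the bug report as Matt describes them, put together as an added example; this is not code from the thread or from the oVirt project. It follows Martin's route (system CA trust plus a separate engine truststore setting) rather than importing a public CA into /etc/pki/ovirt-engine/.truststore, and it includes the 4.0.0 workaround of giving the extracted Java cacerts a password. Assumptions not stated in the thread: keytool, update-ca-trust and openssl are on the engine host; the engine reads the keys ENGINE_HTTPS_PKI_TRUST_STORE and ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD from engine.conf.d (names taken from the oVirt 4.0 documentation, the thread only names the file); and the certificate Apache serves is /etc/pki/ovirt-engine/certs/apache.cer.

```shell
#!/bin/sh
# Added example, not code from the thread or from the oVirt project: the
# manual truststore steps wrapped in functions so each one can be checked
# before the engine is restarted.
#
# Assumptions (not stated in the thread):
#   - keytool, update-ca-trust and openssl are on PATH (CentOS 7 engine host)
#   - the engine reads ENGINE_HTTPS_PKI_TRUST_STORE and
#     ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD from engine.conf.d; these key
#     names come from the oVirt 4.0 documentation
#   - the certificate Apache serves is /etc/pki/ovirt-engine/certs/apache.cer

ANCHORS_DIR=/etc/pki/ca-trust/source/anchors
SYSTEM_PEM_BUNDLE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
SYSTEM_JAVA_CACERTS=/etc/pki/ca-trust/extracted/java/cacerts
ENGINE_CONF=/etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
APACHE_CERT=/etc/pki/ovirt-engine/certs/apache.cer
DEFAULT_STOREPASS=changeit   # password update-ca-trust gives the extracted Java cacerts

# Step 1: add the CA (and, as a separate file, any intermediate) to the system
# trust and regenerate the extracted bundles, including the Java cacerts file.
install_ca_anchor() {
    [ -f "$1" ] || { echo "install_ca_anchor: no such file: $1" >&2; return 1; }
    cp "$1" "$ANCHORS_DIR/" && update-ca-trust
}

# Step 2: check that the engine's own HTTPS certificate now chains to the
# system trust; this is the path that failed with "PKIX path building failed".
apache_cert_verifies() {
    openssl verify -CAfile "$SYSTEM_PEM_BUNDLE" "$1" >/dev/null 2>&1
}

# Step 3: check the extracted Java truststore lists the anchor (matched on a
# fragment of its subject, e.g. "StartCom"), since that file is what the engine reads.
java_truststore_contains() {
    keytool -list -v -keystore "$1" -storepass "$2" 2>/dev/null | grep -q "$3"
}

# Step 4 (oVirt 4.0.0 only, per Martin): the engine only supports truststores
# with a password, so move it away from the default.
set_truststore_password() {
    keytool -storepasswd -keystore "$1" -storepass "$2" -new "$3"
}

# Step 5: point the engine at the truststore. Only these two lines are needed.
write_engine_truststore_conf() {
    printf 'ENGINE_HTTPS_PKI_TRUST_STORE="%s"\nENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="%s"\n' \
        "$2" "$3" > "$1"
}

# Usage: sh fix-truststore.sh /path/to/ca.pem 'new-store-password' [subject-fragment]
# Nothing runs unless arguments are given, so the functions can be sourced or tested.
if [ "$#" -ge 2 ]; then
    ca_pem=$1; newpass=$2; fragment=${3:-}
    install_ca_anchor "$ca_pem"
    apache_cert_verifies "$APACHE_CERT" || {
        echo "apache.cer still does not verify; is the intermediate installed as an anchor too?" >&2
        exit 1
    }
    if [ -n "$fragment" ]; then
        java_truststore_contains "$SYSTEM_JAVA_CACERTS" "$DEFAULT_STOREPASS" "$fragment" || {
            echo "anchor not found in $SYSTEM_JAVA_CACERTS" >&2
            exit 1
        }
    fi
    set_truststore_password "$SYSTEM_JAVA_CACERTS" "$DEFAULT_STOREPASS" "$newpass"
    write_engine_truststore_conf "$ENGINE_CONF" "$SYSTEM_JAVA_CACERTS" "$newpass"
    echo "wrote $ENGINE_CONF; now run: systemctl restart ovirt-engine"
fi
```

One caveat on step 4: /etc/pki/ca-trust/extracted/java/cacerts is regenerated every time update-ca-trust runs (for example when the ca-certificates package is updated), which resets its password to the default and would bring back the "Keystore was tampered with, or password was incorrect" error. If the password workaround has to stay in place, copy the extracted cacerts to a path outside /etc/pki/ca-trust/extracted, set the password on the copy, and point ENGINE_HTTPS_PKI_TRUST_STORE at that copy instead; that variation is my suggestion, not something the thread describes.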

Hi, if you are using an HTTPS certificate signed by a custom CA, manual action is required after upgrade to 4.0 due to introduction of oVirt engine SSO feature. More info about the manual steps can be found at [1].

Thanks

Martin Perina

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1336838

On Fri, Jun 24, 2016 at 6:32 PM, Matt Haught <dmhaught@ncsu.edu> wrote:
So I switched back to the original self-signed certs that I had luckily saved and was able to get in without error. Is there a new process for using non-self-signed certs with ovirt 4.0?
Thanks, -- Matt Haught
On Fri, Jun 24, 2016 at 11:19 AM, Matt Haught <dmhaught@ncsu.edu> wrote:
I just attempted an upgrade from 3.6 to 4.0 hosted engine and ran into a problem. The hosted engine vm updated without issue, but when I go to log in to the web interface to continue the process I get:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at every page load and I can't log in. I have a feeling that the issue comes from where I replaced the self-signed certs with trusted CA-signed certs a year ago. Is there a work around?
CentOS 7.2
Thanks,
-- Matt Haught
participants (3)
- Martin Perina
- Matt Haught
- Scott