On Tue, May 8, 2018 at 7:11 PM, Sandro Bonazzola <sbonazzo(a)redhat.com> wrote:
On Tue, May 8, 2018, 10:32 Jiří Sléžka <jiri.slezka(a)slu.cz> wrote:
> solution was obvious. Upgrade process modified apache's ssl.conf and
> reverted my customization.
> for example - my custom cert...
> SSLCertificateFile /etc/pki/tls/certs/ovirt.crt.pem
> ...was replaced by this
> SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer
> the same for SSLCertificateKeyFile and SSLCACertificateFile
Actually that was intended, see . But I admit I didn't specifically
think about 3rd-party CAs, sorry.
You were notified about this by engine-setup, right?
"Apache httpd SSL was already configured in the past,
but some needed changes are missing there.
Configure again? (Automatic, Manual) [Automatic]:"
Please open a bug about this. Not sure exactly what the bug
should say - perhaps that on upgrade, engine-setup should only
touch specific values there, which do not include SSL*File,
perhaps show to the user what we are actually going to change,
perhaps default to 'No' - not sure about this - and change to
> After reverting these changes everything works as usual but it makes me
> unsure if I have my 3rd party certificate configured the right way...
You are welcome to review other changes we did and decide for yourself.
> On 05/07/2018 05:41 PM, Jiří Sléžka wrote:
> > Hi,
> > after upgrade ovirt from 4.2.2 to 184.108.40.206-1.el7.centos I cannot login
> > into admin portal because
> > sun.security.validator.ValidatorException: PKIX path building failed:
> > sun.security.provider.certpath.SunCertPathBuilderException: unable to
> > find valid certification path to requested target
> > I am using custom 3rd party certificate
> > Any hints how to resolve this issue?
I am not sure this should have happened.
If engine-setup replaced all relevant SSL*File options, it should have
worked, and at most you should have received a pop-up in your browser.
Please also check/share engine-setup log from /var/log/ovirt-engine/setup
and the actual changes to ssl.conf.
> > Thanks in advance,
> > Jiri Slezka
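
Added example, not part of the original thread and not oVirt code: one way to review "the actual changes to ssl.conf" is to compare the SSL*File directives of a pre-upgrade copy against the current file. The function names, the sample file names and the `/placeholder/...` paths are assumptions constructed for illustration; only the two SSLCertificateFile values come from the thread.

```shell
#!/bin/sh
# Added example: list SSL*File directives whose value differs between two
# copies of Apache's ssl.conf (a pre-upgrade backup and the current file).

# Prints "Directive: old -> new" for each changed directive.
# Returns 0 when nothing differs, 1 when drift was found.
ssl_conf_drift() {
    drift=$(awk '
        # Active directives only: commented lines start with "#", not "SSL".
        $1 ~ /^SSL[A-Za-z]*File$/ {
            if (side == "old") old[$1] = $2; else new[$1] = $2
            seen[$1] = 1
        }
        END {
            for (d in seen) {
                o = (d in old) ? old[d] : "(unset)"
                n = (d in new) ? new[d] : "(unset)"
                if (o != n) print d ": " o " -> " n
            }
        }' side=old "$1" side=new "$2" | sort)
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# Constructed sample files. The /placeholder/ paths are made up for the demo.
write_samples() {
    printf '%s\n' 'SSLEngine on' \
        'SSLCertificateFile /etc/pki/tls/certs/ovirt.crt.pem' \
        'SSLCertificateKeyFile /placeholder/custom.key' \
        'SSLCACertificateFile /placeholder/custom-ca.pem' \
        > "$1/ssl.conf.before"
    printf '%s\n' 'SSLEngine on' \
        '#SSLCertificateFile /etc/pki/tls/certs/ovirt.crt.pem' \
        'SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer' \
        'SSLCertificateKeyFile /placeholder/engine.key' \
        'SSLCACertificateFile /placeholder/engine-ca.pem' \
        > "$1/ssl.conf.after"
}

# Demo run on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
ssl_conf_drift "$tmp/ssl.conf.before" "$tmp/ssl.conf.after" \
    || echo "SSL*File directives changed; review before restarting httpd"
```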