Replacing engine SSL cert

I'm writing a script to install a new SSL key/cert pair (from Let's Encrypt) for the engine web UI on oVirt 4.1. I'm looking at this, but it's a little confusing.

https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/

It sounds like steps 1 and 3 are referring to the CA-supplied intermediate cert(s), not the actual issued cert for the server. Is that right?

Does anything actually use the PKCS12 format file referred to in step 4? I don't normally see that format from regular CAs; they usually provide cert+intermediate(s) in PEM format.

With Apache 2.4, it is normal to just put the cert+intermediate(s) chain in one file and configure Apache with SSLCertificateFile. You aren't supposed to put the CA-supplied cert in the SSLCACertificateFile like oVirt appears to do; that's intended to be used for validating client certs, not the intermediate(s) for the server cert.

It really just looks like the cert+intermediate(s) should go in /etc/pki/ovirt-engine/certs/apache.cer, the corresponding key put in /etc/pki/ovirt-engine/keys/apache.key.nopass, and then Apache needs to be restarted. Since oVirt doesn't use the engine web UI cert for anything internally (right?), do any of the other steps on the above page matter?

--
Chris Adams <cma@cmadams.net>

On Sat, Sep 9, 2017 at 9:48 PM, Chris Adams <cma@cmadams.net> wrote:

> I'm writing a script to install a new SSL key/cert pair (from Let's Encrypt) for the engine web UI on oVirt 4.1. I'm looking at this, but it's a little confusing.
> https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/

You might want to check recent RHV docs: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/htm...

ovirt.org is still not updated, sorry. Patches are welcome :-)

> It sounds like steps 1 and 3 are referring to the CA-supplied intermediate cert(s), not the actual issued cert for the server. Is that right?

Correct.

> Does anything actually use the PKCS12 format file referred to in step 4?

Currently, AFAIK, no.

> I don't normally see that format from regular CAs; they usually provide cert+intermediate(s) in PEM format.

Indeed, that's why in the above RHV docs we split it up into two procedures.

> With Apache 2.4, it is normal to just put the cert+intermediate(s) chain in one file and configure Apache with SSLCertificateFile. You aren't supposed to put the CA-supplied cert in the SSLCACertificateFile like oVirt appears to do; that's intended to be used for validating client certs, not the intermediate(s) for the server cert.

Searching the net I also find: https://stackoverflow.com/questions/1899983/difference-between-sslcacertific...

Seems like this was changed in: https://gerrit.ovirt.org/15837

But no idea why. Perhaps we wanted the option to allow authentication by client certs? See e.g.: http://machacekondra.blogspot.co.il/2016/02/client-certificate-authenticatio...

If you think that's a problem, please open a bug. Thanks!

> It really just looks like the cert+intermediate(s) should go in /etc/pki/ovirt-engine/certs/apache.cer, the corresponding key put in /etc/pki/ovirt-engine/keys/apache.key.nopass, and then Apache needs to be restarted. Since oVirt doesn't use the engine web UI cert for anything internally (right?),

Mostly right.

> do any of the other steps on the above page matter?

For step 8, you can search for 'site:bugzilla.redhat.com ENGINE_HTTPS_PKI_TRUST_STORE'. There were several bugs about this. The log collector always _does_ use the https interface, even on the local machine.

Best,
--
Didi
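The install procedure Chris describes and Didi confirms above (chain into /etc/pki/ovirt-engine/certs/apache.cer, key into /etc/pki/ovirt-engine/keys/apache.key.nopass, then restart Apache), written out as an added bash example. This is not code from the thread and not oVirt's or RHV's own tooling. It adds the checks a practitioner would want before swapping files on a running engine: that the private key matches the leaf certificate, that the bundle actually carries an intermediate, that the leaf is not about to expire, a timestamped backup of the old pair, and a post-restart comparison of the certificate Apache actually serves against the file on disk. The certbot live directory, the ENGINE_CERT/ENGINE_KEY/RESTART_CMD variables and the fingerprint helper are assumptions; the script deliberately does not touch the engine truststore (the step 8 / ENGINE_HTTPS_PKI_TRUST_STORE question Didi points at), which is a separate decision.

```shell
#!/bin/bash
# Added example, not from the thread or the oVirt project.
# Target paths are the ones named in the thread; everything else is an assumption.
ENGINE_CERT=${ENGINE_CERT:-/etc/pki/ovirt-engine/certs/apache.cer}
ENGINE_KEY=${ENGINE_KEY:-/etc/pki/ovirt-engine/keys/apache.key.nopass}
# Assumed certbot layout: fullchain.pem = leaf + intermediate(s), privkey.pem = key.
CERTBOT_DIR=${CERTBOT_DIR:-/etc/letsencrypt/live/engine.example.com}
# Assumed restart command for the engine's Apache on EL7; override for testing.
RESTART_CMD=${RESTART_CMD:-"systemctl restart httpd"}

# 0 when the private key's public half equals the public key of the FIRST cert
# in the bundle. Apache expects the leaf first, so a mismatch here also catches
# a bundle that was concatenated in the wrong order (intermediate first).
key_matches_cert() {
    local key=$1 chain=$2 from_cert from_key
    from_cert=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Number of PEM certificates in a bundle; 1 means no intermediate was included
# and browsers that lack the issuer cached would fail to build a chain.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# 0 when the first cert in the file is still valid $2 seconds from now.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of the first cert in a local PEM file.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# SHA-256 fingerprint of the cert a live server presents for a hostname (SNI).
# Used after the restart to prove Apache picked up the new file.
served_fingerprint() {
    local host=$1 port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# Write $1 over $2 while keeping $2's existing owner and mode (GNU coreutils),
# so we never have to guess what oVirt's setup chose for these files.
replace_keeping_perms() {
    local src=$1 dst=$2 tmp
    tmp=$(mktemp "$dst.XXXXXX") || return 1
    cat "$src" > "$tmp" \
        && chown --reference="$dst" "$tmp" \
        && chmod --reference="$dst" "$tmp" \
        && mv -f "$tmp" "$dst"
}

# Validate, back up, install, restart. Returns non-zero and changes nothing
# if the key does not belong to the leaf certificate.
install_engine_cert() {
    local chain=$1 key=$2 stamp
    if ! key_matches_cert "$key" "$chain"; then
        echo "refusing: $key does not match the first certificate in $chain" >&2
        return 1
    fi
    if [ "$(pem_cert_count "$chain")" -lt 2 ]; then
        echo "warning: $chain has no intermediate; clients may not build a chain" >&2
    fi
    if ! cert_not_expiring "$chain" 2592000; then
        echo "warning: leaf certificate in $chain expires within 30 days" >&2
    fi
    stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$ENGINE_CERT" "$ENGINE_CERT.$stamp.bak" || return 1
    cp -p "$ENGINE_KEY" "$ENGINE_KEY.$stamp.bak" || return 1
    replace_keeping_perms "$chain" "$ENGINE_CERT" || return 1
    replace_keeping_perms "$key" "$ENGINE_KEY" || return 1
    $RESTART_CMD
}

# Stand-alone use: install.sh <fullchain.pem> <privkey.pem> [engine-fqdn]
# The optional third argument checks the served cert after the restart.
if [ $# -ge 2 ]; then
    install_engine_cert "$1" "$2" || exit 1
    if [ -n "${3:-}" ]; then
        if [ "$(served_fingerprint "$3")" = "$(file_fingerprint "$ENGINE_CERT")" ]; then
            echo "ok: $3 now serves $(file_fingerprint "$ENGINE_CERT")"
        else
            echo "warning: $3 is not serving the installed certificate yet" >&2
        fi
    fi
fi
```

Typical invocation on the engine host would be `./install.sh "$CERTBOT_DIR/fullchain.pem" "$CERTBOT_DIR/privkey.pem" engine.example.com`. The key check runs before anything is written, so a renamed or stale key leaves the running configuration untouched; the backups let you roll back with two `mv` commands and a restart.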
participants (2)
- Chris Adams
- Yedidyah Bar David