ovirt 3.5 engine web certificate

Hi all,
I've followed the procedure to replace the self-signed certificate with one issued by our internal PKI to avoid security failures when users access the webui (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualizat...). The connection to the webui now works fine without any security warning (the internal PKI CA is in the trusted CA store of our clients' OS). But on the other hand, I have some troubles:
* I have to specify the --ca-file option for ovirt-shell and engine-iso-uploader (I didn't test the engine-image-upload command); it would be nice if the documentation provided a way to replace this by default (or use the trusted CA store of the OS?). This is not a bug, just some feedback on the certificate change procedure, which doesn't cover these side effects.
* I can't add a new ovirt-node anymore. The ovirt-hosted-engine --deploy fails on new nodes with an SSL error. To work around this I have to modify the file "/usr/lib/python2.7/site-packages/ovirtsdk/web/connection.py" around line 233 to make an insecure connection to the engine and add the new node. I haven't tested adding a new node from the ovirt engine cli/webui, but I think it will be the same issue because the error occurs on the vdsm activation that is common to the 'new hosted engine node' and 'new node' deployments. I've seen https://bugzilla.redhat.com/show_bug.cgi?id=1059952 but the workaround noted in comment #8 didn't work for me.
Does someone have more info on this issue or have the same problem?
This deployment is on ovirt 3.5.3, CentOS 7 (engine and nodes).
Have a nice day.
Regards.
-- Baptiste

----- Original Message -----
From: "Baptiste Agasse" <baptiste.agasse@lyra-network.com>
To: "users" <users@ovirt.org>
Sent: Monday, August 31, 2015 6:54:28 PM
Subject: [ovirt-users] ovirt 3.5 engine web certificate
Hi all,
I've followed the procedure to replace the self-signed certificate with one issued by our internal PKI to avoid security failures when users access the webui (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualizat...). The connection to the webui now works fine without any security warning (the internal PKI CA is in the trusted CA store of our clients' OS). But on the other hand, I have some troubles:
* I have to specify the --ca-file option for ovirt-shell and engine-iso-uploader (I didn't test the engine-image-upload command); it would be nice if the documentation provided a way to replace this by default (or use the trusted CA store of the OS?). This is not a bug, just some feedback on the certificate change procedure, which doesn't cover these side effects.
This is [1]; probably you want to modify the configuration files of these tools in /etc so you will have proper defaults.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1146710
* I can't add new ovirt-node anymore.
If the ovirt-node was added using the previous certificate, it "remembers" that certificate. You can remove it from /etc/pki/vdsm/engine_web_ca.pem and try to register again.
* The ovirt-hosted-engine --deploy fails on new nodes with an SSL error. To work around this I have to modify the file "/usr/lib/python2.7/site-packages/ovirtsdk/web/connection.py" around line 233 to make an insecure connection to the engine and add the new node. I haven't tested adding a new node from the ovirt engine cli/webui, but I think it will be the same issue because the error occurs on the vdsm activation that is common to the 'new hosted engine node' and 'new node' deployments. I've seen https://bugzilla.redhat.com/show_bug.cgi?id=1059952 but the workaround noted in comment #8 didn't work for me.
CC Sandro for this.
Does someone have more info on this issue or have the same problem?
This deployment is on ovirt 3.5.3, CentOS 7 (engine and nodes).
Have a nice day.
Regards.
-- Baptiste _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
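The failure Alon describes above (a node that still trusts the CA it cached at first registration, so the engine's new web certificate no longer verifies) can be reproduced and checked offline. The script below is an added example, not code from this thread or from the oVirt project. It assumes the openssl command-line tool is installed; the CA names, the engine hostname engine.example.com and the temporary files are constructed for the demonstration, and the only real path in it is /etc/pki/vdsm/engine_web_ca.pem from the thread. One caveat on the workaround mentioned in the original post: patching ovirtsdk's connection.py to make an insecure connection turns off certificate verification for every connection that SDK makes, which is exactly the protection the internal-PKI certificate was deployed to provide; refreshing the cached CA keeps verification on.

```shell
#!/bin/sh
# Added example, not code from the oVirt thread or project. Reproduces the
# "node remembers the old CA" failure with throw-away keys and shows the check
# to run on a node. Requires the openssl CLI. /etc/pki/vdsm/engine_web_ca.pem
# is the real path from the thread; the CA names, the engine hostname and the
# temporary files below are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkca NAME: self-signed CA (openssl req -x509 marks it CA:TRUE by default).
# Stands in for the CA the node cached at registration and for the internal
# PKI CA that now issues the engine's web certificate.
mkca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# mkleaf CANAME HOST: end-entity certificate for the engine's HTTPS service,
# signed by CANAME.
mkleaf() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# check_engine_cert CAFILE CERT: prints "ok" when CERT chains to CAFILE alone
# (system trust store deliberately excluded), "stale" otherwise.
# On a real node CAFILE is /etc/pki/vdsm/engine_web_ca.pem and CERT is what the
# engine serves, which you can save with:
#   openssl s_client -connect ENGINE_FQDN:443 </dev/null 2>/dev/null \
#       | openssl x509 -out engine.pem
check_engine_cert() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo stale
    fi
}

# fingerprint FILE: SHA-256 fingerprint of a certificate, so the cached CA can
# be compared with the one the PKI team says is current before deleting anything.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

mkca old-ovirt-ca
mkca internal-pki-ca
mkleaf internal-pki-ca engine.example.com

# Stand-in for the node's cached /etc/pki/vdsm/engine_web_ca.pem, still holding
# the CA that was current when the node registered.
CACHED="$WORK/engine_web_ca.pem"
cp "$WORK/old-ovirt-ca.pem" "$CACHED"

echo "cached CA fingerprint:  $(fingerprint "$CACHED")"
echo "current CA fingerprint: $(fingerprint "$WORK/internal-pki-ca.pem")"
echo "verify with cached CA:  $(check_engine_cert "$CACHED" "$WORK/engine.example.com.pem")"

# The fix Alon describes: drop the remembered CA (keeping a backup) and put the
# current one in its place; the engine's certificate then verifies and the node
# can register again with verification still enabled.
cp "$CACHED" "$CACHED.bak"
cp "$WORK/internal-pki-ca.pem" "$CACHED"
echo "verify after refresh:   $(check_engine_cert "$CACHED" "$WORK/engine.example.com.pem")"
```

The same `openssl verify` call, pointed at whatever file `--ca-file` names, also tells you in advance whether ovirt-shell or engine-iso-uploader will accept the engine, which is worth running before wiring that path into their configuration files under /etc.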

On Mon, Aug 31, 2015 at 6:08 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
----- Original Message -----
From: "Baptiste Agasse" <baptiste.agasse@lyra-network.com>
To: "users" <users@ovirt.org>
Sent: Monday, August 31, 2015 6:54:28 PM
Subject: [ovirt-users] ovirt 3.5 engine web certificate
Hi all,
I've followed the procedure to replace the self-signed certificate with one issued by our internal PKI to avoid security failures when users access the webui (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualizat...). The connection to the webui now works fine without any security warning (the internal PKI CA is in the trusted CA store of our clients' OS). But on the other hand, I have some troubles:
* I have to specify the --ca-file option for ovirt-shell and engine-iso-uploader (I didn't test the engine-image-upload command); it would be nice if the documentation provided a way to replace this by default (or use the trusted CA store of the OS?). This is not a bug, just some feedback on the certificate change procedure, which doesn't cover these side effects.
This is [1]; probably you want to modify the configuration files of these tools in /etc so you will have proper defaults.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1146710
* I can't add a new ovirt-node anymore.
If the ovirt-node was added using the previous certificate, it "remembers" that certificate. You can remove it from /etc/pki/vdsm/engine_web_ca.pem and try to register again.
* The ovirt-hosted-engine --deploy fails on new nodes with an SSL error. To work around this I have to modify the file "/usr/lib/python2.7/site-packages/ovirtsdk/web/connection.py" around line 233 to make an insecure connection to the engine and add the new node. I haven't tested adding a new node from the ovirt engine cli/webui, but I think it will be the same issue because the error occurs on the vdsm activation that is common to the 'new hosted engine node' and 'new node' deployments. I've seen https://bugzilla.redhat.com/show_bug.cgi?id=1059952 but the workaround noted in comment #8 didn't work for me.
CC Sandro for this.
Can you please share a full sos report?
Does someone have more info on this issue or have the same problem?
This deployment is on ovirt 3.5.3, CentOS 7 (engine and nodes).
Have a nice day.
Regards.
-- Baptiste
-- Sandro Bonazzola Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com

Hi,
----- On 1 Sep 15, at 9:43, Sandro Bonazzola <sbonazzo@redhat.com> wrote:
On Mon, Aug 31, 2015 at 6:08 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
----- Original Message -----
From: "Baptiste Agasse" <baptiste.agasse@lyra-network.com>
To: "users" <users@ovirt.org>
Sent: Monday, August 31, 2015 6:54:28 PM
Subject: [ovirt-users] ovirt 3.5 engine web certificate
Hi all,
I've followed the procedure to replace the self-signed certificate with one issued by our internal PKI to avoid security failures when users access the webui (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https). The connection to the webui now works fine without any security warning (the internal PKI CA is in the trusted CA store of our clients' OS). But on the other hand, I have some troubles:
* I have to specify the --ca-file option for ovirt-shell and engine-iso-uploader (I didn't test the engine-image-upload command); it would be nice if the documentation provided a way to replace this by default (or use the trusted CA store of the OS?). This is not a bug, just some feedback on the certificate change procedure, which doesn't cover these side effects.
This is [1]; probably you want to modify the configuration files of these tools in /etc so you will have proper defaults.
Thank you for this link.
* I can't add a new ovirt-node anymore.
If the ovirt-node was added using the previous certificate, it "remembers" that certificate. You can remove it from /etc/pki/vdsm/engine_web_ca.pem and try to register again.
* The ovirt-hosted-engine --deploy fails on new nodes with an SSL error. To work around this I have to modify the file "/usr/lib/python2.7/site-packages/ovirtsdk/web/connection.py" around line 233 to make an insecure connection to the engine and add the new node. I haven't tested adding a new node from the ovirt engine cli/webui, but I think it will be the same issue because the error occurs on the vdsm activation that is common to the 'new hosted engine node' and 'new node' deployments. I've seen https://bugzilla.redhat.com/show_bug.cgi?id=1059952 but the workaround noted in comment #8 didn't work for me.
CC Sandro for this.
Can you please share a full sos report?
The report is a little bit big (about 57MB) to be sent by mail; do you have any procedure I can use to send it to you?
Does someone have more info on this issue or have the same problem?
This deployment is on ovirt 3.5.3, CentOS 7 (engine and nodes).
Have a nice day.
Regards.
-- Baptiste
-- Baptiste

On Tue, Sep 1, 2015 at 1:36 PM, Baptiste Agasse <baptiste.agasse@lyra-network.com> wrote:
Hi,
----- On 1 Sep 15, at 9:43, Sandro Bonazzola <sbonazzo@redhat.com> wrote:
On Mon, Aug 31, 2015 at 6:08 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
----- Original Message -----
From: "Baptiste Agasse" <baptiste.agasse@lyra-network.com>
To: "users" <users@ovirt.org>
Sent: Monday, August 31, 2015 6:54:28 PM
Subject: [ovirt-users] ovirt 3.5 engine web certificate
Hi all,
I've followed the procedure to replace the self-signed certificate with one issued by our internal PKI to avoid security failures when users access the webui (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualizat...). The connection to the webui now works fine without any security warning (the internal PKI CA is in the trusted CA store of our clients' OS). But on the other hand, I have some troubles:
* I have to specify the --ca-file option for ovirt-shell and engine-iso-uploader (I didn't test the engine-image-upload command); it would be nice if the documentation provided a way to replace this by default (or use the trusted CA store of the OS?). This is not a bug, just some feedback on the certificate change procedure, which doesn't cover these side effects.
This is [1]; probably you want to modify the configuration files of these tools in /etc so you will have proper defaults.
Thank you for this link.
* I can't add a new ovirt-node anymore.
If the ovirt-node was added using the previous certificate, it "remembers" that certificate. You can remove it from /etc/pki/vdsm/engine_web_ca.pem and try to register again.
* The ovirt-hosted-engine --deploy fails on new nodes with an SSL error. To work around this I have to modify the file "/usr/lib/python2.7/site-packages/ovirtsdk/web/connection.py" around line 233 to make an insecure connection to the engine and add the new node. I haven't tested adding a new node from the ovirt engine cli/webui, but I think it will be the same issue because the error occurs on the vdsm activation that is common to the 'new hosted engine node' and 'new node' deployments. I've seen https://bugzilla.redhat.com/show_bug.cgi?id=1059952 but the workaround noted in comment #8 didn't work for me.
CC Sandro for this.
Can you please share a full sos report?
The report is a little bit big (about 57MB) to be sent by mail; do you have any procedure I can use to send it to you?
Can you share it on Google Drive / Dropbox or any other file-sharing service?
Does someone have more info on this issue or have the same problem?
This deployment is on ovirt 3.5.3, CentOS 7 (engine and nodes).
Have a nice day.
Regards.
-- Baptiste
-- Baptiste
-- Sandro Bonazzola Better technology. Faster innovation. Powered by community collaboration. See how it works at redhat.com
participants (3)
- Alon Bar-Lev
- Baptiste Agasse
- Sandro Bonazzola