replaced ovirt certs, now I'm locked out with "unable to find valid certification path"

I followed the guide here to replace the self-signed certs with 3rd party certs, and now I'm getting this error on signin:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Do I need to have the .p12 in place also? I extracted the .key and .cer from the existing PFX, and copied them to all the places in the article, renaming the .cer to .pem as needed, and I always get that error. Yes, I did copy to the java directory and ran the program to update the trust store, and I can list out the trust store and see it listed. Has there been a recent change in how it handles certs? I tried it with the blank password for the certstore, with "changeit" and also changing the password to "123456" and none work.

I fixed this 30 minutes after I posted this. So for anyone else that has this issue, it turns out that the cert wasn't getting imported after running the command "keytool -import -alias ovirt -keystore ./cacerts -file <3rdpartycert>.cer" manually, as "update-ca-trust" did not add it automatically. Also, the default password for the keystore is "changeit", and I put the keystore password in the "99-custom-truststore.conf" file, not the "" entry like the article says.

It appears I spoke too soon, even though I can now get into the ovirt portal, I can't connect with the spice console. Even after recopying the cert and key over and restarting the service.

Hi,

On Sat, May 4, 2019 at 1:24 AM <michael@wanderingmad.com> wrote:
> I fixed this 30 minutes after I posted this. So for anyone else that has this issue, it turns out that the cert wasn't getting imported after running the command "keytool -import -alias ovirt -keystore ./cacerts -file <3rdpartycert>.cer" manually, as "update-ca-trust" did not add it automatically. Also, the default password for the keystore is "changeit", and I put the keystore password in the "99-custom-truststore.conf" file, not the "" entry like the article says.
Can you please elaborate? I assume you refer to this doc:

[1] https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html

I never tried configuring access to LDAP (TLS or not). I think you either mix things a bit, or I fail to follow. In particular:

ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD should indeed usually be empty. If you use a custom trust store for this, instead of the system-wide /etc/pki/java/cacerts, it's indeed up to you - you can protect it with a password, and then have to provide that password in this param.

"changeit" is the default password for the engine-internal truststore, "/etc/pki/ovirt-engine/.truststore". But above procedure does not suggest to add your 3rd-party CA cert there. If you need to, that's a bug. We recently fixed such a bug: https://bugzilla.redhat.com/1687301

"keytool -import -alias ovirt -keystore ./cacerts -file <3rdpartycert>.cer" is mentioned only in the second part, about LDAP access. It suggests to create another truststore, and use that in the aaa configuration. You should indeed use the same password when creating it and in the aaa conf (but do not need to do that in the engine conf).

On Sat, May 4, 2019 at 2:23 AM <michael@wanderingmad.com> wrote:
> It appears I spoke too soon, even though I can now get into the ovirt portal, I can't connect with the spice console. Even after recopying the cert and key over and restarting the service.
Please provide more details:

What exactly did you change when trying to use 3rd-party CA certs?
What error do you get and where?
What do you see in relevant log files?

Thanks and best regards,
--
Didi
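The PKIX error quoted at the top of the thread is the Java validator saying it could not build a path from the presented certificate to any trusted entry in the truststore the engine is actually using, which is why it matters which file (the system-wide /etc/pki/java/cacerts, a custom store named in ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD's companion setting, or the engine-internal .truststore) received the 3rd-party CA. The program below is an added example, not part of this thread and not oVirt code; it runs the same PKIX validation outside the engine against a truststore you name, so you can confirm whether the CA is present and where the chain breaks. It assumes three arguments: a JKS truststore path, its password (an empty string loads the store without the integrity check, which is enough to read certificate entries), and a PEM file holding the server certificate followed by any intermediates.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * PkixCheck: reproduce the engine's PKIX validation on the command line.
 * Usage: java PkixCheck <truststore.jks> <password-or-''> <chain.pem>
 *   chain.pem = server certificate first, then any intermediate CA certificates.
 */
public class PkixCheck {

    /** Load a JKS truststore; an empty password skips the integrity check but still reads entries. */
    static KeyStore loadTrustStore(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.isEmpty() ? null : password.toCharArray());
        }
        return ks;
    }

    /** Every certificate entry in the store becomes a PKIX trust anchor. */
    static Set<TrustAnchor> anchorsFrom(KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
            }
        }
        return anchors;
    }

    /** Read all PEM certificates from a file, in file order (leaf first). */
    static List<X509Certificate> loadPemChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /** Returns null when the chain validates to one of the anchors, otherwise the validator's reason. */
    static String validate(List<X509Certificate> chain, Set<TrustAnchor> anchors) throws Exception {
        if (anchors.isEmpty()) return "truststore contains no certificate entries";
        List<X509Certificate> path = new ArrayList<>(chain);
        // PKIX wants the root as a trust anchor, not as the last path element:
        // drop a trailing self-signed certificate if the chain file included one.
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
        }
        CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // offline diagnostic: no CRL or OCSP fetch
        try {
            CertPathValidator.getInstance("PKIX").validate(cp, params);
            return null;
        } catch (CertPathValidatorException ex) {
            return ex.getReason() + " at chain index " + ex.getIndex() + ": " + ex.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java PkixCheck <truststore> <password-or-''> <chain.pem>");
            System.exit(2);
        }
        Set<TrustAnchor> anchors = anchorsFrom(loadTrustStore(args[0], args[1]));
        List<X509Certificate> chain = loadPemChain(args[2]);
        System.out.println(anchors.size() + " trust anchors in " + args[0]);
        X509Certificate leaf = chain.get(0);
        System.out.println("leaf subject: " + leaf.getSubjectX500Principal());
        System.out.println("leaf issuer : " + leaf.getIssuerX500Principal());
        // Does any anchor carry the subject name the top of the chain is looking for?
        X509Certificate top = chain.get(chain.size() - 1);
        boolean issuerKnown = anchors.stream().anyMatch(a ->
            a.getTrustedCert().getSubjectX500Principal().equals(top.getIssuerX500Principal()));
        System.out.println("anchor named as issuer of " + top.getSubjectX500Principal() + ": " + issuerKnown);
        String problem = validate(chain, anchors);
        System.out.println(problem == null ? "PKIX: chain validates" : "PKIX failed: " + problem);
        System.exit(problem == null ? 0 : 1);
    }
}
```

Run it once per candidate truststore. "anchor named as issuer ... false" together with a failure means the CA simply is not in that store (the keytool import went to a different file than the one the engine reads); "true" with a failure points at a chain problem instead, typically a missing intermediate in the PEM you deployed.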

This had nothing to do with LDAP or anything, just trying to change the cert to a 3rd party signed one. Until I did those two steps I was unable to sign into the portal, as I just had a java error every time; it had nothing to do with LDAP.

For me, that SSL document is really confusing because it's not clear how some parts of the certs require full chain, some parts are just the actual 3rd party cert, and some parts it seems like it says "CA" cert. Does it mean the root cert? Or does it just mean the 3rd party cert you're installing? Does it require a p12 file? The article says "we suggest storing .p12 here" but it doesn't say "you must put your .p12 here".

Right now it works, sort of. I'm able to sign into portal, but I'm unable to connect to any of the VM consoles. I don't know where to go from here. The article says nothing about SPICE; is SPICE also supposed to work after the cert change? Or is that part of another article that we can't see? Is a cert placed wrong?

When I try to connect to a console, it errors out with "could not connect to server". The log on the VM host says:

(process:31241): Spice-WARNING **: 14:04:43.782: reds-stream.c:469:reds_stream_ssl_accept: SSL_accept failed, error=1
139940713029056:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1493:SSL alert number 48

In the engine server.log:

2019-05-04 20:09:55,479-04 INFO [org.apache.commons.httpclient.HttpMethodBase] (EE-ManagedThreadFactory-engine-Thread-14097) Response content length is not known

And the .vv file from ovirt looks like this. It has a private cert, for the host, but the 3rd party for the host? Is this right? What about a proxy? Does that come into play? Did I miss a cert?

[virt-viewer]
type=spice
host=172.16.x.x
port=5901
password=zYhIyn7/zVju
# Password is valid for 120 seconds.
delete-this-file=1
fullscreen=0
title=ADFSTwo:%d
toggle-fullscreen=shift+f11
release-cursor=shift+f12
secure-attention=ctrl+alt+end
tls-port=5902
enable-smartcard=0
enable-usb-autoshare=1
usb-filter=-1,-1,-1,-1,0
tls-ciphers=DEFAULT
host-subject=<private cert CA name>
ca=-----BEGIN CERTIFICATE-----\nMIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx\nGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkds\nb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNV\nBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYD\nVQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa\nDuaZjc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6sc\nTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb\nKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdGsnUOhugZitVtbNV4FpWi6cgKOOvyJBNP\nc1STE4U6G7weNLWLBYy5d4ux2x8gkasJU26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrX\ngzT/LCrBbBlDSgeF59N89iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV\nHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0BAQUF\nAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOzyj1hTdNGCbM+w6Dj\nY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE38NflNUVyRRBnMRddWQVDf9VMOyG\nj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymPAbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhH\nhm4qxFYxldBniYUr+WymXUadDKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveC\nX4XSQRjbgbMEHMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==\n-----END CERTIFICATE-----\n
secure-channels=main;inputs;cursor;playback;record;display;smartcard;usbredir
versions=rhev-win64:2.0-160;rhev-win32:2.0-160;rhel7:2.0-6;rhel6:99.0-1
newer-version-url=http://www.ovirt.org/documentation/admin-guide/virt/console-client-resources

[ovirt]
host=ovirt.wanderingmad.com:443
vm-guid=8779c8b7-18e8-49ef-aff4-d84609a519a3
sso-token=fjTGwB266hsU57uyOffllkPYG2m2wnaZnQJlUswKL3bYg9YM7rOfJ3QH-aBMibqbQsCEiV7AzPn39AWz40p_SA
admin=1

Should I replace certs on the host?
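TLS alert number 48 is unknown_ca (RFC 5246): the side that sends it could not build a path from the certificate it was handed to a CA it trusts. In the log above it is the host's SPICE server, inside SSL_accept, that reads the alert, so the peer that rejected a certificate is the console client, and the only CA the client trusts for that connection is whatever the .vv file's ca= entry contains (here a public root). The program below is an added example, not part of this thread and not oVirt or virt-viewer code: it parses a .vv file, undoes the literal "\n" escaping of the ca= PEM, and reports whether a given host certificate was issued, by name and by signature, by any CA in that entry. The host certificate path is an argument you supply; where the SPICE server certificate lives on a host is not stated in the thread, so the program makes no assumption about it.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * VvCheck: view a SPICE "unknown ca" failure from the client's side.
 * Usage: java VvCheck <console.vv> <host-server-cert.pem>
 */
public class VvCheck {

    /** Parse the [virt-viewer] section of a .vv file (INI syntax) into key/value pairs. */
    static Map<String, String> parseVirtViewerSection(String text) {
        Map<String, String> kv = new LinkedHashMap<>();
        String section = "";
        for (String raw : text.split("\\r?\\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#") || line.startsWith(";")) continue;
            if (line.startsWith("[") && line.endsWith("]")) {
                section = line.substring(1, line.length() - 1);
                continue;
            }
            int eq = line.indexOf('=');
            if (eq > 0 && section.equals("virt-viewer")) {
                kv.put(line.substring(0, eq).trim(), line.substring(eq + 1).trim());
            }
        }
        return kv;
    }

    /** ca= holds the PEM bundle on one line with literal "\n" escapes; undo that and parse every cert. */
    static List<X509Certificate> caCerts(Map<String, String> kv) throws Exception {
        String pem = kv.getOrDefault("ca", "").replace("\\n", "\n");
        List<X509Certificate> cas = new ArrayList<>();
        if (pem.isEmpty()) return cas;
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (Certificate c : cf.generateCertificates(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)))) {
            cas.add((X509Certificate) c);
        }
        return cas;
    }

    /** Direct-issuer check: the CA must be named as issuer AND its key must verify the signature. */
    static boolean issuedBy(X509Certificate cert, X509Certificate ca) {
        if (!cert.getIssuerX500Principal().equals(ca.getSubjectX500Principal())) return false;
        try {
            cert.verify(ca.getPublicKey());
            return true;
        } catch (Exception e) {
            return false; // same name, different key: e.g. a CA that was re-created with the old subject
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java VvCheck <console.vv> <server-cert.pem>");
            System.exit(2);
        }
        Map<String, String> kv = parseVirtViewerSection(
            new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.UTF_8));
        List<X509Certificate> cas = caCerts(kv);
        X509Certificate server;
        try (InputStream in = Files.newInputStream(Paths.get(args[1]))) {
            server = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("client connects to " + kv.get("host") + ":" + kv.get("tls-port")
            + " and expects host-subject=" + kv.get("host-subject"));
        System.out.println("server cert subject: " + server.getSubjectX500Principal());
        System.out.println("server cert issuer : " + server.getIssuerX500Principal());
        boolean trusted = false;
        for (X509Certificate ca : cas) {
            boolean ok = issuedBy(server, ca);
            System.out.println("ca= entry " + ca.getSubjectX500Principal() + " issues this cert: " + ok);
            trusted |= ok;
        }
        System.out.println(trusted
            ? "chain OK against ca= (subject/hostname check is a separate step)"
            : "no ca= entry signed this certificate: this is the mismatch an unknown_ca alert reports");
        System.exit(trusted ? 0 : 1);
    }
}
```

The check is deliberately direct-issuer only; if the host certificate is signed through an intermediate, the intermediate must itself appear in ca= for the client to build a path, and the program will then say so by reporting the intermediate, not the root, as the issuing entry. Reading the output next to the subject in host-subject shows which of the two (the CA the client trusts, or the certificate the host presents) was changed and which was not.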

I also get these errors in the websocket proxy. It looks like either I messed up a cert on the main ovirt machine, or there is some additional configuration on the hosts.

May 06 22:33:07 ovirt.domain.com ovirt-websocket[31306]: 2019-05-06 22:33:07,786-0400 ovirt-websocket-proxy: INFO log_message:117 <client> - - [06/May/2019 22:33:07] connecting to: <ovirt_node>:5900 (using SSL)
May 06 22:33:07 ovirt.wanderingmad.com ovirt-websocket-proxy.py[30731]: ovirt-websocket-proxy[31306] INFO log_message:117 <client> - - [06/May/2019 22:33:07] connecting to: <ovirt-node>:5900 (using SSL)
May 06 22:33:07 ovirt.domain.com ovirt-websocket-proxy.py[30731]: ovirt-websocket-proxy[31306] INFO msg:887 handler exception: [Errno -2] Name or service not known
participants (2)
- michael@wanderingmad.com
- Yedidyah Bar David