Thank you for the information.
Our internal network is isolated from the campus LAN, so these
steps should do exactly what I need. I will attempt this as soon as all
systems have OpenSSL updated, and document what I can on the wiki.
Thanks,
- Trey
On Thu, Apr 10, 2014 at 5:26 AM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
Thank you Sven,
I would avoid the engine rename process.
Trey,
If the internal network is not exposed to the Internet, only the engine SSL certificate
and key may be re-enrolled.
If you did not issue your own SSL certificate for Apache, execute the following to
create a new key/certificate from the engine's internal CA, replacing @PASSWORD@ with your
own password.
# cp -a /etc/pki/ovirt-engine "/etc/pki/ovirt-engine.$(date "+%Y%m%d")"
# SUBJECT="$(openssl x509 -subject -noout -in /etc/pki/ovirt-engine/certs/apache.cer \
      | sed 's/subject= //')"
# /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=apache \
      --password="@PASSWORD@" --subject="${SUBJECT}"
# openssl pkcs12 -passin "pass:@PASSWORD@" -nokeys \
      -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/certs/apache.cer
# openssl pkcs12 -passin "pass:@PASSWORD@" -nocerts -nodes \
      -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/keys/apache.key.nopass
# chmod 0600 /etc/pki/ovirt-engine/keys/apache.key.nopass
And restart apache.
Regards,
Alon
----- Original Message -----
> From: "Sven Kieske" <S.Kieske(a)mittwald.de>
> To: users(a)ovirt.org
> Sent: Thursday, April 10, 2014 12:41:17 PM
> Subject: Re: [ovirt-users] Regenerating new SSL certificates for ovirt-engine
>
> Hi,
>
> as a first step, make sure to read and understand this page:
>
> http://www.ovirt.org/Features/PKI
>
> There are different certificates for different things.
>
> Sadly, I have no time to elaborate on this difficult topic.
>
> But you may want to restrict access to your engine
> from the network side (firewalls, routing, etc.)
> anyway, to minimize the impact of such vulns.
>
> HTH
>
> PS: Some instructions are also here if I remember
> correctly:
>
> http://www.ovirt.org/Changing_Engine_Hostname
>
> Am 09.04.2014 17:42, schrieb Trey Dockendorf:
> > Given the recent OpenSSL heartbleed vulnerability, I would like to
> > regenerate the certificates used by my ovirt-engine server. What are
> > the steps to regenerate the certificates, and which certificates
> > should be regenerated? My ovirt-engine host is on our campus LAN,
> > which offers no real protection, so I would consider it public facing
> > despite not being routable across the WAN. At minimum I'd like to
> > regenerate the certificates used by Apache.
> >
> > I'd be happy to document this on the wiki, as the only items I could
> > find were related to host renaming.
> >
> > Thanks,
> > - Trey
>
>
> --
> Mit freundlichen Grüßen / Regards
>
> Sven Kieske
>
> Systemadministrator
> Mittwald CM Service GmbH & Co. KG
> Königsberger Straße 6
> 32339 Espelkamp
> T: +49-5772-293-100
> F: +49-5772-293-333
>
> https://www.mittwald.de
> Geschäftsführer: Robert Meyer
> St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
> Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
>
> http://lists.ovirt.org/mailman/listinfo/users
>