I was setting up a new oVirt cluster yesterday, and deployed a Let's
Encrypt SSL cert on it for the website. After that, I noticed that
oVirt was getting errors synchronizing networks with ovirt-provider-ovn.
It appears that the Python library used for SSL by ovirt-provider-ovn
has the same issue as older OpenSSL versions, and can't handle the
default Let's Encrypt root cert path; the path used for old Android
compatibility can end with an expired cert that's still in the CA store
(even though there's another verification path that doesn't end with an
expired cert).

The solution was to switch the Let's Encrypt cert to the "ISRG Root X1"
chain (which is fine, since I don't log in to oVirt from Android 7
devices).

Just an FYI for anyone else using a Let's Encrypt cert (or other cert
with a similar expired root path, they aren't the only one).
--
Chris Adams <cma(a)cmadams.net>
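
Added example (not part of the original post, and not oVirt or ovirt-provider-ovn code): a simplified Python model of the two path-building behaviours the post describes, showing why the default chain fails on a verifier that follows every server-sent cert while the "ISRG Root X1" chain passes. Certificates are matched by name only, the host name and dates are constructed, and the function names are hypothetical.

```python
from datetime import datetime, timezone

def cert(subject, issuer, not_after):
    # Simplified stand-in for an X.509 cert: names and expiry only, no signatures.
    exp = datetime.fromisoformat(not_after).replace(tzinfo=timezone.utc)
    return {"subject": subject, "issuer": issuer, "not_after": exp}

# Constructed data: real Let's Encrypt names, illustrative dates and host name.
LEAF = cert("ovirt.example.test", "R3", "2022-01-01")
R3 = cert("R3", "ISRG Root X1", "2025-09-15")
X1_CROSS = cert("ISRG Root X1", "DST Root CA X3", "2024-09-30")  # cross-signed copy
X1_SELF = cert("ISRG Root X1", "ISRG Root X1", "2035-06-04")     # self-signed root
DST_X3 = cert("DST Root CA X3", "DST Root CA X3", "2021-09-30")  # expired root

DEFAULT_CHAIN = [LEAF, R3, X1_CROSS]  # default chain sent by the server
SHORT_CHAIN = [LEAF, R3]              # the "ISRG Root X1" chain
TRUST_STORE = [X1_SELF, DST_X3]       # expired root still in the CA store
NOW = datetime(2021, 10, 15, tzinfo=timezone.utc)

def find(pool, subject):
    return next((c for c in pool if c["subject"] == subject), None)

def valid(path, now):
    return all(c["not_after"] > now for c in path)

def verify_legacy(chain, store, now):
    """Use every server-sent cert first, then look up a root in the store."""
    path = [chain[0]]
    while (nxt := find(chain[1:], path[-1]["issuer"])) and nxt not in path:
        path.append(nxt)
    root = find(store, path[-1]["issuer"])
    return root is not None and valid(path + [root], now)

def verify_trusted_first(chain, store, now):
    """At each step prefer an unexpired issuer from the store over a sent cert."""
    path = [chain[0]]
    while True:
        anchor = find(store, path[-1]["issuer"])
        if anchor and anchor["not_after"] > now:
            return valid(path, now)
        nxt = find(chain[1:], path[-1]["issuer"])
        if nxt is None or nxt in path:
            return False
        path.append(nxt)

if __name__ == "__main__":
    for name, chain in (("default", DEFAULT_CHAIN), ("ISRG Root X1", SHORT_CHAIN)):
        print(name, "legacy:", verify_legacy(chain, TRUST_STORE, NOW),
              "trusted-first:", verify_trusted_first(chain, TRUST_STORE, NOW))
```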