
Hi.

I have configured Engine webservice to use certificate issued by internal CA. According to http://www.ovirt.org/Features/PKI the CA certificates must be in /etc/pki/ovirt-engine/apache-ca.pem. I have kept the self signed (Engine internal) certificate (previously linked from /etc/pki/ovirt-engine/apache-ca.pem to /etc/pki/ovirt-engine/ca.pem) in /etc/pki/ovirt-engine/ca.pem.

When I want to approve/install node host, the /etc/pki/ovirt-engine/apache-ca.pem file is downloaded to node as /etc/pki/vdsm/certs/cacert.pem. Because vdsmcert.pem is not signed by this CA, libvirt fails to start. How should I set up Engine local and internal CA files, so that they would not conflict?

oVirt Node Hypervisor release 3.0.4 (1.0.201401291204.el6)
oVirt Engine Version: 3.4.3-1.el6

Thank you
---
Raul Laansoo

Hello,

What have you changed apart from the above? What certificate do you get out of:

curl http://@HOST@/ovirt-engine/services/pki-resource?resource=ca-certificate

Alon

Hi Alon.

I get our internal CA certificate. It could be that I have made some changes to the configuration I forgot.

Regards.
Raul.

----- Original Message -----
> From: "Raul Laansoo" <raul.laansoo@bigbank.ee>
> To: "Alon Bar-Lev" <alonbl@redhat.com>
> Cc: "users" <users@ovirt.org>
> Sent: Monday, September 29, 2014 3:59:00 PM
> Subject: Re: [ovirt-users] oVirt node vdsm certificate issue
>
> Hi Alon.
>
> I get our internal CA certificate. It could be that I have made some changes to the configuration I forgot.

So ca.pem is not the engine internal ca certificate, please fix so that apache-ca.pem will contain your ca while ca.pem will remain.
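
The mismatch discussed in this thread (a host certificate that does not chain to the CA file delivered to the node) can be checked with openssl. The following is an added example, not part of the original messages: the function names are hypothetical, and the demo uses constructed throw-away CAs in a temporary directory instead of the real files.

```shell
#!/bin/sh
# Added example. Constructed throw-away CAs stand in for the thread's files:
#   engine-ca    ~ /etc/pki/ovirt-engine/ca.pem  (engine internal CA)
#   corporate-ca ~ a third-party CA placed in apache-ca.pem
#   vdsmcert     ~ /etc/pki/vdsm/certs/vdsmcert.pem on the node

# issued_by CA_FILE CERT_FILE: succeeds if CERT_FILE verifies against CA_FILE.
issued_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# same_cert A B: succeeds if both PEM files hold the same certificate.
same_cert() {
    fa=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 2
    fb=$(openssl x509 -in "$2" -noout -fingerprint -sha256) || return 2
    [ "$fa" = "$fb" ]
}

# make_ca DIR NAME: constructed self-signed CA (fixture only).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_leaf DIR CA NAME: constructed certificate NAME signed by CA.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" >/dev/null 2>&1
}

# demo: prints three words: chain to engine CA, chain to other CA, CAs equal.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" engine-ca && make_ca "$d" corporate-ca &&
        make_leaf "$d" engine-ca vdsmcert || { rm -rf "$d"; return 1; }
    issued_by "$d/engine-ca.pem" "$d/vdsmcert.pem" && a=ok || a=fail
    issued_by "$d/corporate-ca.pem" "$d/vdsmcert.pem" && b=ok || b=fail
    same_cert "$d/engine-ca.pem" "$d/corporate-ca.pem" && c=same || c=differ
    rm -rf "$d"
    echo "$a $b $c"
}
```

On a node, issued_by /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/certs/vdsmcert.pem performs the same check against the real files, and same_cert can compare ca.pem on the engine with the certificate returned by the pki-resource URL once it has been saved to a file.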