
From: ~Stack~ <i.am.stack@gmail.com>
To: users <users@ovirt.org>
Subject: Help with SSL

Greetings,

OS: Scientific Linux 7.3
Ovirt: 4.1.6.2-1.el7.centos
Foreman: 1.16.0-RC1

I updated my OVirt SSL cert from a self-signed to a purchased one using the directions here:
https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/

Everything seems to work from the web interface.

Then I tried to add in Foreman. That's where I get the error:

Unable to save
ERF56-1309 [Foreman::FingerprintException]: The remote system presented a public key signed by an unidentified certificate authority. If you are sure the remote system is authentic, go to the compute resource edit page, press the 'Test Connection' or 'Load Datacenters' button and submit.

Everything I can find says that it *should* be resolved - From Red Hat, to Foreman, to even the Ovirt list! Yet there it is!

Well after poking at it for a while, I realized that the cert Foreman was auto-resolving was still the /OLD/ cert!

Step #2 in those ovirt directions says to break the symbolic link to /etc/pki/ovirt-engine/ca.pem. But it doesn't say what to do with that file. So I replaced it with my cert. Restarted ovirt and now Foreman resolves the correct X509 cert! (I have no idea if that broke something else.)

But I still get the error in foreman. :-(

I feel like I'm still missing something in the ovirt configs. Something needs to be updated/replaced in ovirt that isn't in those docs.

Can anyone help me out please? I've been trying for hours and not making progress.

Thanks!
~Stack~

On Tue, Oct 10, 2017 at 11:48 PM, ~Stack~ <i.am.stack@gmail.com> wrote:

> Greetings,
>
> OS: Scientific Linux 7.3
> Ovirt: 4.1.6.2-1.el7.centos
> Foreman: 1.16.0-RC1
>
> I updated my OVirt SSL cert from a self-signed to a purchased one using the directions here:
> https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/
>
> Everything seems to work from the web interface.
>
> Then I tried to add in Foreman. That's where I get the error:
>
> Unable to save
> ERF56-1309 [Foreman::FingerprintException]: The remote system presented a public key signed by an unidentified certificate authority. If you are sure the remote system is authentic, go to the compute resource edit page, press the 'Test Connection' or 'Load Datacenters' button and submit.
>
> Everything I can find says that it *should* be resolved - From Red Hat, to Foreman, to even the Ovirt list! Yet there it is!
>
> Well after poking at it for a while, I realized that the cert Foreman was auto-resolving was still the /OLD/ cert!
>
> Step #2 in those ovirt directions says to break the symbolic link to /etc/pki/ovirt-engine/ca.pem. But it doesn't say what to do with that file. So I replaced it with my cert. Restarted ovirt and now Foreman resolves the correct X509 cert! (I have no idea if that broke something else.)
>
> But I still get the error in foreman. :-(
>
> I feel like I'm still missing something in the ovirt configs. Something needs to be updated/replaced in ovirt that isn't in those docs.
>
> Can anyone help me out please? I've been trying for hours and not making progress.
>
> Thanks!
> ~Stack~

Hi,

are you able to log in to oVirt webadmin successfully? If so, then oVirt side should be fine.

About Foreman, is it installed on the same machine as oVirt? If not, could you please check that your custom CA is included either in the host-wide truststore or in a specific truststore for Foreman (no idea what Foreman is using, better to ask in the specific Foreman mailing list).

Regards

Martin
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
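
The trust-store check suggested in the reply above, as an added example that is not part of the original thread: it saves the chain a TLS server presents and tests whether the leaf verifies up to a CA in a given bundle, which separates "the client's store lacks the CA" from "the server is not sending its intermediate". It assumes the OpenSSL command-line tool is installed; the function names are hypothetical, and host, port and bundle path are supplied by the caller.

```shell
#!/bin/sh
# Added example: check a presented TLS chain against a client's CA bundle.
# Host names and file paths are the caller's; none come from the thread.

# Save the certificates a server presents (leaf first) as PEM on stdout.
fetch_chain() {  # usage: fetch_chain HOST PORT
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Print subject and issuer of every certificate in a PEM file.
list_chain() {  # usage: list_chain CHAIN.pem
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout
}

# Succeed only if the first cert in CHAIN verifies up to a CA in BUNDLE,
# with the remaining certs in CHAIN offered as untrusted intermediates.
chain_trusted() {  # usage: chain_trusted CHAIN.pem BUNDLE.pem
    out=$(openssl verify -CAfile "$2" -untrusted "$1" "$1" 2>&1) || return 1
    # Inspect the text as well instead of trusting the exit status alone.
    case $out in
        *"error "[0-9]*) return 1 ;;
        *": OK"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run as: sh check_chain.sh HOST PORT BUNDLE.pem
if [ "$#" -eq 3 ]; then
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    fetch_chain "$1" "$2" > "$tmp"
    list_chain "$tmp"
    if chain_trusted "$tmp" "$3"; then
        echo "chain verifies against $3"
    else
        echo "chain does NOT verify against $3" >&2
        exit 1
    fi
fi
```

Run it on the client machine against the bundle that client actually uses; on EL7-family systems the host-wide bundle is normally /etc/pki/tls/certs/ca-bundle.crt. A failure with the full presented chain points at the bundle, while a chain that lists only the leaf points at a missing intermediate on the server.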

From: ~Stack~ <i.am.stack@gmail.com>
Cc: users <users@ovirt.org>
Subject: Re: [ovirt-users] Help with SSL

On 10/11/2017 05:51 AM, Martin Perina wrote:

[snip]

> On Tue, Oct 10, 2017 at 11:48 PM, ~Stack~ <i.am.stack@gmail.com> wrote:
>
> are you able to log in to oVirt webadmin successfully? If so, then oVirt side should be fine.

I am able to log into oVirt webadmin successfully. Is there a reason to keep the old cert, or was it OK for me to replace /etc/pki/ovirt-engine/ca.pem with mine?

> About Foreman, is it installed on the same machine as oVirt?

It is on a separate machine.

> If not, could you please check that your custom CA is included either in the host-wide truststore or in a specific truststore for Foreman (no idea what Foreman is using, better to ask in the specific Foreman mailing list).

I will check.

Thanks Martin!
~Stack~