Greetings, I have a running oVirt install that's been working for almost 2 years. I'm building a _completely_ new install. I mention it because it is useful for me to compare configurations when I run into issues like this one. Right now there are three physical hosts: 1x management where I run the engine and db 2x hypervisor nodes. I had it up and installed and running smooth this morning on 4.3.9.4-1.el7 on Scientific Linux 7.8 (fully patched). I copied over our 3rd party certs from the running system and restarted httpd. Perfect. SSL is running! /etc/pki/ovirt-engine/apache-ca.pem /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/keys/apache.key.nopass Next I used ovirt-engine-extension-aaa-ldap-setup to point to our ldap server. I did the login and search test and both passed on the command line! Horray! Then I went to the web interface... sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target I'm digging through logs and I don't see anything close to this error except nearly the identical message in engine.log. ERROR [org.ovirt.engine.core.aaa.servlet.SslPostLoginServlet] (default task-2) [] server_error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target I can't log in via the web at all, I only get that message (so I can't even test out the local admin). The aaa ldap configuration it generated is darn near perfectly identical (just a name change). The certs are the same. Even when I look in the keystore, the sha1 hashes are the same between the two environments! After over an hour poking at this, I'm completely stumped. Can someone please give me a pointer on what I should try next? Thanks! ~Stack~
Can you check https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html just in case you missed a step ? Best Regards, Strahil Nikolov На 27 май 2020 г. 23:10:53 GMT+03:00, Stack Korora <stackkorora@disroot.org> написа:
Greetings, I have a running oVirt install that's been working for almost 2 years. I'm building a _completely_ new install. I mention it because it is useful for me to compare configurations when I run into issues like this one.
Right now there are three physical hosts: 1x management where I run the engine and db 2x hypervisor nodes.
I had it up and installed and running smooth this morning on 4.3.9.4-1.el7 on Scientific Linux 7.8 (fully patched).
I copied over our 3rd party certs from the running system and restarted httpd. Perfect. SSL is running! /etc/pki/ovirt-engine/apache-ca.pem /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/keys/apache.key.nopass
Next I used ovirt-engine-extension-aaa-ldap-setup to point to our ldap server. I did the login and search test and both passed on the command line! Horray!
Then I went to the web interface...
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I'm digging through logs and I don't see anything close to this error except nearly the identical message in engine.log.
ERROR [org.ovirt.engine.core.aaa.servlet.SslPostLoginServlet] (default task-2) [] server_error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I can't log in via the web at all, I only get that message (so I can't even test out the local admin). The aaa ldap configuration it generated is darn near perfectly identical (just a name change). The certs are the same. Even when I look in the keystore, the sha1 hashes are the same between the two environments!
After over an hour poking at this, I'm completely stumped.
Can someone please give me a pointer on what I should try next?
Thanks! ~Stack~ _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/YOR3ATLII3LYIB...
On 2020-05-28 16:07, Strahil Nikolov wrote:
Can you check https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html just in case you missed a step ?
Best Regards, Strahil Nikolov
Greetings, Thanks for replying. I was going to argue a bit since the way my certs come are in different formats so my commands are a bit different then the directions. But I went through step by step. Got to the end, and the internal authentication was working with the right SSL cert! My LDAP authentication was missing though...it looks correct. So I redid all the steps for adding LDAP. At the end of the ovirt-engine-extension-aaa-ldap-setup script, I can test accounts and search so I know that is correct. My cert is in the right .jks file. Still nothing I do shows anything but internal. So I scrapped the changes and started over. Round three on a fresh reboot (just in case I missed a service) with the SSL certs and configuring LDAP. SSL works, internal works, ldap doesn't show up as a drop-down option for the profile. Grr...Reboot just in case I missed a service again...nope. SSL and internal work, ldap still not shown in the profile. Tried a different browser, same thing. Double Grr... Any suggestions on where I might be going wrong? Thanks!
You mentioned that your certificates were different. Did you try converting them to the type used in the example ? Best Regards, Strahil Nikolov На 29 май 2020 г. 1:29:51 GMT+03:00, Stack Korora <stackkorora@disroot.org> написа:
On 2020-05-28 16:07, Strahil Nikolov wrote:
Can you check https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html just in case you missed a step ?
Best Regards, Strahil Nikolov
Greetings,
Thanks for replying.
I was going to argue a bit since the way my certs come are in different formats so my commands are a bit different then the directions. But I went through step by step. Got to the end, and the internal authentication was working with the right SSL cert! My LDAP authentication was missing though...it looks correct.
So I redid all the steps for adding LDAP. At the end of the ovirt-engine-extension-aaa-ldap-setup script, I can test accounts and search so I know that is correct. My cert is in the right .jks file. Still nothing I do shows anything but internal.
So I scrapped the changes and started over. Round three on a fresh reboot (just in case I missed a service) with the SSL certs and configuring LDAP. SSL works, internal works, ldap doesn't show up as a drop-down option for the profile.
Grr...Reboot just in case I missed a service again...nope. SSL and internal work, ldap still not shown in the profile. Tried a different browser, same thing. Double Grr...
Any suggestions on where I might be going wrong?
Thanks!
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/A4BKWITWPNPYYV...
Hi Stack, if I understand correctly your custom SSL certificates are working correctly and you are able to login to webadmin using admin@internal, right? If the problem is, that your aaa-ldap profile is not visible in the login dialog, then there is some issue with aaa-ldap configuration. You have mentioned that you used ovirt-engine-extension-aaa-ldap-setup tool to create you aaa-ldap profile, have you executed login and search operation at the end of setup tool? If so, were they successful? Anyway right you can use following command to debug your aaa extensions setup: # ovirt-engine-extensions-tool info list-extensions Using above command, could you see authn and authz instance of your aaa-ldap profile? If so, please try below tests: 1. Checking is user search is working: # ovirt-engine-extensions-tool aaa search --extension-name=<YOUR PROFILE AUTHZ NAME> --entity-name=<VALID LDAP USERNAME> 2. Checking if login is working # ovirt-engine-extensions-tool aaa login-user --profile=<YOUR PROFILE NAME> --user-name=<VALID LDAP USERNAME> You can find more informations in: https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles.html https://www.ovirt.org/develop/release-management/features/infra/extension-te... Regards, Martin On Fri, May 29, 2020 at 9:32 AM Strahil Nikolov via Users <users@ovirt.org> wrote:
You mentioned that your certificates were different. Did you try converting them to the type used in the example ?
Best Regards, Strahil Nikolov
На 29 май 2020 г. 1:29:51 GMT+03:00, Stack Korora <stackkorora@disroot.org> написа:
On 2020-05-28 16:07, Strahil Nikolov wrote:
Can you check https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html just in case you missed a step ?
Best Regards, Strahil Nikolov
Greetings,
Thanks for replying.
I was going to argue a bit since the way my certs come are in different formats so my commands are a bit different then the directions. But I went through step by step. Got to the end, and the internal authentication was working with the right SSL cert! My LDAP authentication was missing though...it looks correct.
So I redid all the steps for adding LDAP. At the end of the ovirt-engine-extension-aaa-ldap-setup script, I can test accounts and search so I know that is correct. My cert is in the right .jks file. Still nothing I do shows anything but internal.
So I scrapped the changes and started over. Round three on a fresh reboot (just in case I missed a service) with the SSL certs and configuring LDAP. SSL works, internal works, ldap doesn't show up as a drop-down option for the profile.
Grr...Reboot just in case I missed a service again...nope. SSL and internal work, ldap still not shown in the profile. Tried a different browser, same thing. Double Grr...
Any suggestions on where I might be going wrong?
Thanks!
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/A4BKWITWPNPYYV... _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/5ANRX472AJLRXM...
-- Martin Perina Manager, Software Engineering Red Hat Czech s.r.o.
On 2020-05-29 08:08, Martin Perina wrote:
Hi Stack,
if I understand correctly your custom SSL certificates are working correctly and you are able to login to webadmin using admin@internal, right?
Correct.
If the problem is, that your aaa-ldap profile is not visible in the login dialog, then there is some issue with aaa-ldap configuration. You have mentioned that you used ovirt-engine-extension-aaa-ldap-setup tool to create you aaa-ldap profile, have you executed login and search operation at the end of setup tool? If so, were they successful?
I did and yes they were.
Anyway right you can use following command to debug your aaa extensions setup:
# ovirt-engine-extensions-tool info list-extensions
Using above command, could you see authn and authz instance of your aaa-ldap profile?
I do see both authz and authn.
If so, please try below tests:
1. Checking is user search is working:
# ovirt-engine-extensions-tool aaa search --extension-name=<YOUR PROFILE AUTHZ NAME> --entity-name=<VALID LDAP USERNAME>
It does work and it returns valid information.
2. Checking if login is working
# ovirt-engine-extensions-tool aaa login-user --profile=<YOUR PROFILE NAME> --user-name=<VALID LDAP USERNAME>
A result=SUCCESS on that too! However, I still don't see a second profile option on the web login. Thanks for responding and giving me some help!
Hi, could you please restart ovirt-engine service and share server.log and engine.log from /var/log/ovirt-engine ? Thanks, Martin On Fri, May 29, 2020 at 4:36 PM Stack Korora <stackkorora@disroot.org> wrote:
On 2020-05-29 08:08, Martin Perina wrote:
Hi Stack,
if I understand correctly your custom SSL certificates are working correctly and you are able to login to webadmin using admin@internal, right?
Correct.
If the problem is, that your aaa-ldap profile is not visible in the login dialog, then there is some issue with aaa-ldap configuration. You have mentioned that you used ovirt-engine-extension-aaa-ldap-setup tool to create you aaa-ldap profile, have you executed login and search operation at the end of setup tool? If so, were they successful?
I did and yes they were.
Anyway right you can use following command to debug your aaa extensions setup:
# ovirt-engine-extensions-tool info list-extensions
Using above command, could you see authn and authz instance of your aaa-ldap profile?
I do see both authz and authn.
If so, please try below tests:
1. Checking is user search is working:
# ovirt-engine-extensions-tool aaa search --extension-name=<YOUR PROFILE AUTHZ NAME> --entity-name=<VALID LDAP USERNAME>
It does work and it returns valid information.
2. Checking if login is working
# ovirt-engine-extensions-tool aaa login-user --profile=<YOUR PROFILE NAME> --user-name=<VALID LDAP USERNAME>
A result=SUCCESS on that too! However, I still don't see a second profile option on the web login.
Thanks for responding and giving me some help!
-- Martin Perina Manager, Software Engineering Red Hat Czech s.r.o.
On 2020-06-02 06:16, Martin Perina wrote:
Hi,
could you please restart ovirt-engine service and share server.log and engine.log from /var/log/ovirt-engine ?
Greetings Martin, Thank you for the response. Sorry it took a while, I had a family issue come up and had to road-trip 10hours away for a few days. An update on the status, we were also struggling with an unrelated hardware problem. The new NVMe drives were giving my coworkers and myself issues on 7. My coworker tried CentOS8 just to see what happened, and it worked flawlessly. So we _just_ rebuilt the whole thing: CentOS8 + oVirt 4.4. We figured we might as well attempt to future-proof this install a little bit while it is still in the "build" stage. :-) One of my goals today is to get SSL and LDAP working on the fresh install. If I have issues, I will post back. Thank you again!
On 2020-05-29 07:03, Strahil Nikolov via Users wrote:
You mentioned that your certificates were different. Did you try converting them to the type used in the example ?
Yeah. So I will walk through the steps. Since I don't have a p12 format, the directions say "proceed to Replacing the Red Hat Virtualization Manager Apache SSL Certificate". Well, that isn't right. :-) Instead I skipped to "Replacing the oVirt Engine Apache SSL Certificate" I converted mine to PEM and did step #1 and I included not just my cert but the full chain. No issues there. I replaced the PEM per #2 and #3. Then backed up per #4. Step #5 & #6 require steps from the first section I skipped above. So I did those. If I do those steps exactly, I will get SSL errors about untrusted cert. However, if I add (>> vs >) to the original (which I backed up) then all the SSL errors go away. That was with apache.key.nopass and apache.cer. The rest of the steps I followed exactly. Not sure if that helps point out what I did wrong. Thanks for replying!
participants (3)
-
Martin Perina -
Stack Korora -
Strahil Nikolov