Can you check https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html just in case you missed a step ? Best Regards, Strahil Nikolov На 27 май 2020 г. 23:10:53 GMT+03:00, Stack Korora <stackkorora(a)disroot.org&gt; написа: >Greetings, >I have a running oVirt install that's been working for almost 2 years. >I'm building a _completely_ new install. I mention it because it is >useful for me to compare configurations when I run into issues like >this >one. > >Right now there are three physical hosts: >1x management where I run the engine and db >2x hypervisor nodes. > >I had it up and installed and running smooth this morning on >4.3.9.4-1.el7 on Scientific Linux 7.8 (fully patched). > >I copied over our 3rd party certs from the running system and restarted >httpd. Perfect. SSL is running! >/etc/pki/ovirt-engine/apache-ca.pem >/etc/pki/ovirt-engine/certs/apache.cer >/etc/pki/ovirt-engine/keys/apache.key.nopass > >Next I used ovirt-engine-extension-aaa-ldap-setup to point to our ldap >server. I did the login and search test and both passed on the command >line! Horray! > >Then I went to the web interface... > >sun.security.validator.ValidatorException: PKIX path building failed: >sun.security.provider.certpath.SunCertPathBuilderException: unable to >find valid certification path to requested target > >I'm digging through logs and I don't see anything close to this error >except nearly the identical message in engine.log. > >ERROR [org.ovirt.engine.core.aaa.servlet.SslPostLoginServlet] (default >task-2) [] server_error: sun.security.validator.ValidatorException: >PKIX >path building failed: >sun.security.provider.certpath.SunCertPathBuilderException: unable to >find valid certification path to requested target > >I can't log in via the web at all, I only get that message (so I can't >even test out the local admin). The aaa ldap configuration it generated >is darn near perfectly identical (just a name change). The certs are >the >same. Even when I look in the keystore, the sha1 hashes are the same >between the two environments! > >After over an hour poking at this, I'm completely stumped. > >Can someone please give me a pointer on what I should try next? > >Thanks! >~Stack~ >_______________________________________________ >Users mailing list -- users(a)ovirt.org >To unsubscribe send an email to users-leave(a)ovirt.org >Privacy Statement: https://www.ovirt.org/privacy-policy.html >oVirt Code of Conduct: >https://www.ovirt.org/community/about/community-guidelines/ >List Archives: >https://lists.ovirt.org/archives/list/users@ovirt.org/message/YOR3ATLII3LYIBEYVOKTEE4RIYZGJR76/

You mentioned that your certificates were different. Did you try converting them to the type used in the example ? Best Regards, Strahil Nikolov На 29 май 2020 г. 1:29:51 GMT+03:00, Stack Korora <stackkorora(a)disroot.org&gt; написа: >On 2020-05-28 16:07, Strahil Nikolov wrote: >> Can you check >https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html > just in case you missed a step ? >> >> Best Regards, >> Strahil Nikolov > >Greetings, > >Thanks for replying. > >I was going to argue a bit since the way my certs come are in different >formats so my commands are a bit different then the directions. But I >went through step by step. Got to the end, and the internal >authentication was working with the right SSL cert! My LDAP >authentication was missing though...it looks correct. > >So I redid all the steps for adding LDAP. At the end of the >ovirt-engine-extension-aaa-ldap-setup script, I can test accounts and >search so I know that is correct. My cert is in the right .jks file. >Still nothing I do shows anything but internal. > >So I scrapped the changes and started over. Round three on a fresh >reboot (just in case I missed a service) with the SSL certs and >configuring LDAP. SSL works, internal works, ldap doesn't show up as a >drop-down option for the profile. > >Grr...Reboot just in case I missed a service again...nope. SSL and >internal work, ldap still not shown in the profile. Tried a different >browser, same thing. Double Grr... > >Any suggestions on where I might be going wrong? > >Thanks! > > > >_______________________________________________ >Users mailing list -- users(a)ovirt.org >To unsubscribe send an email to users-leave(a)ovirt.org >Privacy Statement: https://www.ovirt.org/privacy-policy.html >oVirt Code of Conduct: >https://www.ovirt.org/community/about/community-guidelines/ >List Archives: >https://lists.ovirt.org/archives/list/users@ovirt.org/message/A4BKWITWPNPYYVLDVRN4XOSDTN4LPNB3/

On 2020-05-29 08:08, Martin Perina wrote: Correct. I did and yes they were. I do see both authz and authn. It does work and it returns valid information. A result=SUCCESS on that too! However, I still don't see a second profile option on the web login. Thanks for responding and giving me some help!

On 2020-06-02 06:16, Martin Perina wrote: Greetings Martin, Thank you for the response. Sorry it took a while, I had a family issue come up and had to road-trip 10hours away for a few days. An update on the status, we were also struggling with an unrelated hardware problem. The new NVMe drives were giving my coworkers and myself issues on 7. My coworker tried CentOS8 just to see what happened, and it worked flawlessly. So we _just_ rebuilt the whole thing: CentOS8 + oVirt 4.4. We figured we might as well attempt to future-proof this install a little bit while it is still in the "build" stage. :-) One of my goals today is to get SSL and LDAP working on the fresh install. If I have issues, I will post back. Thank you again!