
On Fri, Aug 2, 2019 at 4:37 PM Dominik Holler <dholler@redhat.com> wrote:
On Thu, 1 Aug 2019 20:45:56 -0500 Chris Adams <cma@cmadams.net> wrote:
I figured it out. When ovirt-provider-ovn attempts to connect back to the engine via HTTPS, it tells the python requests module to use the specified CA cert file... but that won't work with most 3rd-party certs because they have an intermediate cert as well. It appears that the requests module tries to validate both certs.
Creating /etc/ovirt-provider-ovn/conf.d/99-custom-cert.conf that just has:
[OVIRT]
ovirt-ca-file=
tells the module to use the regular system CA cert file(s), which works.
Thanks for your investigation! Looks like the empty string is converted implicitly to Boolean in
https://github.com/psf/requests/blob/75bdc998e2d430a35d869b2abf1779bd0d34890... Because bool('') is False in python, the certificate should be checked at all.
Because bool('') is False in python, the certificate should *not* be checked at all.
Would ovirt-ca-file=/etc/pki/tls/certs/ca-bundle.crt work for you? (It works for https://helloworld.letsencrypt.org)
This should probably be added to the oVirt doc for using a 3rd-party cert.
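The thread turns on one detail: python-requests tests its `verify` argument for truthiness, so an empty `ovirt-ca-file=` does not mean "use the system trust store", it means "do not verify the server certificate at all". The following is an added example (not code from ovirt-provider-ovn or from requests) that reads the two conf.d fragments quoted above with the standard library, reproduces the relevant branch of requests' `HTTPAdapter.cert_verify()` in simplified form, shows a hardened mapping that falls back to the system CA path reported by the `ssl` module instead of passing `''` through, and counts the certificates in a PEM bundle, since a third-party chain needs the intermediate in the CA file as well. The PEM bundle in the block is a constructed placeholder, not real certificates, and the `<requests default bundle>` marker stands in for whatever bundle requests ships with.

```python
"""How an empty ovirt-ca-file value reaches python-requests (added example).

Stdlib only. requests_cert_reqs() is a simplified transcription of the
decision in requests' HTTPAdapter.cert_verify(); it is not the real module
and not the provider's own code.
"""
import configparser
import re
import ssl
from typing import Optional, Tuple, Union

# Constructed samples: the two conf.d fragments discussed in the thread.
CONF_EMPTY = "[OVIRT]\novirt-ca-file=\n"
CONF_BUNDLE = "[OVIRT]\novirt-ca-file=/etc/pki/tls/certs/ca-bundle.crt\n"

# Constructed placeholder bundle with two PEM blocks; the bodies are NOT
# real certificates, they only exercise the counting logic below.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIB...root-placeholder...\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIB...intermediate-placeholder...\n-----END CERTIFICATE-----\n"
)

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)


def read_ca_file(conf_text: str) -> str:
    """Return the raw ovirt-ca-file value as an INI-style reader sees it.

    `ovirt-ca-file=` with nothing after the '=' yields the empty string.
    """
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.get("OVIRT", "ovirt-ca-file", fallback="")


def requests_cert_reqs(verify: Union[bool, str]) -> Tuple[str, Optional[str]]:
    """Mirror of the verify branch in requests' cert_verify() (simplified).

    requests checks `if url.startswith('https') and verify:`; since
    bool('') is False, an empty string lands in the CERT_NONE branch and
    the peer certificate is not validated at all.
    """
    if verify:
        ca_loc = None if verify is True else verify
        return ("CERT_REQUIRED", ca_loc or "<requests default bundle>")
    return ("CERT_NONE", None)


def safe_verify_value(raw: str) -> Union[bool, str]:
    """Hardened mapping: an empty setting must never disable verification.

    '' -> the system CA file the ssl module knows about (e.g. the
    ca-bundle.crt path suggested in the thread), or True if none is
    reported, which makes requests use its own bundle. Non-empty values
    are passed through unchanged.
    """
    raw = raw.strip()
    if raw:
        return raw
    return ssl.get_default_verify_paths().cafile or True


def count_pem_certs(pem_text: str) -> int:
    """Number of certificates in a PEM bundle.

    For a third-party leaf the CA file handed to requests must contain the
    intermediate as well as the root, so a one-entry file is suspect.
    """
    return len(PEM_CERT.findall(pem_text))


if __name__ == "__main__":
    for label, conf in (("empty", CONF_EMPTY), ("bundle", CONF_BUNDLE)):
        raw = read_ca_file(conf)
        print(
            f"{label}: {raw!r} -> as requests sees it: {requests_cert_reqs(raw)}"
            f" | hardened: {requests_cert_reqs(safe_verify_value(raw))}"
        )
    print("certificates in sample bundle:", count_pem_certs(SAMPLE_BUNDLE))
```

The practical check before trusting a `99-custom-cert.conf` override is therefore: an empty value is a verification bypass, a path is a CA bundle, and that bundle must carry the full chain the third-party leaf is signed under.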
Circling back to an old email...
Once upon a time, Yedidyah Bar David <didi@redhat.com> said:
On Wed, Jan 30, 2019 at 10:28 PM Chris Adams <cma@cmadams.net> wrote:
However, while digging, I also noticed that now the engine is not communicating with ovirt-provider-ovn, possibly due to a similar issue? It is having the reverse problem; it rejects the engine's cert.
Didn't try this yet, adding Dominik.
Was anybody able to look at this? I had to use my dev hardware for something else for a bit, so re-installed with 4.3.5 yesterday. The imageio SSL cert issue looks good, but I still can't figure out the ovirt-provider-ovn CA usage.
My little bit of digging seems to show that the engine connects to the provider and is using an SSL client cert, and that cert is signed by something... but I'm not sure what. I think the provider side is trying to validate with the following setting from /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
[OVIRT]
ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem
Following the general "3rd-party SSL", that is now the Let's Encrypt CA. I tried changing it to point to the original self-signed oVirt CA (same directory, just "ca.pem"), but that didn't work either.
Any suggestions?