
I figured it out. When ovirt-provider-ovn attempts to connect back to the engine via HTTPS, it tells the python requests module to use the specified CA cert file... but that won't work with most 3rd-party certs because they have an intermediate cert as well. It appears that the requests module tries to validate both certs. Creating /etc/ovirt-provider-ovn/conf.d/99-custom-cert.conf that just has:

[OVIRT]
ovirt-ca-file=

tells the module to use the regular system CA cert file(s), which works. This should probably be added to the oVirt doc for using a 3rd-party cert.

Once upon a time, Chris Adams <cma@cmadams.net> said:
Circling back to an old email...
Once upon a time, Yedidyah Bar David <didi@redhat.com> said:
On Wed, Jan 30, 2019 at 10:28 PM Chris Adams <cma@cmadams.net> wrote:
However, while digging, I also noticed that now the engine is not communicating with ovirt-provider-ovn, possibly due to a similar issue? It is having the reverse problem; it rejects the engine's cert.
Didn't try this yet, adding Dominik.
Was anybody able to look at this? I had to use my dev hardware for something else for a bit, so re-installed with 4.3.5 yesterday. The imageio SSL cert issue looks good, but I still can't figure out the ovirt-provider-ovn CA usage.
My little bit of digging seems to show that the engine connects to the provider and is using an SSL client cert, and that cert is signed by something... but I'm not sure what. I think the provider side is trying to validate with the following setting from /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
[OVIRT]
ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem
Following the general "3rd-party SSL", that is now the Let's Encrypt CA. I tried changing it to point to the original self-signed oVirt CA (same directory, just "ca.pem"), but that didn't work either.
Any suggestions?
-- Chris Adams <cma@cmadams.net>
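The trust-anchor behaviour behind the fix above, as an added example that is not part of the thread and not ovirt-provider-ovn's or python-requests' own code: a throwaway root -> intermediate -> leaf chain is generated with the openssl CLI (all subjects, file names and the engine.example.test hostname are constructed for the demo), and `openssl verify` is run with different CA-file contents. A CA file given to requests via verify=<path> is used as the complete set of trust anchors in exactly the same way, so the four cases below reproduce what the provider sees. Case 1 assumes apache-ca.pem was filled with the issuing intermediate rather than the root, which is the common way a "3rd-party CA" ends up in that file; the thread does not state what the file contained.

```shell
#!/bin/sh
# Added example, not from the thread, oVirt or python-requests. Builds a demo
# root -> intermediate -> leaf chain and shows which CA-file contents make
# `openssl verify` accept the leaf. requests verify=<CA file> applies the same
# rule: the chain must end at a self-signed cert present in that file.
set -eu

# make_chain DIR: writes root.pem, int.pem, leaf.pem (+ keys) into DIR.
# Subjects and the hostname engine.example.test are constructed for the demo.
make_chain() {
  dir=$1
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:engine.example.test\n' > "$dir/leaf.ext"

  # self-signed root CA
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" -out "$dir/root.csr" \
    -subj "/CN=Demo Root CA" >/dev/null 2>&1
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -out "$dir/root.pem" \
    -days 2 -extfile "$dir/ca.ext" >/dev/null 2>&1

  # intermediate CA signed by the root
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int.key" -out "$dir/int.csr" \
    -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -out "$dir/int.pem" -days 2 -extfile "$dir/ca.ext" >/dev/null 2>&1

  # server (engine) leaf signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
    -subj "/CN=engine.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -out "$dir/leaf.pem" -days 2 -extfile "$dir/leaf.ext" >/dev/null 2>&1
}

# verify_leaf CAFILE LEAF [UNTRUSTED]: prints OK or FAIL.
# CAFILE plays the role of the file named by ovirt-ca-file; UNTRUSTED plays the
# role of the extra certificates the server sends in the TLS handshake.
verify_leaf() {
  if [ $# -ge 3 ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 || true)
  else
    out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
  fi
  case $out in
    *": OK"*) echo OK ;;
    *)        echo FAIL ;;
  esac
}

WORK=$(mktemp -d)
make_chain "$WORK"
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/bundle.pem"

# 1. CA file holds only the issuing intermediate: the chain never reaches a
#    self-signed anchor, so verification fails even though the server sends
#    the intermediate too.
echo "intermediate-only CA file:       $(verify_leaf "$WORK/int.pem" "$WORK/leaf.pem" "$WORK/int.pem")"
# 2. CA file holds the root, but the server sends only its leaf: the issuer
#    of the leaf cannot be found, so verification fails.
echo "root CA, no intermediate sent:   $(verify_leaf "$WORK/root.pem" "$WORK/leaf.pem")"
# 3. CA file holds the root and the server sends the intermediate: OK.
echo "root CA, intermediate sent:      $(verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/int.pem")"
# 4. CA file bundles root and intermediate: OK even if the server omits it.
echo "root+intermediate bundle:        $(verify_leaf "$WORK/bundle.pem" "$WORK/leaf.pem")"
```

On a real host the same two checks apply: `openssl s_client -connect <engine>:443 -showcerts` lists what the engine actually sends in the handshake, and `openssl verify -CAfile /etc/pki/ovirt-engine/apache-ca.pem -untrusted <certs the engine sent> <engine leaf>` reproduces what the provider's requests call does with that verify= path. Leaving ovirt-ca-file= empty switches requests to its default bundle, which already carries the public root, so only the intermediate sent by the server is needed.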