
On Wed, Jan 30, 2019 at 10:28 PM Chris Adams <cma@cmadams.net> wrote:
Digging a little deeper... if I add the Let's Encrypt CA to /etc/pki/ovirt-engine/.truststore, imageio-proxy works (I can successfully upload an ISO), so I guess the issue is that imageio-proxy uses the same cert for web and engine communication and the engine wasn't happy with the public-CA-signed cert.
I think I agree with your analysis. I now reproduced this on a test env. I started with ovirt-system-tests basic suite deploy, made sure I can upload an image. Then I followed the docs about replacing certs, using a temporarily-created CA for testing (using openssl, actually using a copy of the engine's pki scripts), including adding 99-custom-truststore.conf, imported the CA's cert to the browser, and:

1. Connecting with the browser worked, all is green.
2. Logged in, pressed "Disks -> Upload -> Start -> Test Connection", and it failed.
3. Edited the ovirt-imageio-proxy conf to point key and cert to a key and cert I created and signed using my temp ca, restarted it, "Test Connection" worked.
4. Actually uploading the image failed as you describe.
5. Imported my CA's cert to /etc/pki/ovirt-engine/.truststore, using:

keytool -importcert -trustcacerts -keystore /etc/pki/ovirt-engine/.truststore -storepass mypass -file /etc/pki/ovirt-engine/apache-ca.pem

and restarted the engine, and then upload works.

Adding Martin and Nir.
So, rather than point part of the engine at a separate trust store (as the docs recommend), maybe just add the public CA to the engine's existing trust store?
I admit I still didn't try to fully analyze this myself, but I tend to agree with you. Or rather: Our docs should probably support both options - tell the engine to trust (and use?) the system-wide store, or manually add a specific cert. Because I guess you can find people that will prefer either option.
However, while digging, I also noticed that now the engine is not communicating with ovirt-provider-ovn, possibly due to a similar issue? It is having the reverse problem; it rejects the engine's cert.
Didn't try this yet, adding Dominik.
This is all on 4.2.8 BTW.
I personally tried this on:

ovirt-engine-4.3.0-0.8.master.20190122121624.git9a8a519.el7.noarch

I guess the behavior didn't change much between them.

Thanks for your debugging and report!

Best regards,
--
Didi
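An added check script, not from this thread or the oVirt project, for the situation described above: it exports the CAs held in the engine's Java truststore and verifies whether the certificate imageio-proxy presents chains to one of them, which is exactly what failed before the keytool import. The truststore path and password are taken from the thread; the proxy certificate path is a placeholder, and the test PKI is constructed locally with openssl.

```shell
#!/bin/sh
# Added example (not from the thread). Checks whether the cert that
# ovirt-imageio-proxy presents to the engine chains to a CA stored in the
# engine's Java truststore. Requires openssl; keytool only for the export.

# Export every certificate in a Java truststore as one PEM bundle ($3).
# keytool -list -rfc prints the stored certificates in PEM form.
export_truststore_cas() {
    keystore="$1"; storepass="$2"; out="$3"
    keytool -list -rfc -keystore "$keystore" -storepass "$storepass" \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        > "$out"
}

# Return 0 if the PEM certificate $2 verifies against the CA bundle $1.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a throwaway CA, a leaf signed by it, and an unrelated CA in dir $1.
# Constructed test data only; it stands in for the temp CA from the thread.
make_test_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-ca" \
        -keyout "$d/other-ca.key" -out "$d/other-ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=imageio-proxy" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/leaf.pem" >/dev/null 2>&1
}

# Real-system usage (truststore path/password from the thread, proxy cert
# path is a placeholder for whatever the imageio-proxy conf points at):
#   export_truststore_cas /etc/pki/ovirt-engine/.truststore mypass /tmp/engine-cas.pem
#   if verify_against /tmp/engine-cas.pem /path/to/imageio-proxy-cert.pem; then
#       echo "engine trusts the proxy cert"
#   else
#       echo "CA missing from truststore: import it with keytool -importcert"
#   fi
```

If the check fails after a cert replacement, the fix from the thread applies: import the signing CA into /etc/pki/ovirt-engine/.truststore and restart the engine.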