
Circling back to an old email...

Once upon a time, Yedidyah Bar David <didi@redhat.com> said:
> On Wed, Jan 30, 2019 at 10:28 PM Chris Adams <cma@cmadams.net> wrote:
> > However, while digging, I also noticed that now the engine is not communicating with ovirt-provider-ovn, possibly due to a similar issue? It is having the reverse problem; it rejects the engine's cert.
>
> Didn't try this yet, adding Dominik.

Was anybody able to look at this? I had to use my dev hardware for something else for a bit, so re-installed with 4.3.5 yesterday. The imageio SSL cert issue looks good, but I still can't figure out the ovirt-provider-ovn CA usage.

My little bit of digging seems to show that the engine connects to the provider and is using an SSL client cert, and that cert is signed by something... but I'm not sure what.

I think the provider side is trying to validate with the following setting from /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf

    [OVIRT]
    ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem

Following the general "3rd-party SSL", that is now the Let's Encrypt CA. I tried changing it to point to the original self-signed oVirt CA (same directory, just "ca.pem"), but that didn't work either.

Any suggestions?

-- 
Chris Adams <cma@cmadams.net>
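
The question in the message above turns on which CA file actually validates the client certificate the engine presents. The script below is an added example (not from the thread or the oVirt project) that tests one certificate against several candidate CA files with `openssl verify`. The function names, CA names and temp-dir files are constructed stand-ins; on a real host the arguments would be the engine's client certificate (path not given in the thread) and the candidate files such as apache-ca.pem and ca.pem.

```shell
#!/usr/bin/env bash
# Added example: report which candidate CA file(s) validate a certificate.
# All keys and certificates below are constructed throwaway test material.

# signing_cas CERT CA_FILE...  -> prints each CA file that verifies CERT
signing_cas() {
    local cert=$1 ca; shift
    for ca in "$@"; do
        if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
            printf '%s\n' "$ca"
        fi
    done
}

# build_demo_pki DIR: two unrelated self-signed CAs standing in for an
# internal CA and a third-party CA, plus a client cert issued by the first.
build_demo_pki() {
    local d=$1 name
    cat >"$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    for name in internal-ca third-party-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ca.cnf" \
            -subj "/CN=$name" -keyout "$d/$name.key" -out "$d/$name.pem" 2>/dev/null
    done
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=client" -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/internal-ca.pem" \
        -CAkey "$d/internal-ca.key" -set_serial 1 -days 1 \
        -out "$d/client.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
# Show who issued the client cert, then which CA file would accept it.
openssl x509 -in "$demo_dir/client.pem" -noout -issuer -subject
signing_cas "$demo_dir/client.pem" \
    "$demo_dir/internal-ca.pem" "$demo_dir/third-party-ca.pem"
```

A certificate that no candidate file accepts produces no output from `signing_cas`, which points at a missing intermediate or a different issuing CA than the ones tried.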