[ovirt-devel] [missing_subjectAltName] in engine ca certificate?

Martin Perina mperina at redhat.com
Wed May 10 06:35:20 UTC 2017


Does this mean that we need to create new CA for all existing oVirt
installations which are not using custom HTTPS certificate signed by
external CA?

On Sun, May 7, 2017 at 7:37 PM, Nir Soffer <nsoffer at redhat.com> wrote:

> On Sun, May 7, 2017 at 8:27 PM Dan Kenigsberg <danken at redhat.com> wrote:
>
>> On Sun, May 7, 2017 at 8:22 PM, Nir Soffer <nsoffer at redhat.com> wrote:
>> > I imported the certificate from my engine into chrome[1], but Chrome
>> > refuses to use it because:
>> >
>> >     This server could not prove that it is ...; its security
>> >     certificate is from [missing_subjectAltName].
>> >
>> > Same certificate used to work 2 weeks ago, looks like new Chrome
>> > version changed the rules.
>> >
>> > Without importing engine CA, there is no way to upload images
>> > via engine.
>> >
>> > Tested on engine 4.1.1 and 4.1.2 on Centos 7.3.
>> >
>> > Is this  known issue?
>> >
>> > [1] from
>> > http://<engine_url>/ovirt-engine/services/pki-resource?
>> resource=ca-certificate&format=X509-PEM-CA
>> >
>> > Nir
>>
>> https://gerrit.ovirt.org/#/c/74614/
>>
>> "This patch is not yet working, but can be used for discussion."
>>
>
> Thanks!
>
> Do you know how to manually fix engine certificates until we have a working
> patch?
>
> Nir
>
> _______________________________________________
> Devel mailing list
> Devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/devel/attachments/20170510/3cf1600f/attachment-0001.html>


More information about the Devel mailing list