[ovirt-devel] [missing_subjectAltName] in engine ca certificate?
Nir Soffer
nsoffer at redhat.com
Wed May 10 06:42:38 UTC 2017
On Wed, May 10, 2017 at 9:35 AM Martin Perina <mperina at redhat.com> wrote:
> Does this mean that we need to create new CA for all existing oVirt
> installations which are not using custom HTTPS certificate signed by
> external CA?
>
This seems to be the case, Chrome is rejecting the old certificate.
>
> On Sun, May 7, 2017 at 7:37 PM, Nir Soffer <nsoffer at redhat.com> wrote:
>
>> On Sun, May 7, 2017 at 8:27 PM Dan Kenigsberg <danken at redhat.com> wrote:
>>
>>> On Sun, May 7, 2017 at 8:22 PM, Nir Soffer <nsoffer at redhat.com> wrote:
>>> > I imported the certificate from my engine into chrome[1], but Chrome
>>> > refuses to use it because:
>>> >
>>> > This server could not prove that it is ...; its security
>>> > certificate is from [missing_subjectAltName].
>>> >
>>> > Same certificate used to work 2 weeks ago, looks like new Chrome
>>> > version changed the rules.
>>> >
>>> > Without importing engine CA, there is no way to upload images
>>> > via engine.
>>> >
>>> > Tested on engine 4.1.1 and 4.1.2 on Centos 7.3.
>>> >
>>> > Is this known issue?
>>> >
>>> > [1] from
>>> > http://
>>> <engine_url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
>>> >
>>> > Nir
>>>
>>> https://gerrit.ovirt.org/#/c/74614/
>>>
>>> "This patch is not yet working, but can be used for discussion."
>>>
>>
>> Thanks!
>>
>> Do you know how to manually fix engine certificates until we have a
>> working
>> patch?
>>
>> Nir
>>
>> _______________________________________________
>> Devel mailing list
>> Devel at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/devel
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/devel/attachments/20170510/e074c99a/attachment.html>
More information about the Devel
mailing list