[ovirt-devel] [missing_subjectAltName] in engine ca certificate?

Juan Hernández jhernand at redhat.com
Wed May 10 07:13:14 UTC 2017 

On 05/10/2017 09:07 AM, Yaniv Kaul wrote:
> 
> 
> On Wed, May 10, 2017 at 9:35 AM, Martin Perina <mperina at redhat.com
> <mailto:mperina at redhat.com>> wrote:
> 
>     Does this mean that we need to create new CA for all existing oVirt
>     installations which are not using custom HTTPS certificate signed by
>     external CA?
> 
> 
> No, just a new certificate for Engine, I believe.
> Y.
> 

Probably not even for the engine, but just for the web server.

> 
>     On Sun, May 7, 2017 at 7:37 PM, Nir Soffer <nsoffer at redhat.com
>     <mailto:nsoffer at redhat.com>> wrote:
> 
>         On Sun, May 7, 2017 at 8:27 PM Dan Kenigsberg <danken at redhat.com
>         <mailto:danken at redhat.com>> wrote:
> 
>             On Sun, May 7, 2017 at 8:22 PM, Nir Soffer
>             <nsoffer at redhat.com <mailto:nsoffer at redhat.com>> wrote:
>             > I imported the certificate from my engine into chrome[1],
>             but Chrome
>             > refuses to use it because:
>             >
>             >     This server could not prove that it is ...; its security
>             >     certificate is from [missing_subjectAltName].
>             >
>             > Same certificate used to work 2 weeks ago, looks like new
>             Chrome
>             > version changed the rules.
>             >
>             > Without importing engine CA, there is no way to upload images
>             > via engine.
>             >
>             > Tested on engine 4.1.1 and 4.1.2 on Centos 7.3.
>             >
>             > Is this  known issue?
>             >
>             > [1] from
>             >
>             http://<engine_url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
>             >
>             > Nir
> 
>             https://gerrit.ovirt.org/#/c/74614/
>             <https://gerrit.ovirt.org/#/c/74614/>
> 
>             "This patch is not yet working, but can be used for discussion."
> 
> 
>         Thanks!
> 
>         Do you know how to manually fix engine certificates until we
>         have a working
>         patch?
> 
>         Nir
> 
>         _______________________________________________
>         Devel mailing list
>         Devel at ovirt.org <mailto:Devel at ovirt.org>
>         http://lists.ovirt.org/mailman/listinfo/devel
>         <http://lists.ovirt.org/mailman/listinfo/devel>
> 
> 
> 
>     _______________________________________________
>     Devel mailing list
>     Devel at ovirt.org <mailto:Devel at ovirt.org>
>     http://lists.ovirt.org/mailman/listinfo/devel
>     <http://lists.ovirt.org/mailman/listinfo/devel>
> 
> 
> 
> 
> _______________________________________________
> Devel mailing list
> Devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/devel
>

More information about the Devel mailing list