[ovirt-devel] [missing_subjectAltName] in engine ca certificate?

Yedidyah Bar David didi at redhat.com
Wed May 10 11:24:10 UTC 2017


On Wed, May 10, 2017 at 2:06 PM, Martin Perina <mperina at redhat.com> wrote:
>
>
> On Wed, May 10, 2017 at 9:13 AM, Juan Hernández <jhernand at redhat.com> wrote:
>>
>> On 05/10/2017 09:07 AM, Yaniv Kaul wrote:
>> >
>> >
>> > On Wed, May 10, 2017 at 9:35 AM, Martin Perina <mperina at redhat.com
>> > <mailto:mperina at redhat.com>> wrote:
>> >
>> >     Does this mean that we need to create new CA for all existing oVirt
>> >     installations which are not using custom HTTPS certificate signed by
>> >     external CA?
>> >
>> >
>> > No, just a new certificate for Engine, I believe.
>> > Y.
>> >
>>
>> Probably not even for the engine, but just for the web server.
>
>
> @Sandro/@Didi: do we have some documentation how to create new engine HTTPS
> certificate signed by oVirt internal CA with subjectAltName properly set?

I don't think so, and didn't try that myself. Adding Dominik.
The doc will likely be a(n almost?) subset of bz 1420577.

I suggest opening a bug for this, and making 1449503 depend on it.
Also it might be not very hard to do in engine-setup instead of in a doc.
Perhaps open another bug for that if you want.

>
>>
>> >
>> >     On Sun, May 7, 2017 at 7:37 PM, Nir Soffer <nsoffer at redhat.com
>> >     <mailto:nsoffer at redhat.com>> wrote:
>> >
>> >         On Sun, May 7, 2017 at 8:27 PM Dan Kenigsberg <danken at redhat.com
>> >         <mailto:danken at redhat.com>> wrote:
>> >
>> >             On Sun, May 7, 2017 at 8:22 PM, Nir Soffer
>> >             <nsoffer at redhat.com <mailto:nsoffer at redhat.com>> wrote:
>> >             > I imported the certificate from my engine into chrome[1],
>> >             > but Chrome refuses to use it because:
>> >             >
>> >             >     This server could not prove that it is ...; its
>> >             >     security certificate is from [missing_subjectAltName].
>> >             >
>> >             > Same certificate used to work 2 weeks ago, looks like new
>> >             > Chrome version changed the rules.
>> >             >
>> >             > Without importing engine CA, there is no way to upload
>> >             > images via engine.
>> >             >
>> >             > Tested on engine 4.1.1 and 4.1.2 on Centos 7.3.
>> >             >
>> >             > Is this a known issue?
>> >             >
>> >             > [1] from
>> >             > http://<engine_url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
>> >             >
>> >             > Nir
>> >
>> >             https://gerrit.ovirt.org/#/c/74614/
>> >
>> >             "This patch is not yet working, but can be used for discussion."
>> >
>> >
>> >         Thanks!
>> >
>> >         Do you know how to manually fix engine certificates until we have a
>> >         working patch?
>> >
>> >         Nir
>> >
>> >         _______________________________________________
>> >         Devel mailing list
>> >         Devel at ovirt.org <mailto:Devel at ovirt.org>
>> >         http://lists.ovirt.org/mailman/listinfo/devel
>> >         <http://lists.ovirt.org/mailman/listinfo/devel>
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>>
>



-- 
Didi
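As an added illustration, not code from this thread or from the oVirt PKI tooling: a constructed shell session that signs a server certificate with a throwaway "internal CA" twice, once with subjectAltName and once without, then checks which one carries the extension Chrome 58+ insists on (the CN-only certificate is what Chrome reports as [missing_subjectAltName]). The hostname, IP address, file names and temp directory are made up.

```shell
#!/bin/sh
# Constructed example: issue an HTTPS server certificate signed by a throwaway
# internal CA with subjectAltName set, then verify the SAN is really present.
# Hypothetical names: engine.example.test / 192.0.2.10; files live in a tmpdir.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# 1. Throwaway CA (stands in for the internal CA; not the real oVirt CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Internal CA" \
  -keyout ca.key -out ca.pem >/dev/null 2>&1

# 2. Server key and CSR. A CN alone no longer satisfies Chrome 58+.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=engine.example.test" \
  -keyout engine.key -out engine.csr >/dev/null 2>&1

# 3. Sign it, adding subjectAltName through an extension file.
cat > san.ext <<'EOF'
subjectAltName = DNS:engine.example.test, IP:192.0.2.10
extendedKeyUsage = serverAuth
EOF
openssl x509 -req -in engine.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 1 -extfile san.ext -out engine-san.pem >/dev/null 2>&1

# Same CSR signed without the extension file: the [missing_subjectAltName] case.
openssl x509 -req -in engine.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 1 -out engine-nosan.pem >/dev/null 2>&1

# has_san CERT_PEM: exit 0 if the certificate carries a subjectAltName
# extension, 1 otherwise (text + grep works across OpenSSL versions).
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Subject Alternative Name'
}

# san_names CERT_PEM: print the SAN entries on one line, empty if none.
san_names() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

if has_san engine-san.pem; then
  echo "engine-san.pem OK: $(san_names engine-san.pem)"
fi
if ! has_san engine-nosan.pem; then
  echo "engine-nosan.pem would be rejected by Chrome: no subjectAltName"
fi
```

Running has_san against the certificate the engine's web server actually serves tells you before users do whether it will trip the same Chrome check.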

