[Users] Hosted Engine adding host SSL Failure (w/ engine custom cert)

Yedidyah Bar David didi at redhat.com
Wed Jan 29 07:05:06 UTC 2014


> From: "Andrew Lau" <andrew at andrewklau.com>
> To: "users" <users at ovirt.org>
> Sent: Wednesday, January 29, 2014 8:38:33 AM
> Subject: [Users] Hosted Engine adding host SSL Failure (w/ engine custom
> cert)

> Hi,

> After running through the new patch posted in BZ 1055153 I'm adding a second
> host to the hosted-engine cluster but it seems to fail right before the
> finish:

> [ ERROR ] Failed to execute stage 'Closing up': [ERROR]::oVirt API connection
> failure, [Errno 1] _ssl.c:492: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

> Couple Extra Notes:
> Engine has a custom SSL cert but the CA has been trusted by the new host.
> When I temporarily return the engine's SSL back to the default generated one
> the install will succeed.

> Setup logs: http://www.fpaste.org/72624/13909770/

> What confuses me is:

> curl https://engine.example.net with the custom SSL cert will succeed but
> with the original self-signed gives the expected "insecure" message. What
> criteria need to be met so the install will pass?

Seems like a bug (or a missing feature) - hosted-engine only supports the self-signed cert. Can you please open a bug for this? 

You might manage to make it work by replacing /etc/pki/ovirt-engine/ca.pem with the certificate of your CA, but this will prevent adding hosts (because it's needed to create a certificate for them). Perhaps other things will break too, I didn't try that.
-- 
Didi 
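
Added example, not part of the original thread and not oVirt code: a throwaway reproduction of the trust-anchor mismatch discussed above, using only the openssl CLI. It assumes the setup client validates the engine certificate against the engine's own CA file rather than the host's system trust store, which is what the reply suggests; all CA names and file names are constructed.

```shell
#!/bin/sh
# Constructed demo: every key, subject and file name here is a throwaway value.

# Create a self-signed CA; $1 = file prefix, $2 = subject CN.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Issue a server certificate; $1 = CA prefix, $2 = output prefix, $3 = subject CN.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 2 -out "$2.pem" 2>/dev/null
}

# Print "ok" if certificate $2 verifies against the CA in file $1, else "fail".
check_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Build the scenario in directory $1 and print the three verification results.
run_demo() {
    (
        cd "$1" || exit 1
        make_ca internal-ca "Constructed engine internal CA"
        make_ca custom-ca "Constructed custom CA"
        issue_cert internal-ca default-cert engine.example.net
        issue_cert custom-ca custom-cert engine.example.net
        echo "default cert vs internal CA: $(check_chain internal-ca.pem default-cert.pem)"
        echo "custom cert vs custom CA:    $(check_chain custom-ca.pem custom-cert.pem)"
        echo "custom cert vs internal CA:  $(check_chain internal-ca.pem custom-cert.pem)"
    )
}

run_demo "$(mktemp -d)"
```

The third result is the reported failure in miniature: a certificate with a valid chain, checked against an anchor that did not issue it.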