[Users] Hosted Engine adding host SSL Failure (w/ engine custom cert)
Yedidyah Bar David
didi at redhat.com
Wed Jan 29 07:11:58 UTC 2014
> From: "Yedidyah Bar David" <didi at redhat.com>
> To: "Andrew Lau" <andrew at andrewklau.com>
> Cc: "users" <users at ovirt.org>
> Sent: Wednesday, January 29, 2014 9:05:06 AM
> Subject: Re: [Users] Hosted Engine adding host SSL Failure (w/ engine custom cert)
> > From: "Andrew Lau" <andrew at andrewklau.com>
>
> > To: "users" <users at ovirt.org>
>
> > Sent: Wednesday, January 29, 2014 8:38:33 AM
>
> > Subject: [Users] Hosted Engine adding host SSL Failure (w/ engine custom cert)
>
> > Hi,
>
> > After running through the new patch posted in BZ 1055153 I'm adding a second
> > host to the hosted-engine cluster but it seems to fail right before the finish:
>
> > [ ERROR ] Failed to execute stage 'Closing up': [ERROR]::oVirt API connection
> > failure, [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> > Couple Extra Notes:
>
> > Engine has a custom SSL cert but the CA has been trusted by the new host.
> > When I temporarily return the engine's SSL back to the default generated one
> > the install will succeed.
>
> > Setup logs: http://www.fpaste.org/72624/13909770/
>
> > What confuses me is:
>
> > curl https://engine.example.net with the custom SSL cert will succeed but
> > with the original self-signed gives the expected "insecure" message. What
> > criteria need to be met so the install will pass?
>
> Seems like a bug (or a missing feature) - hosted-engine only supports the
> self-signed cert. Can you please open a bug for this?
> You might manage to make it work by replacing /etc/pki/ovirt-engine/ca.pem
> with the certificate of your ca, but this will prevent adding hosts (because
> it's needed to create a certificate for them). Perhaps other things will
> break too, I didn't try that.
On second thought, I don't think it will work. The engine will still sign certs for hosts with its private key, but the hosts will try to verify that with the ca.pem you put there and fail.
--
Didi
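The mismatch Andrew describes (curl succeeds, the setup's API connection fails) is the difference between checking the engine's certificate against the system trust store and checking it against one specific CA file. The script below is an added example, not from the thread or from oVirt; it builds two throwaway CAs with openssl and shows that a certificate issued by one does not verify against the other's CA file, which is the assumed situation when the setup checks against /etc/pki/ovirt-engine/ca.pem while the engine serves a certificate from the organisation's own CA.

```shell
#!/bin/sh
# Constructed demo: two independent CAs, standing in for the oVirt internal CA
# (ca.pem) and an organisation's own CA that signed the engine's custom cert.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate and key under $WORK
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert CA CN: leaf certificate for CN, signed by CA's key
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
        -out "$WORK/$2.pem" 2>/dev/null
}

# verifies_against CAFILE CERTFILE: exit 0 if CERTFILE chains to CAFILE.
# This is the check a client pinned to one CA file performs; it ignores
# whatever the system trust store (which curl consults) contains.
verifies_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: engine cert issued by the corporate CA, checked against both CA files
make_ca internal-ca
make_ca corp-ca
issue_cert corp-ca engine.example.net
ENGINE="$WORK/engine.example.net.pem"
for ca in corp-ca internal-ca; do
    if verifies_against "$WORK/$ca.pem" "$ENGINE"; then
        echo "$ca.pem: certificate verify OK"
    else
        echo "$ca.pem: certificate verify failed"
    fi
done
```

Running it prints OK for corp-ca.pem and "certificate verify failed" for internal-ca.pem, the same outcome as a client pinned to the internal CA file talking to an engine that presents the custom certificate.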