[Users] Hosted Engine adding host SSL Failure (w/ engine custom cert)

Andrew Lau andrew at andrewklau.com
Wed Jan 29 08:17:21 UTC 2014


Shame about the way the CA works, may be worth putting a reverse proxy in
front as unsigned SSL can be a deal breaker.

Anyway, my vdsm.log is here http://www.fpaste.org/72643/98338713/

When it's "Still waiting for VDSM host to become operational.." there is no
output in vdsm.log

On Wed, Jan 29, 2014 at 6:11 PM, Yedidyah Bar David <didi at redhat.com> wrote:

> From: "Yedidyah Bar David" <didi at redhat.com>
> To: "Andrew Lau" <andrew at andrewklau.com>
> Cc: "users" <users at ovirt.org>
> Sent: Wednesday, January 29, 2014 9:05:06 AM
> Subject: Re: [Users] Hosted Engine adding host SSL Failure (w/ engine custom cert)
>
>
> From: "Andrew Lau" <andrew at andrewklau.com>
> To: "users" <users at ovirt.org>
> Sent: Wednesday, January 29, 2014 8:38:33 AM
> Subject: [Users] Hosted Engine adding host SSL Failure (w/ engine custom cert)
>
> Hi,
>
> After running through the new patch posted in BZ 1055153 I'm adding a
> second host to the hosted-engine cluster but it seems to fail right before
> the finish:
>
> [ ERROR ] Failed to execute stage 'Closing up': [ERROR]::oVirt API
> connection failure, [Errno 1] _ssl.c:492: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> A couple of extra notes:
> Engine has a custom SSL cert but the CA has been trusted by the new host.
> When I temporarily return the engine's SSL back to the default generated
> one the install will succeed.
>
> Setup logs: http://www.fpaste.org/72624/13909770/
>
> What confuses me is:
>
> curl https://engine.example.net with the custom SSL cert will succeed but
> with the original self-signed gives the expected "insecure" message. What
> criteria need to be met so the install will pass?
>
>
> Seems like a bug (or a missing feature) - hosted-engine only supports the
> self-signed cert. Can you please open a bug for this?
>
> You might manage to make it work by replacing /etc/pki/ovirt-engine/ca.pem
> with the certificate of your ca, but this will prevent adding hosts
> (because it's needed to create a certificate for them). Perhaps other
> things will break too, I didn't try that.
>
>
> On second thought, I don't think it will work. The engine will still
> sign certs for hosts with its private key, but the hosts will try to verify
> that with the ca.pem you put there and fail.
> --
> Didi
>
>
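To make the trust-chain point in the quoted reply concrete, here is an added demonstration (not code from the thread or from oVirt): a server certificate issued by an external CA verifies against that CA's bundle, but fails with "certificate verify failed" when the verifier only trusts the engine's own CA, which is the situation the hosted-engine client is in. Every file name and CN below is constructed for the demo; it only needs the openssl CLI.

```shell
# Added demonstration, not code from the thread: a certificate issued by a
# custom CA verifies against that CA but not against the engine's own ca.pem,
# which is the trust store the hosted-engine client is checking with.
# Every file name and CN below is constructed for the demo.
set -eu

# Build two CAs and one server certificate (signed by the custom CA) in $1.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    # Minimal req config so CA certificates get CA:TRUE on every OpenSSL version.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
    for ca in engine-ca custom-ca; do
        # engine-ca stands in for /etc/pki/ovirt-engine/ca.pem; custom-ca for
        # the external CA that issued the engine's HTTPS certificate.
        openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$ca" -keyout "$dir/$ca.key" -out "$dir/$ca.pem" >/dev/null 2>&1
    done
    # Server key and CSR for the engine hostname, issued by the custom CA only.
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=engine.example.net" -keyout "$dir/engine.key" \
        -out "$dir/engine.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/engine.csr" -CA "$dir/custom-ca.pem" \
        -CAkey "$dir/custom-ca.key" -CAcreateserial \
        -out "$dir/engine-custom.pem" >/dev/null 2>&1
}

# Returns 0 when certificate $2 chains to the CA bundle $1, non-zero otherwise.
# A non-zero result is what the client reports as "certificate verify failed".
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: show both outcomes, then clean up.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
chains_to_ca "$demo_dir/custom-ca.pem" "$demo_dir/engine-custom.pem" \
    && echo "trust store = custom CA    : verify OK"
chains_to_ca "$demo_dir/engine-ca.pem" "$demo_dir/engine-custom.pem" \
    || echo "trust store = engine ca.pem: certificate verify failed (expected)"
rm -rf "$demo_dir"
```

The same two-sided check against the real engine (its HTTPS certificate versus /etc/pki/ovirt-engine/ca.pem and versus the custom CA's bundle) tells you quickly which trust store a failing client is using.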