[ovirt-users] ovirt 3.5 engine web certificate

Baptiste Agasse baptiste.agasse at lyra-network.com
Mon Aug 31 11:54:28 EDT 2015


Hi all,

I've followed the procedure to replace self signed certificate to one issued by our internal PKI to avoid security failure when users access to the webui (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https). The connection to the webui now works fine without any security warning (the internal PKI CA is in the trusted CA of our clients OS). But on the other hand, i've some troubles:

* I've to specify the --ca-file option for ovirt-shell and engine-iso-uploader (i didn't test the engine-image-upload command), it will be nice if the documentation provide a way to replace this by default (or use the trusted ca store of the OS ?). This is not a bug just some feedback on the certificate change procedure that don't cover these side effects.
* I can't add new ovirt-node anymore. The ovirt-hosted-engine --deploy fails on new nodes with an SSL error. To workaround this i've to modify the file "/usr/lib/python2.7/site-packages/ovirtsdk/web/connection.py" around line 233 to make an insecure connection to the engine and add the new node. I didn't have tested to add a new node from the ovirt engine cli/webui but i think it will be the same issue because the error occurs on the vdsm activation that is common to the 'new hosted engine node' and 'new node' deployment. I've seen https://bugzilla.redhat.com/show_bug.cgi?id=1059952 but the workaround noted in the comment #8 didn't work for me.

Someone have more info on this issue or have the same problem ?

This deployment is on ovirt 3.5.3, CentOS 7 (engine and nodes).

Have a nice day.

Regards.

-- 
Baptiste


More information about the Users mailing list