[ovirt-users] ovirt 3.5 engine web certificate
Baptiste Agasse
baptiste.agasse at lyra-network.com
Tue Sep 1 11:36:18 UTC 2015
Hi,
----- Le 1 Sep 15, à 9:43, Sandro Bonazzola <sbonazzo at redhat.com> a écrit :
> On Mon, Aug 31, 2015 at 6:08 PM, Alon Bar-Lev < alonbl at redhat.com > wrote:
>> ----- Original Message -----
>> > From: "Baptiste Agasse" < baptiste.agasse at lyra-network.com >
>> > To: "users" < users at ovirt.org >
>> > Sent: Monday, August 31, 2015 6:54:28 PM
>> > Subject: [ovirt-users] ovirt 3.5 engine web certificate
>> > Hi all,
>> > I've followed the procedure to replace self signed certificate to one issued
>> > by our internal PKI to avoid security failure when users access to the webui
>>> (
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https
>> > ).
>> > The connection to the webui now works fine without any security warning (the
>> > internal PKI CA is in the trusted CA of our clients OS). But on the other
>> > hand, i've some troubles:
>> > * I've to specify the --ca-file option for ovirt-shell and
>> > engine-iso-uploader (i didn't test the engine-image-upload command), it will
>> > be nice if the documentation provide a way to replace this by default (or
>> > use the trusted ca store of the OS ?). This is not a bug just some feedback
>> > on the certificate change procedure that don't cover these side effects.
>> This is [1], probably you want to modify the configuration files of these tools
>> at /etc so you will have proper defaults.
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1146710
Thank you for this link.
>> > * I can't add new ovirt-node anymore.
>> If ovirt-node was added using previous certificate it "Remembers" that
>> certificate.
>> You can remove it from /etc/pki/vdsm/engine_web_ca.pem and try to register
>> again.
>> > * The ovirt-hosted-engine --deploy fails
>> > on new nodes with an SSL error. To workaround this i've to modify the file
>> > "/usr/lib/python2.7/site-packages/ovirtsdk/web/connection.py" around line
>> > 233 to make an insecure connection to the engine and add the new node. I
>> > didn't have tested to add a new node from the ovirt engine cli/webui but i
>> > think it will be the same issue because the error occurs on the vdsm
>> > activation that is common to the 'new hosted engine node' and 'new node'
>> > deployment. I've seen https://bugzilla.redhat.com/show_bug.cgi?id=1059952
>> > but the workaround noted in the comment #8 didn't work for me.
>> CC sandro for this.
> Can you please share full sos report?
The report is a little bit big (about 57MB) to be sent by mail, have you any procedure i can use to send it to you ?
>> > Someone have more info on this issue or have the same problem ?
>> > This deployment is on ovirt 3.5.3, CentOS 7 (engine and nodes).
>> > Have a nice day.
>> > Regards.
>> > --
>> > Baptiste
>> > _______________________________________________
>> > Users mailing list
>> > Users at ovirt.org
>> > http://lists.ovirt.org/mailman/listinfo/users
> --
> Sandro Bonazzola
> Better technology. Faster innovation. Powered by community collaboration.
> See how it works at redhat.com
--
Baptiste
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20150901/a8cc92fb/attachment-0001.html>
More information about the Users
mailing list