[ovirt-users] ovirt 3.5 engine web certificate

Baptiste Agasse baptiste.agasse at lyra-network.com
Tue Sep 1 11:36:18 UTC 2015


Hi, 

----- Le 1 Sep 15, à 9:43, Sandro Bonazzola <sbonazzo at redhat.com> a écrit : 

> On Mon, Aug 31, 2015 at 6:08 PM, Alon Bar-Lev < alonbl at redhat.com > wrote:

>> ----- Original Message -----
>> > From: "Baptiste Agasse" < baptiste.agasse at lyra-network.com >
>> > To: "users" < users at ovirt.org >
>> > Sent: Monday, August 31, 2015 6:54:28 PM
>> > Subject: [ovirt-users] ovirt 3.5 engine web certificate

>> > Hi all,

>> > I've followed the procedure to replace self signed certificate to one issued
>> > by our internal PKI to avoid security failure when users access to the webui
>>> (
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https
>> > ).
>> > The connection to the webui now works fine without any security warning (the
>> > internal PKI CA is in the trusted CA of our clients OS). But on the other
>> > hand, i've some troubles:

>> > * I've to specify the --ca-file option for ovirt-shell and
>> > engine-iso-uploader (i didn't test the engine-image-upload command), it will
>> > be nice if the documentation provide a way to replace this by default (or
>> > use the trusted ca store of the OS ?). This is not a bug just some feedback
>> > on the certificate change procedure that don't cover these side effects.

>> This is [1], probably you want to modify the configuration files of these tools
>> at /etc so you will have proper defaults.

>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1146710

Thank you for this link. 

>> > * I can't add new ovirt-node anymore.

>> If ovirt-node was added using previous certificate it "Remembers" that
>> certificate.
>> You can remove it from /etc/pki/vdsm/engine_web_ca.pem and try to register
>> again.

>> > * The ovirt-hosted-engine --deploy fails
>> > on new nodes with an SSL error. To workaround this i've to modify the file
>> > "/usr/lib/python2.7/site-packages/ovirtsdk/web/connection.py" around line
>> > 233 to make an insecure connection to the engine and add the new node. I
>> > didn't have tested to add a new node from the ovirt engine cli/webui but i
>> > think it will be the same issue because the error occurs on the vdsm
>> > activation that is common to the 'new hosted engine node' and 'new node'
>> > deployment. I've seen https://bugzilla.redhat.com/show_bug.cgi?id=1059952
>> > but the workaround noted in the comment #8 didn't work for me.

>> CC sandro for this.

> Can you please share full sos report?

The report is a little bit big (about 57MB) to be sent by mail, have you any procedure i can use to send it to you ? 


>> > Someone have more info on this issue or have the same problem ?

>> > This deployment is on ovirt 3.5.3, CentOS 7 (engine and nodes).

>> > Have a nice day.

>> > Regards.

>> > --
>> > Baptiste
>> > _______________________________________________
>> > Users mailing list
>> > Users at ovirt.org
>> > http://lists.ovirt.org/mailman/listinfo/users


> --
> Sandro Bonazzola
> Better technology. Faster innovation. Powered by community collaboration.
> See how it works at redhat.com

-- 
Baptiste 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20150901/a8cc92fb/attachment-0001.html>


More information about the Users mailing list