[ovirt-users] ovirt 3.5 engine web certificate

Sandro Bonazzola sbonazzo at redhat.com
Fri Sep 4 08:43:59 UTC 2015


On Tue, Sep 1, 2015 at 1:36 PM, Baptiste Agasse <
baptiste.agasse at lyra-network.com> wrote:

> Hi,
>
> ----- On 1 Sep 15, at 9:43, Sandro Bonazzola <sbonazzo at redhat.com> wrote:
>
>
>
> On Mon, Aug 31, 2015 at 6:08 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>
>>
>>
>> ----- Original Message -----
>> > From: "Baptiste Agasse" <baptiste.agasse at lyra-network.com>
>> > To: "users" <users at ovirt.org>
>> > Sent: Monday, August 31, 2015 6:54:28 PM
>> > Subject: [ovirt-users] ovirt 3.5 engine web certificate
>> >
>> > Hi all,
>> >
>> > I've followed the procedure to replace the self-signed certificate with one
>> > issued by our internal PKI to avoid security failure when users access the
>> > webui (
>> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https
>> > ).
>> > The connection to the webui now works fine without any security warning (the
>> > internal PKI CA is in the trusted CAs of our clients' OS). But on the other
>> > hand, I have some troubles:
>> >
>> > * I have to specify the --ca-file option for ovirt-shell and
>> > engine-iso-uploader (I didn't test the engine-image-upload command). It would
>> > be nice if the documentation provided a way to replace this by default (or
>> > use the trusted CA store of the OS?). This is not a bug, just some feedback
>> > on the certificate change procedure, which doesn't cover these side effects.
>>
>> This is [1], probably you want to modify the configuration files of these
>> tools at /etc so you will have proper defaults.
>>
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1146710
>>
>
> Thank you for this link.
>
>
>> > * I can't add new ovirt-node anymore.
>>
>> If ovirt-node was added using previous certificate it "Remembers" that
>> certificate.
>> You can remove it from /etc/pki/vdsm/engine_web_ca.pem and try to
>> register again.
>>
>> > * The ovirt-hosted-engine --deploy fails
>> > on new nodes with an SSL error. To work around this I have to modify the file
>> > "/usr/lib/python2.7/site-packages/ovirtsdk/web/connection.py" around line
>> > 233 to make an insecure connection to the engine and add the new node. I
>> > haven't tested adding a new node from the ovirt engine cli/webui, but I
>> > think it will be the same issue because the error occurs on the vdsm
>> > activation that is common to the 'new hosted engine node' and 'new node'
>> > deployment. I've seen https://bugzilla.redhat.com/show_bug.cgi?id=1059952
>> > but the workaround noted in comment #8 didn't work for me.
>>
>> CC sandro for this.
>>
>
> Can you please share full sos report?
>
>
> The report is a little bit big (about 57MB) to be sent by mail. Have you
> any procedure I can use to send it to you?
>


Can you share it on Google Drive / Dropbox or any other file sharing service?


>
>
>> >
>> > Does anyone have more info on this issue or have the same problem?
>> >
>> > This deployment is on ovirt 3.5.3, CentOS 7 (engine and nodes).
>> >
>> > Have a nice day.
>> >
>> > Regards.
>> >
>> > --
>> > Baptiste
>> >
>>
>
>
>
> --
> Sandro Bonazzola
> Better technology. Faster innovation. Powered by community collaboration.
> See how it works at redhat.com
>
>
> --
> Baptiste
>



-- 
Sandro Bonazzola
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com
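
The stale-CA situation discussed in this thread (a tool's --ca-file or a host's /etc/pki/vdsm/engine_web_ca.pem still holding the old CA after the engine web certificate is replaced) can be checked offline with openssl verify. This is an added example, not part of the original messages or of oVirt's own tooling; the two CAs, the file names and engine.example.test are throwaway values constructed for the demonstration.

```bash
# Constructed demo: every file lives in a temp dir; no real oVirt path is touched.

# ca_trusts_cert CA_FILE CERT_FILE
# Exit 0 only if CERT_FILE chains to a CA in CA_FILE. -no-CApath (OpenSSL 1.1.0+)
# keeps the OS trust directory out of the decision, so the verdict is about
# this one file, as it is for a tool given an explicit ca-file.
ca_trusts_cert() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_ca DIR NAME: throwaway self-signed CA. Assumes the default openssl.cnf,
# which marks "req -x509" certificates as CA:TRUE.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2 (constructed)" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# build_demo DIR: an old CA that tools and hosts still hold, a new internal-PKI
# CA, and an engine web certificate issued by the new CA.
build_demo() {
    make_ca "$1" old_ca && make_ca "$1" new_ca &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=engine.example.test" \
        -keyout "$1/engine.key" -out "$1/engine.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/engine.csr" -days 1 \
        -CA "$1/new_ca.pem" -CAkey "$1/new_ca.key" -CAcreateserial \
        -out "$1/engine.pem" 2>/dev/null
}

# report CA_FILE CERT_FILE: one-line verdict for the pair.
report() {
    if ca_trusts_cert "$1" "$2"; then
        echo "OK    $1 validates $2"
    else
        echo "STALE $1 does not validate $2"
    fi
}

demo_dir=$(mktemp -d)
build_demo "$demo_dir"
report "$demo_dir/old_ca.pem" "$demo_dir/engine.pem"   # stale CA file
report "$demo_dir/new_ca.pem" "$demo_dir/engine.pem"   # CA file after replacement
```

On a real system, ca_trusts_cert takes the CA file a tool or host is configured with and a saved copy of the engine's web certificate.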