[ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4

Beckman, Daniel Daniel.Beckman at ingramcontent.com
Wed Nov 2 16:49:59 EDT 2016


Thanks very much for the detailed instructions! I was able to upgrade from 3.6.7 to 4.0.4 successfully. Here are some additional notes for those (like me) who were already using a custom HTTPS certificate in 3.6:

On step #3 "b" (mv YOUR-3RD-PARTY-CERT.p12 /etc/pki/ovirt-engine/keys/apache.p12): I didn't need to perform this, as the file was already there from my previous 3.6 configuration; setup had not removed it.

On step #4 (extracting the private key and certificate): I didn't need to perform this either; the existing files were left intact from version 3.6.

Restarting Apache and oVirt service was not enough to bring up the web admin portal in my case. I had to reboot the server running oVirt engine, after which the web admin portal was accessible.

I recommend backing up /etc/pki in addition to /etc/ovirt-engine prior to running setup.

Best,
Daniel

From: <users-bounces at ovirt.org> on behalf of Martin Perina <mperina at redhat.com>
Date: Tuesday, November 1, 2016 at 6:29 AM
To: Kenneth Bingham <w at qrk.us>
Cc: users <users at ovirt.org>
Subject: Re: [ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4



On Tue, Nov 1, 2016 at 11:49 AM, Martin Perina <mperina at redhat.com> wrote:
So first of all, we don't support replacing the oVirt internal CA which is used to sign host certificates. This internal CA is also used to sign the HTTPS certificate by default, but you can provide your own HTTPS certificate signed by a custom CA. The correct steps to do that are (assuming you have your custom CA certificate in PEM format and the HTTPS certificate along with its private key in PKCS12 format):

1. Add your commercially issued certificate to the host-wide trust store.
       cp YOUR-3RD-PARTY-CA-CERT.pem /etc/pki/ca-trust/source/anchors
       update-ca-trust
2. Remove the Apache CA link pointing to the oVirt internal CA.
       rm /etc/pki/ovirt-engine/apache-ca.pem
3. Install your custom certificate (including the complete certificate chain).
       mv YOUR-3RD-PARTY-CA-CERT.pem /etc/pki/ovirt-engine/apache-ca.pem
       mv YOUR-3RD-PARTY-CERT.p12 /etc/pki/ovirt-engine/keys/apache.p12

   The above command was missing in the original steps, thanks Didi for pointing this out.

4. Extract the private key and certificate.
       openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
       openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /etc/pki/ovirt-engine/certs/apache.cer
5. Restart Apache.
       service httpd restart

6. Create a new trust store configuration file.
      vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf

   Add the following content and save the file.

      ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
      ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""

7. Restart the ovirt-engine service.
      systemctl restart ovirt-engine.service

Steps 1, 6 and 7 are new to 4.0; the other steps are the same as in oVirt 3.x.

Also, it's expected that the CA certificate (including the whole CA chain) is properly installed in all clients that access oVirt using HTTP and/or Spice.

Martin Perina




On Thu, Oct 27, 2016 at 10:38 PM, Kenneth Bingham <w at qrk.us> wrote:
That makes sense, but it is also disappointing to realize that oVirt Manager will only trust certificates that itself has issued, and that there is no support for Manager to trust VDSM server certificates issued by another authority.

If I understand you correctly, then the *only* way to install a VDSM host certificate is by registering with Manager at which time a certificate is automatically issued and installed by Manager's built-in certificate authority.


On Thu, Oct 27, 2016 at 3:27 PM Ravi Nori <rnori at redhat.com> wrote:
Since you replaced ca.pem, you need to replace the private key of ca.pem.
Please copy the private key of /etc/pki/ovirt-engine/ca.pem to /etc/pki/ovirt-engine/private/ca.pem and let me know if everything works.

On Thu, Oct 27, 2016 at 2:47 PM, Kenneth Bingham <w at qrk.us> wrote:

Thanks Ravi, that's helpful and I appreciate the precision and attention to detail. I performed similar steps to install a custom certificate for the oVirt Manager GUI. But what about configuring ovirt-engine to trust a certificate issued by the same CA and presented by the VDSM host? On the hypervisor host, I used the existing private key to generate the CSR, issued the server certificate, and installed in three locations before bouncing vdsmd.

On the hypervisor Host server (not the Manager/engine server):
/etc/pki/vdsm/certs/vdsmcert.pem
/etc/pki/vdsm/libvirt-spice/server-cert.pem
/etc/pki/libvirt/clientcert.pem

Now, that host is "non responsive" in Manager because ovirt-engine does not trust the new certificate even though I already performed all of the steps that you describe above, except that I installed the issuer's CA certificate as the trusted entity. I've documented all of the steps I took in this Gist: https://gist.github.com/qrkourier/9c9ac3e8b190dcb91d3767179d5a39ea



On Thu, Oct 27, 2016 at 2:12 PM Ravi Nori <rnori at redhat.com> wrote:
Here is a complete set of instructions that works for me.
You can skip the first few steps of generating the certificate.

Ravi


Generate a self-signed certificate using openssl
======================================
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.pem

Convert a PEM certificate file and a private key to PKCS#12 (.p12)
=====================================================
openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.pem

Extract the key from the bundle
=========================
openssl pkcs12 -in certificate.p12 -nocerts -nodes > apache.key.nopass

Extract the certificate from the bundle
==============================
openssl pkcs12 -in certificate.p12 -nokeys > apache.cer

Create a new Keystore for testing
==========================
keytool -keystore clientkeystore -genkey -alias client

Convert .pem to .der
================
openssl x509 -outform der -in certificate.pem -out certificate.der

Import certificates to keystore
=======================
keytool -import -alias apache -keystore ./clientkeystore -file ./certificate.der

Create Custom conf for ovirt
======================
vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf

Set location of truststore and its password
=================================
ENGINE_HTTPS_PKI_TRUST_STORE="/home/rnori/Downloads/Cert/clientkeystore"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="123456"

Copy the custom certificates
======================
rm /etc/pki/ovirt-engine/apache-ca.pem
cp certificate.pem /etc/pki/ovirt-engine/apache-ca.pem
cp certificate.p12 /etc/pki/ovirt-engine/keys/apache.p12
cp apache.cer /etc/pki/ovirt-engine/certs/apache.cer
cp apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass

Restart engine and httpd
===================
service httpd restart
service ovirt-engine restart
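As an added check (example script, not part of Ravi's or Martin's instructions): once the files are laid out as in the steps above, confirm that the Apache private key matches apache.cer, that apache.cer chains to apache-ca.pem, and that the internal CA's private key still matches ca.pem, before restarting httpd and the engine. The demo directory, throwaway CA and hostname engine.example.test are constructed here; openssl is required.

```shell
#!/bin/sh
# Added example, not from the thread: consistency checks for the files the
# procedure above installs. It catches a key/certificate mismatch before
# httpd or ovirt-engine is restarted, instead of discovering it later as
# "CA certificate and CA private key do not match". Requires openssl.

# 0 when private key $1 belongs to certificate $2 (public keys compared).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# 0 when certificate $2 chains to the CA bundle $1 (apache-ca.pem is
# expected to hold the whole chain).
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check an engine PKI directory laid out as in the steps above
# (default /etc/pki/ovirt-engine); prints the first problem found.
check_engine_pki() {
    d=${1:-/etc/pki/ovirt-engine}
    key_matches_cert "$d/keys/apache.key.nopass" "$d/certs/apache.cer" \
        || { echo "apache.key.nopass does not match apache.cer"; return 1; }
    chain_ok "$d/apache-ca.pem" "$d/certs/apache.cer" \
        || { echo "apache.cer does not chain to apache-ca.pem"; return 1; }
    # The internal CA that signs host certificates must keep its own key;
    # a ca.pem replaced without its key is what the thread's error reports.
    key_matches_cert "$d/private/ca.pem" "$d/ca.pem" \
        || { echo "internal ca.pem does not match private/ca.pem"; return 1; }
    echo "engine PKI consistent"
}

# Constructed demo data for offline use: a throwaway CA and a server
# certificate it issues, laid out like the engine directory.
make_demo_pki() {
    d=$1
    mkdir -p "$d/keys" "$d/certs" "$d/private"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-ca \
        -keyout "$d/private/ca.pem" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=engine.example.test \
        -keyout "$d/keys/apache.key.nopass" -out "$d/apache.csr" 2>/dev/null
    openssl x509 -req -in "$d/apache.csr" -CA "$d/ca.pem" -CAkey "$d/private/ca.pem" \
        -CAcreateserial -days 1 -out "$d/certs/apache.cer" 2>/dev/null
    cp "$d/ca.pem" "$d/apache-ca.pem"
}
```

Run `check_engine_pki` with no argument against a real engine; `make_demo_pki DIR` followed by `check_engine_pki DIR` exercises it on the constructed layout.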

On Thu, Oct 27, 2016 at 5:30 AM, Nicolas Ecarnot <nicolas at ecarnot.net> wrote:
On 27/10/2016 at 00:14, Kenneth Bingham wrote:
I did install a server certificate from a private CA on the engine server for the oVirt 4 Manager GUI, but haven't figured out how to configure engine to trust the same CA which also issued the server certificate presented by vdsm. This is important for us because this is the same server certificate presented by the host when using the console (e.g. websocket console fails silently if the user agent doesn't trust the console server's certificate).

Hello,

Maybe a related bug: on oVirt 4, I followed the same procedure below to install a custom CA, with *SUCCESS*.

Today, I had to reinstall one of the hosts, and it is failing with "CA certificate and CA private key do not match":

http://pastebin.com/9JS05JtJ

Which certificate did we (Kenneth and I) misuse?
What did we do wrong?

Regards,

Nicolas ECARNOT


On Wed, Oct 26, 2016, 16:58 Beckman, Daniel <Daniel.Beckman at ingramcontent.com> wrote:

    We have oVirt 3.6.7 and I am preparing to upgrade to the 4.0.4 release.
    I read the release notes (https://www.ovirt.org/release/4.0.4/) and
    noted comment #4 under “Install / Upgrade from previous version”:

    “If you are using HTTPS certificate signed by custom certificate
    authority, please take a look at https://bugzilla.redhat.com/1336838
    for steps which need to be done after migration to 4.0. Also please
    consult https://bugzilla.redhat.com/1313379 how to setup this custom
    CA for use with virt-viewer clients.”

    So I referred to the first bugzilla
    (https://bugzilla.redhat.com/show_bug.cgi?id=1336838), where it
    states as follows:

    If customer wants to use custom HTTPS certificate signed by
    different CA, then he has to perform following steps:

    1. Install custom CA (that signed HTTPS certificate) into host wide
    truststore (more info can be found in update-ca-trust man page)

    2. Configure HTTPS certificate in Apache (this step is same as in
    previous versions)

    3. Create new configuration file (for example
    /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf) with
    following content:

    ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
    ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""

    4. Restart ovirt-engine service

    I find it humorous that step #1 suggests reading the “man page”,
    which is only slightly better than suggesting to “google” it.

    Has anyone using a custom CA for their HTTPS certificate
    successfully upgraded to oVirt 4? If so, could you share your
    detailed steps? Or can anyone point me to an actual example of this
    procedure? I’m a little nervous about the upgrade if you can’t
    already tell.

    Thanks,

    Daniel

    _______________________________________________
    Users mailing list
    Users at ovirt.org
    http://lists.ovirt.org/mailman/listinfo/users





--
Nicolas ECARNOT



