[ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4

Martin Perina mperina at redhat.com
Tue Nov 1 11:29:51 UTC 2016


On Tue, Nov 1, 2016 at 11:49 AM, Martin Perina <mperina at redhat.com> wrote:

> So first of all, we don't support replacing oVirt internal CA which is
> used to sign host certificates. This internal CA is also used to sign HTTPS
> certificate by default, but you can provided your own HTTPS certificate
> signed by custom CA. The correct steps how to do that are (assuming you
> have you custom CA certififcate in PEM format and HTTPS ceritificate along
> with private key in PKCS12 format):
>
> 1.  Add your commercially issued certificate to the host-wide trust store.
>        cp YOUR-3RD-PARTY-CA-CERT.pem /etc/pki/ca-trust/source/anchors
>        update-ca-trust
>
> 2. Remove Apache CA link pointing to oVirt internal
>        rm /etc/pki/ovirt-engine/apache-ca.pem
>
> 3. Install your custom certificate (including complete certificate chain)
>        mv YOUR-3RD-PARTY-CA-CERT.pem /etc/pki/ovirt-engine/apache-ca.pem
>

          mv YOUR-3RD-PART-CERT.p12
​​​/etc/pki/ovirt-engine/keys/apache.p12​

The above command was missing in original steps, thanks Didi for pointing
this out.
​


>
> 4. Extract private key and certificate
>
> ​     ​
> openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes
> > /etc/pki/ovirt-engine/keys/apache.key.nopass
> ​       ​
> openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys >
> /etc/pki/ovirt-engine/certs/apache.cer
>
> ​5. Restart Apache
>       service httpd restart
>
> 6. Create a new trust store configuration file.
>       vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
>
>    Add the following content and save the file.
>
>       ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
>       ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
>
> 7. Restart the ovirt-engine service.
>       systemctl restart ovirt-engine.service​
>
>
> ​Steps 1., 6. and 7. are new to 4.0, other steps are same as in oVirt 3.x​
>
> ​Also it's expected that CA certificate (including whole CA chain) is
> properly installed in all clients that access oVirt using HTTP and/or
> Spice.​
>
> ​Martin Perina​
>
>
>
>
> On Thu, Oct 27, 2016 at 10:38 PM, Kenneth Bingham <w at qrk.us> wrote:
>
>> That makes sense, but it is also disappointing to realize that oVirt
>> Manager will only trust certificates that itself has issued, and that there
>> is no support for Manager to trust VDSM server certificates issued by
>> another authority.
>>
>> If I understand you correctly, then the *only* way to install a VDSM host
>> certificate is by registering with Manager at which time a certificate is
>> automatically issued and installed by Manager's built-in certificate
>> authority.
>>
>>
>> On Thu, Oct 27, 2016 at 3:27 PM Ravi Nori <rnori at redhat.com> wrote:
>>
>> Since you replace ca.pem you need to replace the private key of ca.pem
>>
>> Please copy the private key of  /etc/pki/ovirt-engine/ca.pem to
>> /etc/pki/ovirt-engine/private/ca.pem and let me know if everything works
>>
>> On Thu, Oct 27, 2016 at 2:47 PM, Kenneth Bingham <w at qrk.us> wrote:
>>
>>
>> Thanks Ravi, that's helpful and I appreciate the precision and attention
>> to detail. I performed similar steps to install a custom certificate for
>> the oVirt Manager GUI. But what about configuring ovirt-engine to trust a
>> certificate issued by the same CA and presented by the VDSM host? On the
>> hypervisor host, I used the existing private key to generate the CSR,
>> issued the server certificate, and installed in three locations before
>> bouncing vdsmd.
>>
>> On the hypervisor Host server (not the Manager/engine server):
>> /etc/pki/vdsm/certs/vdsmcert.pem
>> /etc/pki/vdsm/libvirt-spice/server-cert.pem
>> /etc/pki/libvirt/clientcert.pem
>>
>> Now, that host is "non responsive" in Manager because ovirt-engine does
>> not trust the new certificate even though I already performed all of the
>> steps that you describe above except that I installed the issuer's CA
>> certificate as the trusted entity. I've documented all of the steps I took in
>> this Gist
>> <https://gist.github.com/qrkourier/9c9ac3e8b190dcb91d3767179d5a39ea>.
>>
>>
>>
>> On Thu, Oct 27, 2016 at 2:12 PM Ravi Nori <rnori at redhat.com> wrote:
>>
>> Here is a complete set of instructions that works for me
>>
>> You can skip the first few steps of generating the certificate.
>>
>> Ravi
>>
>>
>> Generate a self-signed certificate using openssl
>> ======================================
>> openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout
>> privateKey.key -out certificate.pem
>>
>> Convert a PEM certificate file and a private key to PKCS#12 (.p12)
>> =====================================================
>> openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in
>> certificate.pem
>>
>> Extract the key from the bundle
>> =========================
>> openssl pkcs12 -in  certificate.p12 -nocerts -nodes > apache.key.nopass
>>
>> Extract the certificate from the bundle
>> ==============================
>> openssl pkcs12 -in certificate.p12 -nokeys > apache.cer
>>
>> Create a new Keystore for testing
>> ==========================
>> keytool -keystore clientkeystore -genkey -alias client
>>
>> Convert .pem to .der
>> ================
>> openssl x509 -outform der -in certificate.pem -out certificate.der
>>
>> Import certificates to keystore
>> =======================
>> keytool -import -alias apache -keystore ./clientkeystore -file
>> ./certificate.der
>>
>> Create Custom conf for ovirt
>> ======================
>> vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
>>
>> Set location of truststore and its password
>> =================================
>> ENGINE_HTTPS_PKI_TRUST_STORE="/home/rnori/Downloads/Cert/clientkeystore"
>> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="123456"
>>
>> Copy the custom certificates
>> ======================
>> rm /etc/pki/ovirt-engine/apache-ca.pem
>> cp certificate.pem /etc/pki/ovirt-engine/apache-ca.pem
>> cp certificate.p12 /etc/pki/ovirt-engine/keys/apache.p12
>> cp apache.cer /etc/pki/ovirt-engine/certs/apache.cer
>> cp apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass
>>
>> Restart engine and httpd
>> ===================
>> service httpd restart
>> service ovirt-engine restart
>>
>> On Thu, Oct 27, 2016 at 5:30 AM, Nicolas Ecarnot <nicolas at ecarnot.net>
>> wrote:
>>
>> Le 27/10/2016 à 00:14, Kenneth Bingham a écrit :
>>
>> I did install a server certificate from a private CA on the engine
>> server for the oVirt 4 Manager GUI, but haven't figured out how to
>> configure engine to trust the same CA which also issued the server
>> certificate presented by vdsm. This is important for us because this is
>> the same server certificate presented by the host when using the console
>> (e.g. websocket console falls silently if the user agent doesn't trust
>> the console server's certificate).
>>
>>
>> Hello,
>>
>> Maybe related bug : on an oVirt 4, I followed the same procedure below to
>> install a custom CA, with *SUCCESS*.
>>
>> Today, I had to reinstall one of the hosts, and it is failing with :
>> "CA certificate and CA private key do not match" :
>>
>> http://pastebin.com/9JS05JtJ
>>
>> Which certificate did we (Kenneth and I) did we mis-used?
>> What did we do wrong?
>>
>> Regards,
>>
>> Nicolas ECARNOT
>>
>>
>>
>> On Wed, Oct 26, 2016, 16:58 Beckman, Daniel
>> <Daniel.Beckman at ingramcontent.com
>> <mailto:Daniel.Beckman at ingramcontent.com>> wrote:
>>
>>     We have oVirt 3.6.7 and I am preparing to upgrade to 4.0.4 release.
>>     I read the release notes (https://www.ovirt.org/release/4.0.4/) and
>>     noted comment #4 under “Install / Upgrade from previous version”:____
>>
>>     __ __
>>
>>     /If you are using HTTPS certificate signed by custom certificate
>>     authority, please take a look at https://bugzilla.redhat.com/1336838
>>     for steps which need to be done after migration to 4.0. Also please
>>     consult https://bugzilla.redhat.com/1313379 how to setup this custom
>>     CA for use with virt-viewer clients.____/
>>
>>     /__ __/
>>
>>     So I referred to the first bugzilla
>>     (https://bugzilla.redhat.com/show_bug.cgi?id=1336838), where it
>>     states as follows:____
>>
>>     __ __
>>
>>     If customer wants to use custom HTTPS certificate signed by
>>     different CA, then he has to perform following steps: ____
>>
>>     __ __
>>
>>     1. Install custom CA (that signed HTTPS certificate) into host wide
>>     trustore (more info can be found in update-ca-trust man page) ____
>>
>>     __ __
>>
>>     2. Configure HTTPS certificate in Apache (this step is same as in
>>     previous versions) ____
>>
>>     __ __
>>
>>     3. Create new configuration file (for example
>>     /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf) with
>>     following content: ____
>>
>>     ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
>>     ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="" ____
>>
>>     __ __
>>
>>     4. Restart ovirt-engine service____
>>
>>     __ __
>>
>>     I find it humorous that step # 1 suggests reading the “man page”
>>     which is only slightly better than suggesting to “google” it. ____
>>
>>     __ __
>>
>>     Has anyone using a custom CA for their HTTPS certificate
>>     successfully upgraded to oVirt 4? If so could you share your
>>     detailed steps? Or can anyone point me to an actual example of this
>>     procedure? I’m a little nervous about the upgrade if you can’t
>>     already tell. ____
>>
>>     __ __
>>
>>     Thanks,____
>>
>>     Daniel____
>>
>>     _______________________________________________
>>     Users mailing list
>>     Users at ovirt.org <mailto:Users at ovirt.org>
>>     http://lists.ovirt.org/mailman/listinfo/users
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>>
>>
>> --
>> Nicolas ECARNOT
>>
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20161101/f3e7aadb/attachment-0001.html>


More information about the Users mailing list