[ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4
Yedidyah Bar David
didi at redhat.com
Thu Nov 3 06:09:03 UTC 2016
On Wed, Nov 2, 2016 at 10:49 PM, Beckman, Daniel
<Daniel.Beckman at ingramcontent.com> wrote:
> Thanks very much for the detailed instructions! I was able to upgrade from
> 3.6.7 to 4.0.4 successfully. Here are some additional notes for those (like
> me) who were already using a custom HTTPS certificate in 3.6:
>
>
>
> On step #3 “b” -- mv YOUR-3RD-PART-CERT.p12
> /etc/pki/ovirt-engine/keys/apache.p12 – I didn’t need to perform this as the
> file was already there from my previous 3.6 configuration; setup had not
> removed it.
>
>
>
> On step #4 – extracting private key and certificate – I didn’t need to
> perform this either; existing files were left intact from version 3.6.
>
>
>
> Restarting Apache and oVirt service was not enough to bring up the web admin
> portal in my case. I had to reboot the server running oVirt engine, after
> which the web admin portal was accessible.
>
>
>
> I recommend backing up /etc/pki in addition to /etc/ovirt-engine prior to
> running setup.
Thanks a lot for the report!
Perhaps you'd like to push a patch to github to update the following page?
http://www.ovirt.org/develop/release-management/features/infra/pki/
Best regards,
>
>
>
> Best,
>
> Daniel
>
>
>
> From: <users-bounces at ovirt.org> on behalf of Martin Perina
> <mperina at redhat.com>
> Date: Tuesday, November 1, 2016 at 6:29 AM
> To: Kenneth Bingham <w at qrk.us>
> Cc: users <users at ovirt.org>
> Subject: Re: [ovirt-users] Upgrading oVirt 3.6 with existing HTTPS
> certificate signed by custom CA to oVirt 4
>
>
>
>
>
>
>
> On Tue, Nov 1, 2016 at 11:49 AM, Martin Perina <mperina at redhat.com> wrote:
>
> So first of all, we don't support replacing oVirt internal CA which is used
> to sign host certificates. This internal CA is also used to sign HTTPS
> certificate by default, but you can provided your own HTTPS certificate
> signed by custom CA. The correct steps how to do that are (assuming you have
> you custom CA certififcate in PEM format and HTTPS ceritificate along with
> private key in PKCS12 format):
>
> 1. Add your commercially issued certificate to the host-wide trust store.
> cp YOUR-3RD-PARTY-CA-CERT.pem /etc/pki/ca-trust/source/anchors
> update-ca-trust
>
> 2. Remove Apache CA link pointing to oVirt internal
> rm /etc/pki/ovirt-engine/apache-ca.pem
>
> 3. Install your custom certificate (including complete certificate chain)
> mv YOUR-3RD-PARTY-CA-CERT.pem /etc/pki/ovirt-engine/apache-ca.pem
>
>
>
> mv YOUR-3RD-PART-CERT.p12 /etc/pki/ovirt-engine/keys/apache.p12
>
> The above command was missing in original steps, thanks Didi for pointing
> this out.
>
>
>
>
>
> 4. Extract private key and certificate
>
>
>
>
> openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes >
> /etc/pki/ovirt-engine/keys/apache.key.nopass
>
>
>
> openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys >
> /etc/pki/ovirt-engine/certs/apache.cer
>
> 5. Restart Apache
> service httpd restart
>
> 6. Create a new trust store configuration file.
> vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
>
> Add the following content and save the file.
>
> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
>
> 7. Restart the ovirt-engine service.
> systemctl restart ovirt-engine.service
>
>
>
> Steps 1., 6. and 7. are new to 4.0, other steps are same as in oVirt 3.x
>
>
>
> Also it's expected that CA certificate (including whole CA chain) is
> properly installed in all clients that access oVirt using HTTP and/or Spice.
>
>
>
> Martin Perina
>
>
>
>
>
>
>
> On Thu, Oct 27, 2016 at 10:38 PM, Kenneth Bingham <w at qrk.us> wrote:
>
> That makes sense, but it is also disappointing to realize that oVirt Manager
> will only trust certificates that itself has issued, and that there is no
> support for Manager to trust VDSM server certificates issued by another
> authority.
>
>
>
> If I understand you correctly, then the *only* way to install a VDSM host
> certificate is by registering with Manager at which time a certificate is
> automatically issued and installed by Manager's built-in certificate
> authority.
>
>
>
>
>
> On Thu, Oct 27, 2016 at 3:27 PM Ravi Nori <rnori at redhat.com> wrote:
>
> Since you replace ca.pem you need to replace the private key of ca.pem
>
> Please copy the private key of /etc/pki/ovirt-engine/ca.pem to
> /etc/pki/ovirt-engine/private/ca.pem and let me know if everything works
>
>
>
> On Thu, Oct 27, 2016 at 2:47 PM, Kenneth Bingham <w at qrk.us> wrote:
>
>
>
> Thanks Ravi, that's helpful and I appreciate the precision and attention to
> detail. I performed similar steps to install a custom certificate for the
> oVirt Manager GUI. But what about configuring ovirt-engine to trust a
> certificate issued by the same CA and presented by the VDSM host? On the
> hypervisor host, I used the existing private key to generate the CSR, issued
> the server certificate, and installed in three locations before bouncing
> vdsmd.
>
>
>
> On the hypervisor Host server (not the Manager/engine server):
>
> /etc/pki/vdsm/certs/vdsmcert.pem
>
> /etc/pki/vdsm/libvirt-spice/server-cert.pem
>
> /etc/pki/libvirt/clientcert.pem
>
>
>
> Now, that host is "non responsive" in Manager because ovirt-engine does not
> trust the new certificate even though I already performed all of the steps
> that you describe above except that I installed the issuer's CA certificate
> as the trusted entity. I've documented all of the steps I took in this Gist.
>
>
>
>
>
>
>
> On Thu, Oct 27, 2016 at 2:12 PM Ravi Nori <rnori at redhat.com> wrote:
>
> Here is a complete set of instructions that works for me
>
> You can skip the first few steps of generating the certificate.
>
>
>
> Ravi
>
>
>
> Generate a self-signed certificate using openssl
> ======================================
> openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout
> privateKey.key -out certificate.pem
>
> Convert a PEM certificate file and a private key to PKCS#12 (.p12)
> =====================================================
> openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in
> certificate.pem
>
> Extract the key from the bundle
> =========================
> openssl pkcs12 -in certificate.p12 -nocerts -nodes > apache.key.nopass
>
> Extract the certificate from the bundle
> ==============================
> openssl pkcs12 -in certificate.p12 -nokeys > apache.cer
>
> Create a new Keystore for testing
> ==========================
> keytool -keystore clientkeystore -genkey -alias client
>
> Convert .pem to .der
> ================
> openssl x509 -outform der -in certificate.pem -out certificate.der
>
> Import certificates to keystore
> =======================
> keytool -import -alias apache -keystore ./clientkeystore -file
> ./certificate.der
>
> Create Custom conf for ovirt
> ======================
> vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
>
> Set location of truststore and its password
> =================================
> ENGINE_HTTPS_PKI_TRUST_STORE="/home/rnori/Downloads/Cert/clientkeystore"
> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="123456"
>
> Copy the custom certificates
> ======================
> rm /etc/pki/ovirt-engine/apache-ca.pem
> cp certificate.pem /etc/pki/ovirt-engine/apache-ca.pem
> cp certificate.p12 /etc/pki/ovirt-engine/keys/apache.p12
> cp apache.cer /etc/pki/ovirt-engine/certs/apache.cer
> cp apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass
>
> Restart engine and httpd
> ===================
> service httpd restart
> service ovirt-engine restart
>
>
>
> On Thu, Oct 27, 2016 at 5:30 AM, Nicolas Ecarnot <nicolas at ecarnot.net>
> wrote:
>
> Le 27/10/2016 à 00:14, Kenneth Bingham a écrit :
>
> I did install a server certificate from a private CA on the engine
> server for the oVirt 4 Manager GUI, but haven't figured out how to
> configure engine to trust the same CA which also issued the server
> certificate presented by vdsm. This is important for us because this is
> the same server certificate presented by the host when using the console
> (e.g. websocket console falls silently if the user agent doesn't trust
> the console server's certificate).
>
>
> Hello,
>
> Maybe related bug : on an oVirt 4, I followed the same procedure below to
> install a custom CA, with *SUCCESS*.
>
> Today, I had to reinstall one of the hosts, and it is failing with :
> "CA certificate and CA private key do not match" :
>
> http://pastebin.com/9JS05JtJ
>
> Which certificate did we (Kenneth and I) did we mis-used?
> What did we do wrong?
>
> Regards,
>
> Nicolas ECARNOT
>
>
>
> On Wed, Oct 26, 2016, 16:58 Beckman, Daniel
> <Daniel.Beckman at ingramcontent.com
> <mailto:Daniel.Beckman at ingramcontent.com>> wrote:
>
> We have oVirt 3.6.7 and I am preparing to upgrade to 4.0.4 release.
> I read the release notes (https://www.ovirt.org/release/4.0.4/) and
> noted comment #4 under “Install / Upgrade from previous version”:____
>
> __ __
>
> /If you are using HTTPS certificate signed by custom certificate
> authority, please take a look at https://bugzilla.redhat.com/1336838
> for steps which need to be done after migration to 4.0. Also please
> consult https://bugzilla.redhat.com/1313379 how to setup this custom
> CA for use with virt-viewer clients.____/
>
> /__ __/
>
> So I referred to the first bugzilla
> (https://bugzilla.redhat.com/show_bug.cgi?id=1336838), where it
> states as follows:____
>
> __ __
>
> If customer wants to use custom HTTPS certificate signed by
> different CA, then he has to perform following steps: ____
>
> __ __
>
> 1. Install custom CA (that signed HTTPS certificate) into host wide
> trustore (more info can be found in update-ca-trust man page) ____
>
> __ __
>
> 2. Configure HTTPS certificate in Apache (this step is same as in
> previous versions) ____
>
> __ __
>
> 3. Create new configuration file (for example
> /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf) with
> following content: ____
>
> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="" ____
>
> __ __
>
> 4. Restart ovirt-engine service____
>
> __ __
>
> I find it humorous that step # 1 suggests reading the “man page”
> which is only slightly better than suggesting to “google” it. ____
>
> __ __
>
> Has anyone using a custom CA for their HTTPS certificate
> successfully upgraded to oVirt 4? If so could you share your
> detailed steps? Or can anyone point me to an actual example of this
> procedure? I’m a little nervous about the upgrade if you can’t
> already tell. ____
>
> __ __
>
> Thanks,____
>
> Daniel____
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org <mailto:Users at ovirt.org>
> http://lists.ovirt.org/mailman/listinfo/users
>
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
>
> --
> Nicolas ECARNOT
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
--
Didi
More information about the Users
mailing list