[ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4

Kenneth Bingham w at qrk.us
Wed Oct 26 22:14:51 UTC 2016


I did install a server certificate from a private CA on the engine server
for the oVirt 4 Manager GUI, but haven't figured out how to configure
engine to trust the same CA which also issued the server certificate
presented by vdsm. This is important for us because this is the same server
certificate presented by the host when using the console (e.g. websocket
console fails silently if the user agent doesn't trust the console server's
certificate).

On Wed, Oct 26, 2016, 16:58 Beckman, Daniel <
Daniel.Beckman at ingramcontent.com> wrote:

> We have oVirt 3.6.7 and I am preparing to upgrade to 4.0.4 release. I read
> the release notes (https://www.ovirt.org/release/4.0.4/) and noted
> comment #4 under “Install / Upgrade from previous version”:
>
>
>
> *If you are using HTTPS certificate signed by custom certificate
> authority, please take a look at https://bugzilla.redhat.com/1336838
> for steps which need to be done after
> migration to 4.0. Also please consult https://bugzilla.redhat.com/1313379
> how to setup this custom CA for use
> with virt-viewer clients.*
>
>
>
> So I referred to the first bugzilla (
> https://bugzilla.redhat.com/show_bug.cgi?id=1336838), where it states as
> follows:
>
>
>
> If customer wants to use custom HTTPS certificate signed by different CA,
> then he has to perform following steps:
>
>
>
> 1. Install custom CA (that signed HTTPS certificate) into host wide
> truststore (more info can be found in update-ca-trust man page)
>
>
>
> 2. Configure HTTPS certificate in Apache (this step is same as in previous
> versions)
>
>
>
> 3. Create new configuration file (for example
> /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf) with following
> content:
>
> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
>
>
>
> 4. Restart ovirt-engine service
>
>
>
> I find it humorous that step # 1 suggests reading the “man page” which is
> only slightly better than suggesting to “google” it.
>
>
>
> Has anyone using a custom CA for their HTTPS certificate successfully
> upgraded to oVirt 4? If so could you share your detailed steps? Or can
> anyone point me to an actual example of this procedure? I’m a little
> nervous about the upgrade if you can’t already tell.
>
>
>
> Thanks,
>
> Daniel
>
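Steps 1, 3 and 4 of the Bugzilla procedure quoted above, as an added shell example (not part of the original thread and not oVirt project code). It assumes a RHEL/CentOS engine host where CA anchors live in /etc/pki/ca-trust/source/anchors and `update-ca-trust extract` rebuilds the bundles, and that engine.conf.d files are applied in lexical order; the function names and the ROOT staging prefix are hypothetical. Step 2 (the Apache certificate) is unchanged from earlier versions and is not covered.

```shell
#!/bin/sh
# Added example. ROOT is a hypothetical staging prefix: empty means the live
# system (run as root); any other value only stages files under that directory.
CONF_REL=etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
ANCHORS_REL=etc/pki/ca-trust/source/anchors   # RHEL/CentOS anchor dir (assumed)

# Step 1: add the custom CA (PEM file) to the host-wide trust store.
install_ca() {   # install_ca CA_PEM [ROOT]
    ca=$1; root=${2:-}
    grep -q 'BEGIN CERTIFICATE' "$ca" || { echo "not a PEM cert: $ca" >&2; return 1; }
    mkdir -p "$root/$ANCHORS_REL" && cp "$ca" "$root/$ANCHORS_REL/" || return 1
    # Rebuilds the extracted bundles, including the Java one; live system only.
    [ -n "$root" ] || update-ca-trust extract
}

# Step 3: write the override file exactly as given in the Bugzilla comment.
write_truststore_conf() {   # write_truststore_conf [ROOT]
    root=${1:-}
    mkdir -p "$root/${CONF_REL%/*}" || return 1
    cat > "$root/$CONF_REL" <<'EOF'
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
EOF
}

# Print the value of KEY that wins across engine.conf.d/*.conf, assuming later
# files in lexical order override earlier ones (hence the 99- prefix).
effective_setting() {   # effective_setting KEY [ROOT]
    key=$1; root=${2:-}; val=
    for f in "$root/${CONF_REL%/*}"/*.conf; do
        [ -f "$f" ] || continue
        line=$(grep "^$key=" "$f" | tail -n 1)
        [ -z "$line" ] || val=${line#*=}
    done
    val=${val#\"}; val=${val%\"}
    printf '%s\n' "$val"
}

# Steps 1 and 3, a check that no later file overrides the setting, then step 4.
apply_steps() {   # apply_steps CA_PEM [ROOT]
    install_ca "$1" "${2:-}" && write_truststore_conf "${2:-}" || return 1
    [ "$(effective_setting ENGINE_HTTPS_PKI_TRUST_STORE "${2:-}")" = /etc/pki/java/cacerts ] \
        || { echo "trust store setting is overridden by a later file" >&2; return 1; }
    # Step 4: restart the engine so it rereads engine.conf.d; live system only.
    [ -n "${2:-}" ] || systemctl restart ovirt-engine
}
```

Running `apply_steps /path/to/ca.pem /tmp/stage` first stages the files under /tmp/stage so they can be inspected before the same call is made without the second argument on the engine host.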

