[ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4
Nicolas Ecarnot
nicolas at ecarnot.net
Thu Oct 27 09:30:38 UTC 2016
On 27/10/2016 at 00:14, Kenneth Bingham wrote:
> I did install a server certificate from a private CA on the engine
> server for the oVirt 4 Manager GUI, but haven't figured out how to
> configure engine to trust the same CA which also issued the server
> certificate presented by vdsm. This is important for us because this is
> the same server certificate presented by the host when using the console
> (e.g. websocket console fails silently if the user agent doesn't trust
> the console server's certificate).
Hello,
Maybe a related bug: on an oVirt 4, I followed the same procedure below
to install a custom CA, with *SUCCESS*.
Today, I had to reinstall one of the hosts, and it is failing with:
"CA certificate and CA private key do not match":
http://pastebin.com/9JS05JtJ
Which certificate did we (Kenneth and I) misuse?
What did we do wrong?
Regards,
Nicolas ECARNOT
>
>
> On Wed, Oct 26, 2016, 16:58 Beckman, Daniel
> <Daniel.Beckman at ingramcontent.com> wrote:
>
> We have oVirt 3.6.7 and I am preparing to upgrade to 4.0.4 release.
> I read the release notes (https://www.ovirt.org/release/4.0.4/) and
> noted comment #4 under “Install / Upgrade from previous version”:
>
> /If you are using HTTPS certificate signed by custom certificate
> authority, please take a look at https://bugzilla.redhat.com/1336838
> for steps which need to be done after migration to 4.0. Also please
> consult https://bugzilla.redhat.com/1313379 how to setup this custom
> CA for use with virt-viewer clients./
>
> So I referred to the first bugzilla
> (https://bugzilla.redhat.com/show_bug.cgi?id=1336838), where it
> states as follows:
>
> If customer wants to use custom HTTPS certificate signed by
> different CA, then he has to perform following steps:
>
> 1. Install custom CA (that signed HTTPS certificate) into host wide
> truststore (more info can be found in update-ca-trust man page)
>
> 2. Configure HTTPS certificate in Apache (this step is same as in
> previous versions)
>
> 3. Create new configuration file (for example
> /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf) with
> following content:
>
> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
>
> 4. Restart ovirt-engine service
>
> I find it humorous that step # 1 suggests reading the “man page”
> which is only slightly better than suggesting to “google” it.
>
> Has anyone using a custom CA for their HTTPS certificate
> successfully upgraded to oVirt 4? If so could you share your
> detailed steps? Or can anyone point me to an actual example of this
> procedure? I’m a little nervous about the upgrade if you can’t
> already tell.
>
> Thanks,
>
> Daniel
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org <mailto:Users at ovirt.org>
> http://lists.ovirt.org/mailman/listinfo/users
--
Nicolas ECARNOT
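
Added example, not part of the original messages and not oVirt's own code: two OpenSSL checks a practitioner can run when a custom CA is in play, one that tests whether a CA certificate and a private key form a pair (the condition named in the "CA certificate and CA private key do not match" message above) and one that tests whether the HTTPS certificate chains to the custom CA from steps 1 and 2. The function names and the three file arguments are hypothetical, and keys are assumed to be unencrypted PEM.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and file arguments are
# hypothetical; private keys are assumed to be unencrypted PEM files.

# cert_matches_key CERT KEY
# Returns 0 when the public key embedded in CERT equals the public key derived
# from the private KEY, 1 when they differ, 2 when either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # "-passin pass:" makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# cert_chains_to_ca CA_FILE CERT
# Returns 0 when CERT verifies against the CA certificate(s) in CA_FILE.
# OpenSSL may also consult its default CA directory while building the chain.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# report CA_CERT CA_KEY SERVER_CERT
# Prints one line per check and returns 0 only when both checks pass.
report() {
    rc=0
    if cert_matches_key "$1" "$2"; then
        echo "OK    $1 and $2 are a key pair"
    else
        echo "FAIL  $1 and $2 are not a key pair"
        rc=1
    fi
    if cert_chains_to_ca "$1" "$3"; then
        echo "OK    $3 chains to $1"
    else
        echo "FAIL  $3 does not chain to $1"
        rc=1
    fi
    return "$rc"
}

# Run the report only when the three file paths are supplied.
if [ "$#" -eq 3 ]; then
    report "$@"
fi
```

Run it as `sh check.sh CA_CERT CA_KEY SERVER_CERT`, where `check.sh` is whatever name the script was saved under; a FAIL on the first line means the certificate and key passed in were issued for different key pairs.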