[ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4

Kenneth Bingham w at qrk.us
Thu Oct 27 20:38:00 UTC 2016

That makes sense, but it is also disappointing to realize that oVirt
Manager will only trust certificates that it has itself issued, and that
there is no support for Manager to trust VDSM server certificates issued
by another authority.

If I understand you correctly, then the *only* way to install a VDSM host
certificate is by registering with Manager at which time a certificate is
automatically issued and installed by Manager's built-in certificate

On Thu, Oct 27, 2016 at 3:27 PM Ravi Nori <rnori at redhat.com> wrote:

Since you replace ca.pem you need to replace the private key of ca.pem

Please copy the private key of /etc/pki/ovirt-engine/ca.pem to
/etc/pki/ovirt-engine/private/ca.pem and let me know if everything works

On Thu, Oct 27, 2016 at 2:47 PM, Kenneth Bingham <w at qrk.us> wrote:

Thanks Ravi, that's helpful and I appreciate the precision and attention to
detail. I performed similar steps to install a custom certificate for the
oVirt Manager GUI. But what about configuring ovirt-engine to trust a
certificate issued by the same CA and presented by the VDSM host? On the
hypervisor host, I used the existing private key to generate the CSR,
issued the server certificate, and installed it in three locations before
bouncing vdsmd.

On the hypervisor Host server (not the Manager/engine server):

Now, that host is "non responsive" in Manager because ovirt-engine does not
trust the new certificate even though I already performed all of the steps
that you describe above except that I installed the issuer's CA certificate
as the trusted entity. I've documented all of the steps I took in this Gist

On Thu, Oct 27, 2016 at 2:12 PM Ravi Nori <rnori at redhat.com> wrote:

Here is a complete set of instructions that works for me

You can skip the first few steps of generating the certificate.


Generate a self-signed certificate using openssl
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.pem

Convert a PEM certificate file and a private key to PKCS#12 (.p12)
openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.pem

Extract the key from the bundle
openssl pkcs12 -in certificate.p12 -nocerts -nodes > apache.key.nopass

Extract the certificate from the bundle
openssl pkcs12 -in certificate.p12 -nokeys > apache.cer

Create a new Keystore for testing
keytool -keystore clientkeystore -genkey -alias client

Convert .pem to .der
openssl x509 -outform der -in certificate.pem -out certificate.der

Import certificates to keystore
keytool -import -alias apache -keystore ./clientkeystore -file certificate.der

Create Custom conf for ovirt
vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf

Set location of truststore and its password

Copy the custom certificates
rm /etc/pki/ovirt-engine/apache-ca.pem
cp certificate.pem /etc/pki/ovirt-engine/apache-ca.pem
cp certificate.p12 /etc/pki/ovirt-engine/keys/apache.p12
cp apache.cer /etc/pki/ovirt-engine/certs/apache.cer
cp apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass

Restart engine and httpd
service httpd restart
service ovirt-engine restart

On Thu, Oct 27, 2016 at 5:30 AM, Nicolas Ecarnot <nicolas at ecarnot.net>

On 27/10/2016 at 00:14, Kenneth Bingham wrote:

I did install a server certificate from a private CA on the engine
server for the oVirt 4 Manager GUI, but haven't figured out how to
configure engine to trust the same CA which also issued the server
certificate presented by vdsm. This is important for us because this is
the same server certificate presented by the host when using the console
(e.g. websocket console fails silently if the user agent doesn't trust
the console server's certificate).


Maybe related bug: on an oVirt 4, I followed the same procedure below to
install a custom CA, with *SUCCESS*.

Today, I had to reinstall one of the hosts, and it is failing with:
"CA certificate and CA private key do not match":


Which certificate did we (Kenneth and I) misuse?
What did we do wrong?



On Wed, Oct 26, 2016, 16:58 Beckman, Daniel <Daniel.Beckman at ingramcontent.com> wrote:

    We have oVirt 3.6.7 and I am preparing to upgrade to 4.0.4 release.
    I read the release notes (https://www.ovirt.org/release/4.0.4/) and
    noted comment #4 under “Install / Upgrade from previous version”:

    If you are using HTTPS certificate signed by custom certificate
    authority, please take a look at https://bugzilla.redhat.com/1336838
    for steps which need to be done after migration to 4.0. Also please
    consult https://bugzilla.redhat.com/1313379 how to setup this custom
    CA for use with virt-viewer clients.

    So I referred to the first bugzilla
    (https://bugzilla.redhat.com/show_bug.cgi?id=1336838), where it
    states as follows:

    If customer wants to use custom HTTPS certificate signed by
    different CA, then he has to perform following steps:

    1. Install custom CA (that signed HTTPS certificate) into host wide
    truststore (more info can be found in update-ca-trust man page)

    2. Configure HTTPS certificate in Apache (this step is same as in
    previous versions)

    3. Create new configuration file (for example
    /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf) with
    following content:

    4. Restart ovirt-engine service

    I find it humorous that step # 1 suggests reading the “man page”
    which is only slightly better than suggesting to “google” it.

    Has anyone using a custom CA for their HTTPS certificate
    successfully upgraded to oVirt 4? If so could you share your
    detailed steps? Or can anyone point me to an actual example of this
    procedure? I’m a little nervous about the upgrade if you can’t
    already tell.



    Users mailing list
    Users at ovirt.org
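A pre-flight check for the step Ravi describes (confirming that /etc/pki/ovirt-engine/ca.pem and /etc/pki/ovirt-engine/private/ca.pem belong together, which is exactly what Nicolas's "CA certificate and CA private key do not match" error is about) and for the truststore file in the bugzilla's step 3, added here as an example and not taken from the thread. It assumes openssl is on PATH; the ENGINE_HTTPS_PKI_TRUST_STORE* key names are the engine's own configuration settings that the quoted step 3 leaves out, and the CA, host certificate and unrelated key it generates are constructed test data.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks before swapping
# /etc/pki/ovirt-engine/ca.pem and /etc/pki/ovirt-engine/private/ca.pem.
# A mismatched pair is what yields "CA certificate and CA private key do
# not match" on host (re)install. Requires openssl in PATH.
set -eu

# ca_key_matches CERT KEY: succeeds when KEY is the private key behind CERT,
# compared via SHA-256 of both SubjectPublicKeyInfo encodings.
ca_key_matches() {
    cert_spki=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_spki=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_spki" = "$key_spki" ]
}

# cert_chains_to CERT CA: succeeds when CERT verifies against CA alone
# (the system trust store is deliberately excluded).
cert_chains_to() {
    openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# write_truststore_conf STORE PASSWORD: prints the body of
# /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf. Key names are
# the engine's ENGINE_HTTPS_PKI_TRUST_STORE* settings (assumption: the
# thread's step 3 does not show them).
write_truststore_conf() {
    printf 'ENGINE_HTTPS_PKI_TRUST_STORE="%s"\n' "$1"
    printf 'ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="%s"\n' "$2"
}

# make_fixture: constructed test data in a temp dir (custom CA, a host cert
# it signed, and an unrelated key); prints the directory.
make_fixture() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Constructed Custom CA" -keyout "$dir/ca.key" \
        -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=host1.example.test" \
        -keyout "$dir/host.key" -out "$dir/host.csr" 2>/dev/null
    openssl x509 -req -in "$dir/host.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
        -out "$dir/host.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -out "$dir/other.key" 2>/dev/null
    printf '%s\n' "$dir"
}

# On a real engine host (paths from Ravi's steps):
#   ca_key_matches /etc/pki/ovirt-engine/ca.pem /etc/pki/ovirt-engine/private/ca.pem
#   cert_chains_to /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/ca.pem
```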