[ovirt-users] Regenerating SSL keys

Yaniv Kaul ykaul at redhat.com
Sun May 14 08:01:40 UTC 2017


On Sat, May 13, 2017 at 2:35 AM, Jamie Lawrence <jlawrence at squaretrade.com>
wrote:

> The key generated by the engine install ended up with a bad CN; it has a
> five-digit number appended to the host name, and no SAN.
>

The 5 random digits are supposed to be OK, and are actually a feature - it
ensures uniqueness if you re-generate (most likely reinstall your Engine),
as otherwise some browsers fail miserably if a CA cert mismatches what they
know.

SAN is being worked on - we are aware of Chrome 58 now requiring it.
I sincerely hope to see it in 4.1.2 (see https://bugzilla.redhat.com/1449084).
Y.



> I've lived with this through setup, but now I'm getting close to prod use,
> and need to clean up so that it is usable for general consumption. And the
> SPICE HTML client is completely busted due to this; that's a problem
> because we're mostly MacOS on the client side, and the Mac Spice client is
> unusable for normal humans.
>
> I'm wary of attempting to regenerate these manually, as I don't have a
> handle on how the keys are used by the various components.
>
> What is the approved method of regenerating these keys?
>
> -j