[ovirt-users] Replacing engine SSL cert

Chris Adams cma at cmadams.net
Sat Sep 9 18:48:06 UTC 2017


I'm writing a script to install a new SSL key/cert pair (from Let's
Encrypt) for the engine web UI on oVirt 4.1.  I'm looking at this, but
it's a little confusing.

https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/

It sounds like steps 1 and 3 are referring to the CA-supplied
intermediate cert(s), not the actual issued cert for the server.  Is that
right?

Does anything actually use the PKCS12 format file referred to in step 4?
I don't normally see that format from regular CAs; they usually provide
cert+intermediate(s) in PEM format.

With Apache 2.4, it is normal to just put the cert+intermediate(s) chain
in one file and configure Apache with SSLCertificateFile.  You aren't
supposed to put the CA-supplied cert in the SSLCACertificateFile like
oVirt appears to do; that's intended to be used for validating client
certs, not the intermediate(s) for the server cert.

It really just looks like the cert+intermediate(s) should go in
/etc/pki/ovirt-engine/certs/apache.cer, the corresponding key put in
/etc/pki/ovirt-engine/keys/apache.key.nopass, and then Apache needs to
be restarted.  Since oVirt doesn't use the engine web UI cert for
anything internally (right?), do any of the other steps on the above
page matter?

-- 
Chris Adams <cma at cmadams.net>
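
A structural pre-install check for the two files named in the message above (the cert+intermediate(s) file and the `.nopass` key file), added here as an example; it is not part of the original post or of oVirt. The function names and the sample PEM data are constructed for illustration, and the check assumes a chain of server cert plus at least one intermediate. It does not verify that the key matches the certificate or that the chain validates.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, headers, der_bytes)] for every PEM block in text."""
    out = []
    for label, body in PEM_RE.findall(text):
        lines = body.splitlines()
        # Legacy encrypted keys carry headers such as "Proc-Type: 4,ENCRYPTED".
        headers = [ln for ln in lines if ":" in ln]
        b64 = "".join(ln.strip() for ln in lines if ln.strip() and ":" not in ln)
        out.append((label, headers, base64.b64decode(b64, validate=True)))
    return out

def check_pair(chain_pem, key_pem):
    """Return a list of problems; empty means the two files look installable."""
    problems = []
    chain = pem_blocks(chain_pem)
    certs = [b for b in chain if b[0] == "CERTIFICATE"]
    if any("PRIVATE KEY" in b[0] for b in chain):
        problems.append("chain file contains a private key")
    if not certs:
        problems.append("chain file has no certificate")
    elif len(certs) == 1:
        problems.append("chain file has no intermediate after the server cert")
    if any(not der.startswith(b"\x30") for _, _, der in certs):
        problems.append("a certificate block is not a DER SEQUENCE")
    keys = [b for b in pem_blocks(key_pem) if "PRIVATE KEY" in b[0]]
    if len(keys) != 1:
        problems.append("key file must hold exactly one private key")
    for label, headers, _ in keys:
        # A passphrase-protected key would make an unattended Apache restart fail.
        if label.startswith("ENCRYPTED") or any("ENCRYPTED" in h for h in headers):
            problems.append("private key is passphrase-protected")
    return problems

def make_pem(label, der):  # constructed sample material, not a real key or cert
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, base64.b64encode(der).decode(), label)

FAKE_DER = b"\x30\x03\x02\x01\x01"  # constructed: a tiny DER SEQUENCE
GOOD_CHAIN = make_pem("CERTIFICATE", FAKE_DER) + make_pem("CERTIFICATE", FAKE_DER)
GOOD_KEY = make_pem("PRIVATE KEY", FAKE_DER)
ENC_KEY = make_pem("ENCRYPTED PRIVATE KEY", FAKE_DER)
```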

