[ovirt-users] Replacing engine SSL cert

Yedidyah Bar David didi at redhat.com
Sun Sep 10 09:18:56 UTC 2017


On Sat, Sep 9, 2017 at 9:48 PM, Chris Adams <cma at cmadams.net> wrote:
> I'm writing a script to install a new SSL key/cert pair (from Let's
> Encrypt) for the engine web UI on oVirt 4.1.  I'm looking at this, but
> it's a little confusing.
>
> https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/

You might want to check recent RHV docs:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl

ovirt.org is still not updated, sorry. Patches are welcome :-)

>
> It sounds like steps 1 and 3 are referring to the CA-supplied
> intermediate cert(s), not the actual issued cert for the server.  Is that
> right?

Correct.

>
> Does anything actually use the PKCS12 format file referred to in step 4?

Currently, AFAIK, no.

> I don't normally see that format from regular CAs; they usually provide
> cert+intermediate(s) in PEM format.

Indeed, that's why in the above RHV docs we split it up into two procedures.

>
> With Apache 2.4, it is normal to just put the cert+intermediate(s) chain
> in one file and configure Apache with SSLCertificateFile.  You aren't
> supposed to put the CA-supplied cert in the SSLCACertificateFile like
> oVirt appears to do; that's intended to be used for validating client
> certs, not the intermediate(s) for the server cert.

Searching the net, I also find:

https://stackoverflow.com/questions/1899983/difference-between-sslcacertificatefile-and-sslcertificatechainfile

Seems like this was changed in:

https://gerrit.ovirt.org/15837

But no idea why. Perhaps we wanted the option to allow authentication
by client certs? See e.g.:

http://machacekondra.blogspot.co.il/2016/02/client-certificate-authentication-with.html

If you think that's a problem, please open a bug. Thanks!

>
> It really just looks like the cert+intermediate(s) should go in
> /etc/pki/ovirt-engine/certs/apache.cer, the corresponding key put in
> /etc/pki/ovirt-engine/keys/apache.key.nopass, and then Apache needs to
> be restarted.  Since oVirt doesn't use the engine web UI cert for
> anything internally (right?),

Mostly right.

> do any of the other steps on the above
> page matter?

For step 8, you can search for 'site:bugzilla.redhat.com
ENGINE_HTTPS_PKI_TRUST_STORE'.
There were several bugs about this.

The log collector always _does_ use the https interface, even on local machine.

Best,
-- 
Didi
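The procedure Chris sketches above (leaf cert plus intermediate(s) into /etc/pki/ovirt-engine/certs/apache.cer, the matching key into /etc/pki/ovirt-engine/keys/apache.key.nopass, then restart Apache) is easy to get subtly wrong: a bundle in the wrong order, a forgotten intermediate, or a key that belongs to last quarter's cert all produce a broken HTTPS endpoint only after the restart. The script below is an added example, not code from this thread or from the oVirt project. It runs the checks a practitioner would want before touching the engine files, then installs with a backup. Only the two destination paths come from the thread; the function names, the throwaway test PKI, and the hostname engine.example.test are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not oVirt project code): pre-flight checks and a backup-then-
# install step for a public-CA chain on the engine's Apache. Only the two
# default destination paths are from the thread; everything else is illustrative.
set -u

# Print the N-th PEM certificate (1-based) of a bundle. Apache 2.4 expects the
# server ("leaf") certificate first, followed by the intermediate(s).
nth_cert() {
  awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n{print}
                 /-----END CERTIFICATE-----/{if (c==n) exit}' "$1"
}

# Succeed when the private key in $2 belongs to the first certificate in $1.
# Comparing SubjectPublicKeyInfo blobs works for RSA and EC keys alike.
cert_matches_key() {
  local cert_pub key_pub
  cert_pub=$(nth_cert "$1" 1 | openssl x509 -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed when the leaf (first cert of $1) chains to the trust anchor $2 via the
# intermediates that follow it in $1 and is valid for hostname $3. A bundle with
# the intermediate first, or with no intermediate at all, fails here.
chain_verifies() {
  local bundle="$1" root="$2" host="$3" tmp rc
  tmp=$(mktemp -d) || return 1
  nth_cert "$bundle" 1 > "$tmp/leaf.pem"
  awk '/-----BEGIN CERTIFICATE-----/{c++} c>=2{print}' "$bundle" > "$tmp/intermediates.pem"
  if [ -s "$tmp/intermediates.pem" ]; then
    openssl verify -CAfile "$root" -untrusted "$tmp/intermediates.pem" \
      -verify_hostname "$host" "$tmp/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$root" -verify_hostname "$host" "$tmp/leaf.pem" >/dev/null 2>&1
  fi
  rc=$?
  rm -rf "$tmp"
  return $rc
}

# Replace $2 with the contents of $1. An existing file is backed up and then
# overwritten in place, so its owner and mode survive; a new file gets mode $3.
replace_file() {
  local stamp; stamp=$(date +%Y%m%d%H%M%S)
  if [ -f "$2" ]; then
    cp -p "$2" "$2.$stamp.bak" && cat "$1" > "$2"
  else
    install -m "$3" "$1" "$2"
  fi
}

# Install bundle $1 and unencrypted key $2 after the checks pass. $3 is the
# root to verify against, $4 the engine hostname; $5/$6 override the
# destinations (defaults are the paths from the thread). Restart httpd afterwards.
install_engine_cert() {
  local bundle="$1" key="$2" root="$3" host="$4"
  local cert_dst="${5:-/etc/pki/ovirt-engine/certs/apache.cer}"
  local key_dst="${6:-/etc/pki/ovirt-engine/keys/apache.key.nopass}"
  cert_matches_key "$bundle" "$key" || { echo "key does not match certificate" >&2; return 1; }
  chain_verifies "$bundle" "$root" "$host" || { echo "chain does not verify for $host" >&2; return 1; }
  replace_file "$bundle" "$cert_dst" 0644 || return 1
  replace_file "$key" "$key_dst" 0600 || return 1
}

# Build a throwaway root -> intermediate -> leaf PKI in $1 for hostname $2 so the
# checks can be exercised offline. Constructed test data, not real certificates.
make_test_pki() {
  local d="$1" host="$2"
  mkdir -p "$d" || return 1
  printf '[req]\ndistinguished_name = dn\nprompt = no\nx509_extensions = ca_ext\n[dn]\nCN = placeholder\n[ca_ext]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' > "$d/req.cnf"
  printf 'basicConstraints = critical, CA:TRUE, pathlen:0\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid\n' > "$d/int.ext"
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$host" > "$d/leaf.ext"
  {
    openssl req -x509 -config "$d/req.cnf" -subj "/CN=Test Root" -newkey rsa:2048 -nodes \
      -sha256 -days 3 -keyout "$d/root.key" -out "$d/root.pem" &&
    openssl req -new -config "$d/req.cnf" -subj "/CN=Test Intermediate" -newkey rsa:2048 -nodes \
      -keyout "$d/int.key" -out "$d/int.csr" &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
      -sha256 -days 3 -extfile "$d/int.ext" -out "$d/int.pem" &&
    openssl req -new -config "$d/req.cnf" -subj "/CN=$host" -newkey rsa:2048 -nodes \
      -keyout "$d/leaf.key" -out "$d/leaf.csr" &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
      -sha256 -days 3 -extfile "$d/leaf.ext" -out "$d/leaf.pem" &&
    openssl genrsa -out "$d/other.key" 2048
  } >/dev/null 2>&1 || return 1
  cat "$d/leaf.pem" "$d/int.pem" > "$d/chain.pem"        # correct Apache order
  cat "$d/int.pem" "$d/leaf.pem" > "$d/wrong-order.pem"  # intermediate first: rejected
}
```

On a real engine host the call is `install_engine_cert fullchain.pem privkey.pem root.pem engine.example.com` as root, followed by a restart of Apache (the `httpd` unit on EL7, which is what oVirt 4.1 runs on). The chain check deliberately treats the first certificate as the leaf and everything after it as untrusted intermediates, so the two common mistakes the thread circles around, an intermediate-first bundle and a missing intermediate, both fail before anything is written. Overwriting an existing destination in place rather than replacing the file keeps whatever owner and mode the engine setup gave apache.key.nopass, which this example does not assume.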