[ovirt-users] Replacing engine SSL cert
Yedidyah Bar David
didi at redhat.com
Sun Sep 10 09:18:56 UTC 2017
On Sat, Sep 9, 2017 at 9:48 PM, Chris Adams <cma at cmadams.net> wrote:
> I'm writing a script to install a new SSL key/cert pair (from Let's
> Encrypt) for the engine web UI on oVirt 4.1. I'm looking at this, but
> it's a little confusing.
>
> https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/
You might want to check recent RHV docs:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl
ovirt.org is still not updated, sorry. Patches are welcome :-)
>
> It sounds like steps 1 and 3 are referring to the CA-supplied
> intermediate cert(s), not the actual issued cert for the server. Is that
> right?
Correct.
>
> Does anything actually use the PKCS12 format file referred to in step 4?
Currently, AFAIK, no.
> I don't normally see that format from regular CAs; they usually provide
> cert+intermediate(s) in PEM format.
Indeed, that's why in the above RHV docs we split it up into two procedures.
>
> With Apache 2.4, it is normal to just put the cert+intermediate(s) chain
> in one file and configure Apache with SSLCertificateFile. You aren't
> supposed to put the CA-supplied cert in the SSLCACertificateFile like
> oVirt appears to do; that's intended to be used for validating client
> certs, not the intermediate(s) for the server cert.
Searching the net I also find:
https://stackoverflow.com/questions/1899983/difference-between-sslcacertificatefile-and-sslcertificatechainfile
Seems like this was changed in:
https://gerrit.ovirt.org/15837
But no idea why. Perhaps we wanted the option to allow authentication
by client certs? See e.g.:
http://machacekondra.blogspot.co.il/2016/02/client-certificate-authentication-with.html
If you think that's a problem, please open a bug. Thanks!
>
> It really just looks like the cert+intermediate(s) should go in
> /etc/pki/ovirt-engine/certs/apache.cer, the corresponding key put in
> /etc/pki/ovirt-engine/keys/apache.key.nopass, and then Apache needs to
> be restarted. Since oVirt doesn't use the engine web UI cert for
> anything internally (right?),
Mostly right.
> do any of the other steps on the above
> page matter?
For step 8, you can search for 'site:bugzilla.redhat.com ENGINE_HTTPS_PKI_TRUST_STORE'.
There were several bugs about this.
The log collector always _does_ use the https interface, even on the local machine.
Best,
--
Didi
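An added example, not code from this thread or from the oVirt project, of the install step Chris describes with the checks a practitioner would run before overwriting the engine's Apache files: the first cert in the chain must match the key, the key must be unencrypted, the old files are backed up, then httpd is restarted. The two destination paths are the ones quoted above; DESTDIR (a prefix used for offline testing), the backup suffix and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from oVirt. Installs a PEM
# cert+intermediate(s) chain and its key into the engine's Apache paths
# quoted above, after sanity checks. DESTDIR (test prefix), the backup
# suffix and the function names are assumptions of this example.
set -eu

# Number of PEM certificate blocks; a CA-supplied fullchain has 2 or more.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Apache needs the leaf first: openssl x509 reads only the first block, so
# comparing its public key with the key's proves both order and ownership.
key_matches_leaf() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# apache.key.nopass is read at httpd start with no passphrase prompt.
key_has_no_passphrase() {
    ! grep -q 'ENCRYPTED' "$1"
}

# install_engine_cert CHAIN.pem KEY.pem -> backs up and replaces both files.
install_engine_cert() {
    chain="$1"; key="$2"
    cert_dst="${DESTDIR:-}/etc/pki/ovirt-engine/certs/apache.cer"
    key_dst="${DESTDIR:-}/etc/pki/ovirt-engine/keys/apache.key.nopass"
    [ "$(pem_cert_count "$chain")" -ge 1 ] || { echo "no certificate in $chain" >&2; return 1; }
    key_matches_leaf "$chain" "$key" || { echo "first cert in $chain does not match $key" >&2; return 1; }
    key_has_no_passphrase "$key" || { echo "$key is passphrase-protected" >&2; return 1; }
    stamp=$(date +%Y%m%d%H%M%S)
    mkdir -p "$(dirname "$cert_dst")" "$(dirname "$key_dst")"
    for f in "$cert_dst" "$key_dst"; do
        if [ -f "$f" ]; then cp -p "$f" "$f.$stamp.bak"; fi
    done
    install -m 0644 "$chain" "$cert_dst"
    install -m 0600 "$key" "$key_dst"
}

# After restarting httpd, confirm what the engine actually serves.
verify_served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -enddate
}

if [ "$#" -eq 2 ]; then
    install_engine_cert "$1" "$2"
    systemctl restart httpd
fi
```

Run as `./install-engine-cert.sh fullchain.pem privkey.pem` on the engine host, then `verify_served_cert engine.example.com` to confirm the new chain is served.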