[ovirt-users] Issue with 4.2.1 RC and SSL

Yedidyah Bar David didi at redhat.com
Mon Feb 12 07:09:59 UTC 2018


On Sun, Feb 11, 2018 at 11:41 PM, ~Stack~ <i.am.stack at gmail.com> wrote:
> On 02/11/2018 02:41 AM, Yedidyah Bar David wrote:
>> On Sun, Feb 11, 2018 at 10:26 AM, Yaniv Kaul <ykaul at redhat.com> wrote:
>>>
>>>
>>> On Sun, Feb 11, 2018 at 2:43 AM, ~Stack~ <i.am.stack at gmail.com> wrote:
>
> [snip]
>
>>>> We decided to just start from scratch and my coworker watched and
>>>> confirmed every step. It works! No problems at all this time. Further
>>>> evidence that I goofed _something_ up the first time.
>>>
>>>
>>> We should really have an Ansible role that performs the conversion to
>>> self-signed certificates.
>>> That would make the conversion easier and safer.
>>
>> +1
>>
>> Not sure "self-signed" is the correct term here. Also the internal
>> engine CA's cert is self-signed.
>>
>> I guess you refer to this:
>>
>> https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/
>>
>> I'd call it "configure-3rd-party-CA" or something like that.
>
> Greetings,
>
> Another +1 from me (obviously! :-).
>
> I also agree in that we are not doing a self-signed cert, but rather
> we've purchased a cert from one of the big-name-CA-vendors that is valid
> for our domain. "configure-3rd-party-CA" makes more sense to me.

Nit: This big-name-CA-vendor's CA cert is most likely also self-signed,
so it's not a mistake to call it "self-signed". The difference between
"self-signed by _me_" and "self-signed by big-name" is mainly a matter of
trust and business relations (between that big-name and you, big-name and
the OS/browser vendors, etc.) and not a technical one.

If you loan a friend $100 for a month, the difference between you and a
big bank is very similar to that above difference...

>
> Lastly, that is the link that I used for a guide.
>
> Thanks!
> ~Stack~
>
>
>



-- 
Didi

