<div dir="ltr"><div dir="ltr" class="gmail_msg">That makes sense, but it is also disappointing to realize that oVirt Manager will only trust certificates that itself has issued, and that there is no support for Manager to trust VDSM server certificates issued by another authority.<div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">If I understand you correctly, then the *only* way to install a VDSM host certificate is by registering with Manager at which time a certificate is automatically issued and installed by Manager&#39;s built-in certificate authority.</div><div class="gmail_msg"><br class="gmail_msg"></div></div><br class="gmail_msg"><div class="gmail_quote gmail_msg"><div dir="ltr" class="gmail_msg">On Thu, Oct 27, 2016 at 3:27 PM Ravi Nori &lt;<a href="mailto:rnori@redhat.com" class="gmail_msg" target="_blank">rnori@redhat.com</a>&gt; wrote:<br class="gmail_msg"></div><blockquote class="gmail_quote gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="gmail_msg"><div class="gmail_msg">Since you replace ca.pem you need to replace the private key of ca.pem<br class="gmail_msg"><br class="gmail_msg"></div>Please copy the private key of  /etc/pki/ovirt-engine/ca.pem to /etc/pki/ovirt-engine/private/ca.pem and let me know if everything works<br class="gmail_msg"></div><div class="gmail_extra gmail_msg"><br class="gmail_msg"><div class="gmail_quote gmail_msg">On Thu, Oct 27, 2016 at 2:47 PM, Kenneth Bingham <span dir="ltr" class="gmail_msg">&lt;<a href="mailto:w@qrk.us" class="gmail_msg" target="_blank">w@qrk.us</a>&gt;</span> wrote:<br class="gmail_msg"><blockquote class="gmail_quote gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="gmail_msg"><br class="gmail_msg"><div class="gmail_msg">Thanks Ravi, that&#39;s helpful and I appreciate the precision and attention to detail. 
I performed similar steps to install a custom certificate for the oVirt Manager GUI. But what about configuring ovirt-engine to trust a certificate issued by the same CA and presented by the VDSM host? On the hypervisor host, I used the existing private key to generate the CSR, issued the server certificate, and installed in three locations before bouncing vdsmd.</div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">On the hypervisor Host server (not the Manager/engine server):</div><div class="gmail_msg">/etc/pki/vdsm/certs/vdsmcert.pem</div><div class="gmail_msg">/etc/pki/vdsm/libvirt-spice/server-cert.pem</div><div class="gmail_msg">/etc/pki/libvirt/clientcert.pem</div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">Now, that host is &quot;non responsive&quot; in Manager because ovirt-engine does not trust the new certificate even though I already performed all of the steps that you describe above except that I installed the issuer&#39;s CA certificate as the trusted entity. 
I&#39;ve documented all of the steps I took <a href="https://gist.github.com/qrkourier/9c9ac3e8b190dcb91d3767179d5a39ea" class="gmail_msg" target="_blank">in this Gist</a>.</div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg"><br class="gmail_msg"></div></div><div class="m_7440200668888794961m_2611409000370850777HOEnZb gmail_msg"><div class="m_7440200668888794961m_2611409000370850777h5 gmail_msg"><br class="gmail_msg"><div class="gmail_quote gmail_msg"><div dir="ltr" class="gmail_msg">On Thu, Oct 27, 2016 at 2:12 PM Ravi Nori &lt;<a href="mailto:rnori@redhat.com" class="gmail_msg" target="_blank">rnori@redhat.com</a>&gt; wrote:<br class="gmail_msg"></div><blockquote class="gmail_quote gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><div class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">Here is a complete set of instructions that works for me<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"></div><div class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">You can skip the first few steps of generating the certificate.<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"></div><div class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"></div>Ravi<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><div class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg 
gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">Generate a self-signed certificate using openssl<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">======================================<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.pem<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">Convert a PEM certificate file and a private key to PKCS#12 (.p12)<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">=====================================================<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.pem<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">Extract the key from the bundle <br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">=========================<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">openssl pkcs12 -in  certificate.p12 -nocerts -nodes &gt; apache.key.nopass<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">Extract the certificate from the bundle<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">==============================<br 
class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">openssl pkcs12 -in certificate.p12 -nokeys &gt; apache.cer<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">Create a new Keystore for testing<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">==========================<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">keytool -keystore clientkeystore -genkey -alias client<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">Convert .pem to .der<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">================<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">openssl x509 -outform der -in certificate.pem -out certificate.der<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">Import certificates to keystore<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">=======================<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">keytool -import -alias apache -keystore ./clientkeystore -file ./certificate.der<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">Create Custom conf for ovirt<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">======================<br 
class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">Set location of truststore and its password<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">=================================<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">ENGINE_HTTPS_PKI_TRUST_STORE=&quot;/home/rnori/Downloads/Cert/clientkeystore&quot;<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=&quot;123456&quot;<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">Copy the custom certificates<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">======================<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">rm /etc/pki/ovirt-engine/apache-ca.pem<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">cp certificate.pem /etc/pki/ovirt-engine/apache-ca.pem<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">cp certificate.p12 /etc/pki/ovirt-engine/keys/apache.p12<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">cp apache.cer /etc/pki/ovirt-engine/certs/apache.cer<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">cp apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg 
gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">Restart engine and httpd<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">===================<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">service httpd restart<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">service ovirt-engine restart<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"></div></div><div class="gmail_extra m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><div class="gmail_quote m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">On Thu, Oct 27, 2016 at 5:30 AM, Nicolas Ecarnot <span dir="ltr" class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">&lt;<a href="mailto:nicolas@ecarnot.net" class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg" target="_blank">nicolas@ecarnot.net</a>&gt;</span> wrote:<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><blockquote class="gmail_quote m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">Le 27/10/2016 à 00:14, Kenneth Bingham a écrit :<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<blockquote class="gmail_quote m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I did install a server certificate from a private CA on the engine<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
server for the oVirt 4 Manager GUI, but haven&#39;t figured out how to<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
configure engine to trust the same CA which also issued the server<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
certificate presented by vdsm. This is important for us because this is<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
the same server certificate presented by the host when using the console<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
(e.g. websocket console fails silently if the user agent doesn&#39;t trust<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
the console server&#39;s certificate).<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
</blockquote>
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"></span>
Hello,<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
Maybe related bug : on an oVirt 4, I followed the same procedure below to install a custom CA, with *SUCCESS*.<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
Today, I had to reinstall one of the hosts, and it is failing with :<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
&quot;CA certificate and CA private key do not match&quot; :<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<a href="http://pastebin.com/9JS05JtJ" rel="noreferrer" class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg" target="_blank">http://pastebin.com/9JS05JtJ</a><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
Which certificate did we (Kenneth and I) misuse?<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
What did we do wrong?<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
Regards,<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
Nicolas ECARNOT<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<blockquote class="gmail_quote m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
On Wed, Oct 26, 2016, 16:58 Beckman, Daniel<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
&lt;<a href="mailto:Daniel.Beckman@ingramcontent.com" class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg" target="_blank">Daniel.Beckman@ingramcontent.com</a><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"></span><span class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
&lt;mailto:<a href="mailto:Daniel.Beckman@ingramcontent.com" class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg" target="_blank">Daniel.Beckman@ingramcontent.com</a>&gt;&gt; wrote:<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    We have oVirt 3.6.7 and I am preparing to upgrade to 4.0.4 release.<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    I read the release notes (<a href="https://www.ovirt.org/release/4.0.4/" rel="noreferrer" class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg" target="_blank">https://www.ovirt.org/release/4.0.4/</a>) and<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"></span>
    noted comment #4 under “Install / Upgrade from previous version”:<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    /If you are using HTTPS certificate signed by custom certificate<span class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    authority, please take a look at <a href="https://bugzilla.redhat.com/1336838" rel="noreferrer" class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg" target="_blank">https://bugzilla.redhat.com/1336838</a><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    for steps which need to be done after migration to 4.0. Also please<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    consult <a href="https://bugzilla.redhat.com/1313379" rel="noreferrer" class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg" target="_blank">https://bugzilla.redhat.com/1313379</a> how to setup this custom<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"></span>
    CA for use with virt-viewer clients./<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    <span class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    So I referred to the first bugzilla<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    (<a href="https://bugzilla.redhat.com/show_bug.cgi?id=1336838" rel="noreferrer" class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1336838</a>), where it<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"></span>
    states as follows:<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    <span class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    If customer wants to use custom HTTPS certificate signed by<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"></span>
    different CA, then he has to perform following steps:<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    <span class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    1. Install custom CA (that signed HTTPS certificate) into host wide<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"></span>
    truststore (more info can be found in update-ca-trust man page)<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    <span class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    2. Configure HTTPS certificate in Apache (this step is same as in<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"></span>
    previous versions)<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    <span class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    3. Create new configuration file (for example<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf) with<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"></span>
    following content:<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    ENGINE_HTTPS_PKI_TRUST_STORE=&quot;/etc/pki/java/cacerts&quot;<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=&quot;&quot;<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    4. Restart ovirt-engine service<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    <span class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    I find it humorous that step # 1 suggests reading the “man page”<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"></span>
    which is only slightly better than suggesting to “google” it.<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    <span class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    Has anyone using a custom CA for their HTTPS certificate<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    successfully upgraded to oVirt 4? If so could you share your<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    detailed steps? Or can anyone point me to an actual example of this<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    procedure? I’m a little nervous about the upgrade if you can’t<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"></span>
    already tell.<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    Thanks,<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    Daniel<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    _______________________________________________<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    Users mailing list<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    <a href="mailto:Users@ovirt.org" class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg" target="_blank">Users@ovirt.org</a> &lt;mailto:<a href="mailto:Users@ovirt.org" class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg" target="_blank">Users@ovirt.org</a>&gt;<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
    <a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><span class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
</span></blockquote><span class="m_7440200668888794961m_2611409000370850777m_-980879755636344940m_-4789423380628271279HOEnZb m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><font class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg" color="#888888">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
<br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
-- <br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
Nicolas ECARNOT</font></span><div class="m_7440200668888794961m_2611409000370850777m_-980879755636344940m_-4789423380628271279HOEnZb m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><div class="m_7440200668888794961m_2611409000370850777m_-980879755636344940m_-4789423380628271279h5 m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg">
</div></div></blockquote></div><br class="m_7440200668888794961m_2611409000370850777m_-980879755636344940gmail_msg gmail_msg"></div>
</blockquote></div>
</div></div></blockquote></div><br class="gmail_msg"></div>
</blockquote></div></div>
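<p>Added example, not part of any message in this thread: a pre-flight check for the two failures discussed above, a CA certificate whose private key was not replaced with it ("CA certificate and CA private key do not match") and a host certificate that the CA in use did not issue. The function names and the throwaway PKI built in a temporary directory are constructed for illustration, and keys are assumed to be unencrypted PEM as produced by the thread's <code>-nodes</code> commands.</p>

```shell
#!/usr/bin/env bash
# Added example (not from the thread): checks to run after replacing PKI files
# and before restarting services. All helper names here are hypothetical.

# Returns 0 if the private key in $2 belongs to the certificate in $1,
# 1 if the public keys differ, 2 if either file cannot be parsed.
cert_key_match() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 only if the certificate in $2 verifies against the CA file in $1.
# -no-CApath keeps the system CA directory out of the decision.
issued_by_ca() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Runs both checks and reports each result; returns non-zero if any failed.
# $1 = CA certificate, $2 = CA private key, $3 = host certificate
preflight() {
    local rc=0
    if cert_key_match "$1" "$2"; then
        echo "OK    CA certificate and CA private key match"
    else
        echo "FAIL  CA certificate and CA private key do not match"
        rc=1
    fi
    if issued_by_ca "$1" "$3"; then
        echo "OK    host certificate was issued by this CA"
    else
        echo "FAIL  host certificate was not issued by this CA"
        rc=1
    fi
    return "$rc"
}

# Builds constructed sample input in directory $1:
#   ca.pem/ca.key       self-signed test CA
#   host.pem/host.key   host certificate issued by that CA
#   other.pem/other.key unrelated self-signed certificate and key
make_sample_pki() {
    local d=$1
    openssl req -x509 -sha256 -nodes -days 1 -newkey rsa:2048 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1 &&
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/CN=host.example.test" \
        -keyout "$d/host.key" -out "$d/host.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/host.pem" >/dev/null 2>&1 &&
    openssl req -x509 -sha256 -nodes -days 1 -newkey rsa:2048 \
        -subj "/CN=Unrelated Self-Signed" \
        -keyout "$d/other.key" -out "$d/other.pem" >/dev/null 2>&1
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_sample_pki "$tmp"

echo "== consistent set =="
preflight "$tmp/ca.pem" "$tmp/ca.key" "$tmp/host.pem"

echo "== CA cert replaced, old key left behind, host cert from elsewhere =="
preflight "$tmp/ca.pem" "$tmp/other.key" "$tmp/other.pem" || true
```

On an engine server the arguments would be /etc/pki/ovirt-engine/ca.pem, /etc/pki/ovirt-engine/private/ca.pem and a copy of the host's /etc/pki/vdsm/certs/vdsmcert.pem, the paths named in the thread.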