<div dir="ltr"><div>Hi all,</div><div><br></div><div>I think that I found a way to solve the problem from: <a href="http://lists.ovirt.org/pipermail/users/2018-January/086441.html">http://lists.ovirt.org/pipermail/users/2018-January/086441.html</a> and I'm trying to fix it.<br><br>But my servers are in Production(50%) and I found that are some errors with my SSL Certificates.</div><div><br></div><div>## What I need now? Fixes all certificates problems using my Freeipa generated certificates: vdsmclient* on hosts, ovirt-engine communication ssl certificates on hosted-engine.</div><div><br></div><div>I made with Freeipa(internal) the certificates for ovirt-engine( only apache - self hosted) and Hosts(vsdmclient and vdsmkey....) and replaced using this howto:</div><div><br></div><div><a href="https://gist.github.com/qrkourier/9c9ac3e8b190dcb91d3767179d5a39ea">https://gist.github.com/qrkourier/9c9ac3e8b190dcb91d3767179d5a39ea</a><br></div><div><br></div><div>## Now ovirt-engine can't contact a Host(Non Responsive) with the errors(Yes, I have a Backup from all old certificates):</div><div><br></div><div><i>VDSM host.domain.tld command GetCapabilitiesVDS failed: General SSLEngine problem<br></i></div><div><i><br></i></div><div>On engine.log:</div><div><br></div><div><div><i>2018-01-23 13:33:40,160+01 ERROR [org.ovirt.engine.core.vdsbroker.vdsbroker.GetAllVmStatsVDSCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-23) [] Command 'GetAllVmStatsVDSCommand(HostName = host.domain.tld, VdsIdVDSCommandParametersBase:{hostId='d6bc650b-7edd-4019-b316-54313217880f'})' execution failed: VDSGenericException: VDSNetworkException: General SSLEngine problem</i></div><div><i>2018-01-23 13:33:40,160+01 INFO [org.ovirt.engine.core.vdsbroker.monitoring.PollVmStatsRefresher] (EE-ManagedThreadFactory-engineScheduled-Thread-23) [] Failed to fetch vms info for host 'host.domain.tld' - skipping VMs monitoring.</i></div></div><div><br></div><div><br></div><div>## I read, that ovirt-engine generates certificates for all hosts and it uses his own CA.</div><div><br></div><div><br></div><div>Questions:</div><div><br></div><div>- How can I fix the communication from hosted-engine and vsdm on hosts? Should I copy my Freeipa ca.crt and replace the ca.der file on <i>/etc/pki/ovirt-engine/certs</i>?</div><div><br></div><div>- Should I change the engine.cer certificate from <i>/etc/pki/ovirt-engine/certs </i>with my Certificate made using Freeipa?</div><div><br></div><div>- How to do that properly?</div><div><br></div><div>- Where can I find a complete workflow from SSL Certificates from oVirt? What certificates should I change?</div><div><br></div><div>## I found some links that to me are confusing(or I'm just dumb), I will take my end solution and do a howto to all: </div><div><br></div><div>- <a href="https://www.ovirt.org/develop/release-management/features/infra/pki/">https://www.ovirt.org/develop/release-management/features/infra/pki/</a> - how updated is that? I can't overwrite a ca from ovirt-engine? </div><div><br></div><div>- <a href="https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/">https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/</a> <i>- </i><strong style="font-style:italic;box-sizing:border-box;color:rgb(51,51,51);font-family:"Source Sans Pro","Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif">Note:</strong><span style="color:rgb(51,51,51);font-family:"Source Sans Pro","Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif"><i> Using a commercially issued certificate for HTTPS connections does not affect the certificate used for authentication between your Engine and hosts. They will continue to use the self-signed certificate generated by the Engine... </i></span></div><div><span style="color:rgb(51,51,51);font-family:"Source Sans Pro","Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif"><br></span></div><div><span style="color:rgb(51,51,51);font-family:"Source Sans Pro","Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif">... Well, why I keep receiving errors with the self-signed CA from ovirt-engine and the disk uploads?(</span><font color="#333333" face="Source Sans Pro, Open Sans, Helvetica Neue, Helvetica, Arial, sans-serif"><i>Unable to upload image to disk a-b-c-d-e due to a network error. Make sure ovirt-imageio-proxy service is installed and configured, and ovirt-engine's certificate is registered as a valid CA in the browser. The certificate can be fetched from https://<engine_url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA</i>)</font></div><div><font color="#333333" face="Source Sans Pro, Open Sans, Helvetica Neue, Helvetica, Arial, sans-serif"><br></font></div><div><font color="#333333" face="Source Sans Pro, Open Sans, Helvetica Neue, Helvetica, Arial, sans-serif">Thanks in Advance!</font></div><div><font color="#333333" face="Source Sans Pro, Open Sans, Helvetica Neue, Helvetica, Arial, sans-serif"><br></font></div><div><font color="#333333" face="Source Sans Pro, Open Sans, Helvetica Neue, Helvetica, Arial, sans-serif">Best Regards,</font></div><div><font color="#333333" face="Source Sans Pro, Open Sans, Helvetica Neue, Helvetica, Arial, sans-serif"><br></font></div><div><font color="#333333" face="Source Sans Pro, Open Sans, Helvetica Neue, Helvetica, Arial, sans-serif">Gabriel</font></div><div><font color="#333333" face="Source Sans Pro, Open Sans, Helvetica Neue, Helvetica, Arial, sans-serif">PS: I would help with the oVirt Wiki if needed, I would follow the rhce path and do the rhcs certification too, will be nice to study a lot.</font><span style="color:rgb(51,51,51);font-family:"Source Sans Pro","Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif"> </span></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br><br><br></div><div><br></div><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><span><font color="#888888"><span style="font-family:Calibri,sans-serif;font-size:11pt">Gabriel Stein</span><br><span style="font-family:Calibri,sans-serif;font-size:11pt">------------------------------</span><br><span style="font-family:Calibri,sans-serif;font-size:11pt">Gabriel Ferraz Stein</span><br><span style="font-family:Calibri,sans-serif;font-size:11pt">Tel.: <a value="+4915778816311">+49 (0) 170 2881531</a></span><br></font></span></div></div></div></div></div>
</div>