Re: [ovirt-devel] [missing_subjectAltName] in engine ca certificate?

Wed, 10 May 2017 00:13:51 -0700 

On 05/10/2017 09:07 AM, Yaniv Kaul wrote:
> 
> 
> On Wed, May 10, 2017 at 9:35 AM, Martin Perina <mper...@redhat.com
> <mailto:mper...@redhat.com>> wrote:
> 
>     Does this mean that we need to create new CA for all existing oVirt
>     installations which are not using custom HTTPS certificate signed by
>     external CA?
> 
> 
> No, just a new certificate for Engine, I believe.
> Y.
> 

Probably not even for the engine, but just for the web server.

> 
>     On Sun, May 7, 2017 at 7:37 PM, Nir Soffer <nsof...@redhat.com
>     <mailto:nsof...@redhat.com>> wrote:
> 
>         On Sun, May 7, 2017 at 8:27 PM Dan Kenigsberg <dan...@redhat.com
>         <mailto:dan...@redhat.com>> wrote:
> 
>             On Sun, May 7, 2017 at 8:22 PM, Nir Soffer
>             <nsof...@redhat.com <mailto:nsof...@redhat.com>> wrote:
>             > I imported the certificate from my engine into chrome[1],
>             but Chrome
>             > refuses to use it because:
>             >
>             >     This server could not prove that it is ...; its security
>             >     certificate is from [missing_subjectAltName].
>             >
>             > Same certificate used to work 2 weeks ago, looks like new
>             Chrome
>             > version changed the rules.
>             >
>             > Without importing engine CA, there is no way to upload images
>             > via engine.
>             >
>             > Tested on engine 4.1.1 and 4.1.2 on Centos 7.3.
>             >
>             > Is this  known issue?
>             >
>             > [1] from
>             >
>             
> http://<engine_url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
>             >
>             > Nir
> 
>             https://gerrit.ovirt.org/#/c/74614/
>             <https://gerrit.ovirt.org/#/c/74614/>
> 
>             "This patch is not yet working, but can be used for discussion."
> 
> 
>         Thanks!
> 
>         Do you know how to manually fix engine certificates until we
>         have a working
>         patch?
> 
>         Nir
> 
>         _______________________________________________
>         Devel mailing list
>         Devel@ovirt.org <mailto:Devel@ovirt.org>
>         http://lists.ovirt.org/mailman/listinfo/devel
>         <http://lists.ovirt.org/mailman/listinfo/devel>
> 
> 
> 
>     _______________________________________________
>     Devel mailing list
>     Devel@ovirt.org <mailto:Devel@ovirt.org>
>     http://lists.ovirt.org/mailman/listinfo/devel
>     <http://lists.ovirt.org/mailman/listinfo/devel>
> 
> 
> 
> 
> _______________________________________________
> Devel mailing list
> Devel@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/devel
> 

_______________________________________________
Devel mailing list
Devel@ovirt.org
http://lists.ovirt.org/mailman/listinfo/devel

Reply via email to