Re: [Users] replacing self-signed certificates

2013-11-21 Thread i iordanov
Hi Itamar,

On Wed, Nov 20, 2013 at 2:54 PM, Itamar Heim wrote:

> iordan - maybe wikify for future generations?
>

I don't see why not! Once I verify the procedure I'll get an account to
edit the wiki.

Cheers,
iordan
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [Users] replacing self-signed certificates

2013-11-20 Thread Itamar Heim

On 11/20/2013 08:58 PM, i iordanov wrote:
> Thanks Alon and Thomas!
>
> iordan

iordan - maybe wikify for future generations?

thanks,
   Itamar

> On Wed, Nov 20, 2013 at 1:51 PM, Alon Bar-Lev <alo...@redhat.com> wrote:
>
> > - Original Message -
> > > From: "i iordanov" <iiorda...@gmail.com>
> > > To: users@ovirt.org
> > > Sent: Wednesday, November 20, 2013 6:50:04 PM
> > > Subject: [Users] replacing self-signed certificates
> > >
> > > Hello,
> > >
> > > I searched around but could not come up with specific instructions
> > > for how to replace the self-signed certificates in an oVirt 3.3 setup
> > > with non-self-signed certificates. I need to ensure that my oVirt/SPICE
> > > client actually does the right thing when connecting to a machine with
> > > a 3rd party signed certificate.
> > >
> > > Presumably, I would be able to adapt the instructions provided here:
> > > http://www.ovirt.org/How_to_change_engine_host_name
> > >
> > > right? Which steps need to be modified? If I hammer at it long enough,
> > > I would probably succeed in getting it to work at some point, but I was
> > > hoping for somebody more experienced to help me over the initial hurdle.
> > >
> > > In case I have to reinstall to use non-self-signed certificates, how
> > > do I go about preparing the environment prior to running engine-setup?
> >
> > Usually there is no need to replace any other certificate than the
> > certificate that is used for the Apache frontend.
> >
> > No need to touch the SPICE and other certificates and keys.
> >
> > Replace /etc/pki/ovirt-engine/apache-ca.pem with your 3rd party CA
> > certificate chain.
> > Replace /etc/pki/ovirt-engine/keys/apache.p12 with your key store.
> > Extract the key from apache.p12 to
> > /etc/pki/ovirt-engine/keys/apache.key.nopass; do not protect it with a
> > password.
> > Extract the certificate from apache.p12 to
> > /etc/pki/ovirt-engine/certs/apache.cer
> >
> > Alternatively, you can configure mod_ssl as you wish.
> >
> > Once you do this, if you have ovirt-node already installed, delete
> > /etc/pki/vdsm/certs/engine_web_ca.pem to allow fetching the SSL trust
> > and allow registration in the future.
> >
> > Regards,
> > Alon Bar-Lev.
>
> --
> The conscious mind has only one thread of execution.


Re: [Users] replacing self-signed certificates

2013-11-20 Thread i iordanov
Thanks Alon and Thomas!

iordan


On Wed, Nov 20, 2013 at 1:51 PM, Alon Bar-Lev wrote:

>
>
> - Original Message -
> > From: "i iordanov" 
> > To: users@ovirt.org
> > Sent: Wednesday, November 20, 2013 6:50:04 PM
> > Subject: [Users] replacing self-signed certificates
> >
> > Hello,
> >
> > I searched around but could not come up with specific instructions for
> how to
> > replace the self-signed certificates in an oVirt 3.3 setup with
> > non-self-signed certificates. I need to ensure that my oVirt/SPICE client
> > actually does the right thing when connecting to a machine with a 3rd
> party
> > signed certificate.
> >
> > Presumably, I would be able to adapt the instructions provided here:
> > http://www.ovirt.org/How_to_change_engine_host_name
> >
> > right? Which steps need to be modified? If I hammer at it long enough, I
> > would probably succeed in getting it to work at some point, but I was
> hoping
> > for somebody more experienced to help me over the initial hurdle.
> >
> > In case I have to reinstall to use non-self-signed certificates, how do
> I go
> > about preparing the environment prior to running engine-setup?
>
> Usually there is no need to replace any other certificate than the
> certificate that is used for the Apache frontend.
>
> No need to touch the SPICE and other certificates and keys.
>
> Replace /etc/pki/ovirt-engine/apache-ca.pem with your 3rd party CA
> certificate chain.
> Replace /etc/pki/ovirt-engine/keys/apache.p12 with your key store.
> Extract the key from apache.p12 to
> /etc/pki/ovirt-engine/keys/apache.key.nopass; do not protect it with a
> password.
> Extract the certificate from apache.p12 to
> /etc/pki/ovirt-engine/certs/apache.cer
>
> Alternatively, you can configure mod_ssl as you wish.
>
> Once you do this, if you have ovirt-node already installed, delete
> /etc/pki/vdsm/certs/engine_web_ca.pem to allow fetching the SSL trust and
> allow registration in the future.
>
> Regards,
> Alon Bar-Lev.
>



-- 
The conscious mind has only one thread of execution.


Re: [Users] replacing self-signed certificates

2013-11-20 Thread Alon Bar-Lev


- Original Message -
> From: "i iordanov" 
> To: users@ovirt.org
> Sent: Wednesday, November 20, 2013 6:50:04 PM
> Subject: [Users] replacing self-signed certificates
> 
> Hello,
> 
> I searched around but could not come up with specific instructions for how to
> replace the self-signed certificates in an oVirt 3.3 setup with
> non-self-signed certificates. I need to ensure that my oVirt/SPICE client
> actually does the right thing when connecting to a machine with a 3rd party
> signed certificate.
> 
> Presumably, I would be able to adapt the instructions provided here:
> http://www.ovirt.org/How_to_change_engine_host_name
> 
> right? Which steps need to be modified? If I hammer at it long enough, I
> would probably succeed in getting it to work at some point, but I was hoping
> for somebody more experienced to help me over the initial hurdle.
> 
> In case I have to reinstall to use non-self-signed certificates, how do I go
> about preparing the environment prior to running engine-setup?

Usually there is no need to replace any other certificate than the
certificate that is used for the Apache frontend.

No need to touch the SPICE and other certificates and keys.

Replace /etc/pki/ovirt-engine/apache-ca.pem with your 3rd party CA
certificate chain.
Replace /etc/pki/ovirt-engine/keys/apache.p12 with your key store.
Extract the key from apache.p12 to
/etc/pki/ovirt-engine/keys/apache.key.nopass; do not protect it with a
password.
Extract the certificate from apache.p12 to
/etc/pki/ovirt-engine/certs/apache.cer

Alternatively, you can configure mod_ssl as you wish.

Once you do this, if you have ovirt-node already installed, delete
/etc/pki/vdsm/certs/engine_web_ca.pem to allow fetching the SSL trust and
allow registration in the future.

Regards,
Alon Bar-Lev.


Re: [Users] replacing self-signed certificates

2013-11-20 Thread i iordanov
Hi Thomas,

Thanks for your response! This goes a long way, however there is still the
unknown where ovirt-engine takes the SPICE certificate and CA from.

Can somebody confirm that replacing just the files referenced in the apache
configuration will be sufficient?

Thanks!
iordan


On Wed, Nov 20, 2013 at 1:00 PM, Thomas Suckow wrote:

> I don't know about the native SPICE client, but here is what I did for
> apache and the websocket proxy:
>
> In /etc/httpd/conf.d/ssl.conf it lists
> SSLCertificateFile
> SSLCertificateKeyFile
> SSLCertificateChainFile
> SSLCACertificateFile
>
> Those are the files you need to replace for the web interface. My certs
> were combined, so I actually only use SSLCertificateFile and
> SSLCertificateChainFile.
>
> NOTE: If you modify ssl.conf, the path /etc/pki/ovirt-engine/apache-ca.pem
> is used by ovirt-iso-uploader. Uploads will fail unless you replace/symlink
> that file or specify a CA certificate on the command line. I actually
> linked to my chain file and it seems to be happy.
>
>
>
> Websocket Proxy:
>
> /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf defines the
> certificates.
>
> The websocket proxy needs a combined certificate file with your cert and
> the entire chain for SSL_CERTIFICATE.
> SSL_KEY is just the unencrypted key, and it MUST be accessible by the
> ovirt user.
>
>
>
> As for spice, I am not sure, I am guessing it is
> /etc/pki/ovirt-engine/keys/engine_id_rsa and
> /etc/pki/ovirt-engine/keys/certs/engine.cer
> Not sure where they are referenced except by the websocket proxy.
>
> --
> Thomas



-- 
The conscious mind has only one thread of execution.


Re: [Users] replacing self-signed certificates

2013-11-20 Thread Thomas Suckow
I don't know about the native SPICE client, but here is what I did for 
apache and the websocket proxy:


In /etc/httpd/conf.d/ssl.conf it lists
SSLCertificateFile
SSLCertificateKeyFile
SSLCertificateChainFile
SSLCACertificateFile

Those are the files you need to replace for the web interface. My certs
were combined, so I actually only use SSLCertificateFile and
SSLCertificateChainFile.


NOTE: If you modify ssl.conf, the path 
/etc/pki/ovirt-engine/apache-ca.pem is used by ovirt-iso-uploader. 
Uploads will fail unless you replace/symlink that file or specify a CA 
certificate on the command line. I actually linked to my chain file and 
it seems to be happy.




Websocket Proxy:

/etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf defines the 
certificates.


The websocket proxy needs a combined certificate file with your cert and
the entire chain for SSL_CERTIFICATE.
SSL_KEY is just the unencrypted key, and it MUST be accessible by the
ovirt user.




As for spice, I am not sure, I am guessing it is
/etc/pki/ovirt-engine/keys/engine_id_rsa and
/etc/pki/ovirt-engine/keys/certs/engine.cer

Not sure where they are referenced except by the websocket proxy.

--
Thomas
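Added example, not from the thread or from oVirt: it rehearses Alon's PKCS#12 extraction steps (apache.key.nopass, apache.cer) and then checks what Thomas's ssl.conf directives will be fed, namely that the certificate chains to apache-ca.pem and that the extracted key belongs to it. It assumes `openssl` on PATH; the scratch directory, the "Test CA", the hostname and the export password are constructed stand-ins for the real /etc/pki/ovirt-engine files.

```shell
#!/bin/sh
# Added example, not from the thread. Rehearses Alon's PKCS#12 extraction
# steps in a scratch directory standing in for /etc/pki/ovirt-engine and
# checks the result before anything on the engine is overwritten.
set -eu
WORK=$(mktemp -d)          # stand-in for /etc/pki/ovirt-engine (constructed)
P12PASS=changeit           # constructed export password for the key store

# Constructed stand-in for the third-party CA and the engine's server cert.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/apache-ca.pem" -subj "/CN=Test CA" -days 1 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=engine.example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/apache-ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" \
    -days 1 2>/dev/null
  # The key store that would be dropped in as keys/apache.p12
  openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
    -certfile "$WORK/apache-ca.pem" -out "$WORK/apache.p12" \
    -passout "pass:$P12PASS"
}

# Alon's two extraction steps: unencrypted key and server cert out of the
# PKCS#12 (-clcerts keeps the CA certificate out of apache.cer).
extract_from_p12() {
  umask 077   # the key is unencrypted, so keep it readable by its owner only
  openssl pkcs12 -in "$WORK/apache.p12" -passin "pass:$P12PASS" \
    -nocerts -nodes -out "$WORK/apache.key.nopass" 2>/dev/null
  openssl pkcs12 -in "$WORK/apache.p12" -passin "pass:$P12PASS" \
    -clcerts -nokeys -out "$WORK/apache.cer" 2>/dev/null
}

# Checks to run before restarting httpd: apache.cer chains to apache-ca.pem,
# and the extracted key really belongs to the extracted certificate.
verify_pair() {
  openssl verify -CAfile "$WORK/apache-ca.pem" "$WORK/apache.cer" \
    >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$WORK/apache.cer" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/apache.key.nopass" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}
```

On a real engine the same `verify_pair` check, pointed at the live paths, catches the two common mistakes (wrong chain file, key and cert from different requests) before httpd is restarted.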


[Users] replacing self-signed certificates

2013-11-20 Thread i iordanov
Hello,

I searched around but could not come up with specific instructions for how
to replace the self-signed certificates in an oVirt 3.3 setup with
non-self-signed certificates. I need to ensure that my oVirt/SPICE client
actually does the right thing when connecting to a machine with a 3rd party
signed certificate.

Presumably, I would be able to adapt the instructions provided here:
http://www.ovirt.org/How_to_change_engine_host_name

right? Which steps need to be modified? If I hammer at it long enough, I
would probably succeed in getting it to work at some point, but I was
hoping for somebody more experienced to help me over the initial hurdle.

In case I have to reinstall to use non-self-signed certificates, how do I
go about preparing the environment prior to running engine-setup?

Thanks!
iordan

-- 
The conscious mind has only one thread of execution.