[ovirt-users] PKI Problem

ramon Sun, 19 Jul 2020 07:24:01 -0700

Hi

I did a fresh installation of version 4.4.0.3. After the engine setup I 
replaced the apache certificate with a custom certificate. I used this article 
to do it: https://myhomelab.gr/linux/2020/01/20/replacing_ovirt_ssl.html


To summarize, I replaced those files with my own authority and the signed 
custom certificate

/etc/pki/ovirt-engine/keys/apache.key.nopass
/etc/pki/ovirt-engine/certs/apache.cer
/etc/pki/ovirt-engine/apache-ca.pem

That worked so far, apache uses now my certificate, login is possible. To setup 
a new machine, I need to upload an iso image, which failed. I found this error 
in /var/log/ovirt-imageio/daemon.log

2020-07-08 20:43:23,750 INFO    (Thread-10) [http] OPEN client=192.168.1.228
2020-07-08 20:43:23,767 INFO    (Thread-10) [backends.http] Open backend 
netloc='the_secret_hostname:54322' 
path='/images/ef60404c-dc69-4a3d-bfaa-8571f675f3e1' 
cafile='/etc/pki/ovirt-engine/apache-ca.pem' secure=True
2020-07-08 20:43:23,770 ERROR   (Thread-10) [http] Server error
Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/http.py", 
line 699, in __call__
    self.dispatch(req, resp)
  File "/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/http.py", 
line 744, in dispatch
    return method(req, resp, *match.groups())
  File "/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/cors.py", 
line 84, in wrapper
    return func(self, req, resp, *args)
  File "/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/images.py", 
line 66, in put
    backends.get(req, ticket, self.config),
  File 
"/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/backends/__init__.py",
 line 53, in get
    cafile=config.tls.ca_file)
  File 
"/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/backends/http.py", 
line 48, in open
    secure=options.get("secure", True))
  File 
"/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/backends/http.py", 
line 63, in __init__
    options = self._options()
  File 
"/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/backends/http.py", 
line 364, in _options
    self._con.request("OPTIONS", self.url.path)
  File "/usr/lib64/python3.6/http/client.py", line 1254, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1300, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1249, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1036, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.6/http/client.py", line 974, in send
    self.connect()
  File "/usr/lib64/python3.6/http/client.py", line 1422, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed 
(_ssl.c:897)
2020-07-08 20:43:23,770 INFO    (Thread-10) [http] CLOSE client=192.168.1.228 
[connection 1 ops, 0.019775 s] [dispatch 1 ops, 0.003114 s]

I'm a python developer so I had no problem reading the traceback. 

The SSL handshake fails when image-io tries to connect to what I think is 
called an ovn-provider. But it is using my new authority certificate 
cafile='/etc/pki/ovirt-engine/apache-ca.pem' which does not validate the 
certificate generated by the ovirt engine setup, which the ovn-provider 
probably uses.

I didn't exactly know where the parameter for the validation ca file is. 
Probably it is the ca_file parameter in 
/etc/ovirt-imageio/conf.d/50-engine.conf. But that needs to be set to my own 
authority ca file.

I modified the python file to set the ca_file parameter to the engine setups 
ca_file directly 

/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/backends/__init__.py

So the function call around line 50 looks like this:

        backend = module.open(
            ticket.url,
            mode,
            sparse=ticket.sparse,
            dirty=ticket.dirty,
            cafile='/etc/pki/ovirt-engine/ca.pem' #config.tls.ca_file
            )

Now the image upload works, but obviously this is not the way to fix things. Is 
there an other way to make image-io accept the certificate from the engine 
setup, while using my custom certificate? I don't want to replace the 
certificates of all ovirt components with custom certificates. I only need the 
weblogin with my custom certificate.

Regards
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/365ISJ7JHAKYIGYPQFXUGDBS7UHJDLI7/

[ovirt-users] PKI Problem

Reply via email to