[ovirt-users] Re: Extend apache.cer and websocket-proxy.cer

2023-11-20 Thread Matej Dujava via Users
Hi,

> certificate validation value in engine-setup
Do you mean expiration date on CA generated by ovirt?
Then I would look at (copied from Bugzilla):
> I found two places where the lifespan is hard coded in scripts:
> /usr/share/ovirt-engine/bin/pki-enroll-openssh-cert.sh 
> /usr/share/ovirt-engine/bin/pki-enroll-request.sh
But changing files provided by the package has its own issues.

Rerunning setup-engine does not affect guest VMs. It can ask you to
restart/reload ovirt-manager (to read a new cert) but it should not cause any
disruption to guest VMs. Only users/admins would need to re-login to the web UI.

On 4 November 2023 19:35:56 CET, LS CHENG  wrote:
>Hi
>
>I think I will stick with the default certificate 398 days rule. To renew
>the certificate automatically I am thinking to write a script and
>run engine-setup which will detect that the certificates are close to
>expiring, such as the following
>
>  --== PKI CONFIGURATION ==--
>
>  One or more of the certificates should be renewed, because they expire
>  soon, or include an invalid expiry date, or they were created with validity
>  period longer than 398 days, or do not include the subjectAltName
>  extension, which can cause them to be rejected by recent browsers and up
>  to date hosts.
>  See https://www.ovirt.org/develop/release-management/features/infra/pki-renew/
>  for more details.
>
>  Renew certificates? (Yes, No) [No]:
>
>
>However I see a couple of problems
>
>   1. engine-setup must be run with the offline option because otherwise it
>   will try to update the packages, which I want to avoid. When offline is
>   used, do the VMs running on the KVM hosts need to be stopped? Can this be
>   done online? It is a pain if every time I need to renew the certificates
>   I have to stop the entire virtualization environment.
>   2. To script and run this process as a cron job, can we run engine-setup
>   non-interactively?
>
>
>Thanks
>
>
>
>
>On Sat, Nov 4, 2023 at 6:47 PM LS CHENG  wrote:
>
>> Hi
>>
>> Yes it is generated with engine-setup.
>>
>> How do you extend the certificate validation value in engine-setup? (I am
>> aware that browsers can have problems with long duration certificates as
>> explained in
>> https://techbeacon.com/security/google-apple-mozilla-enforce-1-year-max-security-certifications
>> )
>>
>> Thanks
>>
>> On Sat, Nov 4, 2023 at 6:39 PM Matej Dujava  wrote:
>>
>>> Hi,
>>>
>>> By self signed cert, you mean managed cert generated by ovirt itself
>>> (engine-setup)?
>>>
>>> I found an issue https://bugzilla.redhat.com/show_bug.cgi?id=1824103 where
>>> it's mentioned that Safari (maybe other browsers too) have problems with
>>> long self signed CA. If it's not affecting your clients, you can change
>>> values and regenerate cert by engine-setup.
>>>
>>> You can always generate SSL cert by hand (openssl or cfssl ...) and
>>> replace it with following
>>> https://www.ovirt.org/documentation/administration_guide/#Replacing_the_Manager_CA_Certificate
>>>  .
>>>
>>>
>>> On 4 November 2023 14:18:26 CET, LS CHENG  wrote:
>>>
>>>> Hi again
>>>>
>>>> Forgot to mention that I am using self signed certificates
>>>>
>>>> Thank you
>>>>
>>>> On Sat, Nov 4, 2023 at 2:07 PM LS CHENG  wrote:
>>>>
>>>>> Hi all
>>>>>
>>>>> I am running Oracle Linux Virtualization Manager 4.4.
>>>>>
>>>>> The default expiration length for apache.cer and websocket-proxy.cer is
>>>>> 1 year, is there a way to extend them to 10 years?
>>>>>
>>>>> Thank you
>>>>>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/6DVPQZRY7XIDJ2ZSWC3FG2H7TOIKJL4T/
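
The conditions named in the engine-setup PKI prompt quoted in the message above (expiring soon, validity longer than 398 days, missing subjectAltName) can be checked with openssl before deciding whether a renewal run is needed. This is an added example, not part of the thread and not oVirt code; the 30-day "expire soon" threshold, the function names and passing the certificate paths as arguments are assumptions, and it relies on GNU date.

```shell
#!/bin/sh
# Added example (not oVirt code): report which conditions from the
# engine-setup PKI prompt apply to each certificate file given as argument.
# Usage: sh check-certs.sh <path to apache.cer> <path to websocket-proxy.cer>

MAX_VALIDITY_DAYS=398   # limit named in the engine-setup prompt
WARN_DAYS=30            # assumed meaning of "expire soon"

# "notAfter=Nov  4 12:00:00 2024 GMT" -> seconds since the epoch (GNU date)
to_epoch() {
    date -u -d "${1#*=}" +%s
}

# Prints the findings for one certificate, or "ok" when there are none.
cert_findings() {
    cert=$1
    findings=""
    # An empty, truncated or non-certificate file must not be reported as fine
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "unreadable"
        return 0
    fi
    # -checkend exits non-zero when the certificate expires within N seconds
    if ! openssl x509 -in "$cert" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null; then
        findings="$findings expires-soon"
    fi
    start=$(to_epoch "$(openssl x509 -in "$cert" -noout -startdate)")
    end=$(to_epoch "$(openssl x509 -in "$cert" -noout -enddate)")
    if [ $(( (end - start) / 86400 )) -gt "$MAX_VALIDITY_DAYS" ]; then
        findings="$findings validity-over-${MAX_VALIDITY_DAYS}-days"
    fi
    text=$(openssl x509 -in "$cert" -noout -text)
    case "$text" in
        *"Subject Alternative Name"*) ;;
        *) findings="$findings no-subjectAltName" ;;
    esac
    findings=${findings# }
    echo "${findings:-ok}"
}

status=0
for cert in "$@"; do
    result=$(cert_findings "$cert")
    echo "$cert: $result"
    [ "$result" = "ok" ] || status=1
done
# Exit status is 1 if any certificate had a finding, for use from cron
[ "$status" -eq 0 ]
```
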


[ovirt-users] Re: Extend apache.cer and websocket-proxy.cer

2023-11-04 Thread LS CHENG
Hi

I think I will stick with the default certificate 398 days rule. To renew
the certificate automatically I am thinking to write a script and
run engine-setup which will detect that the certificates are close to
expiring, such as the following

  --== PKI CONFIGURATION ==--

  One or more of the certificates should be renewed, because they expire
  soon, or include an invalid expiry date, or they were created with validity
  period longer than 398 days, or do not include the subjectAltName
  extension, which can cause them to be rejected by recent browsers and up
  to date hosts.
  See https://www.ovirt.org/develop/release-management/features/infra/pki-renew/
  for more details.

  Renew certificates? (Yes, No) [No]:


However I see a couple of problems

   1. engine-setup must be run with the offline option because otherwise it
   will try to update the packages, which I want to avoid. When offline is
   used, do the VMs running on the KVM hosts need to be stopped? Can this be
   done online? It is a pain if every time I need to renew the certificates
   I have to stop the entire virtualization environment.
   2. To script and run this process as a cron job, can we run engine-setup
   non-interactively?


Thanks




On Sat, Nov 4, 2023 at 6:47 PM LS CHENG  wrote:

> Hi
>
> Yes it is generated with engine-setup.
>
> How do you extend the certificate validation value in engine-setup? (I am
> aware that browsers can have problems with long duration certificates as
> explained in
> https://techbeacon.com/security/google-apple-mozilla-enforce-1-year-max-security-certifications
> )
>
> Thanks
>
> On Sat, Nov 4, 2023 at 6:39 PM Matej Dujava  wrote:
>
>> Hi,
>>
>> By self signed cert, you mean managed cert generated by ovirt itself
>> (engine-setup)?
>>
>> I found an issue https://bugzilla.redhat.com/show_bug.cgi?id=1824103 where
>> it's mentioned that Safari (maybe other browsers too) have problems with
>> long self signed CA. If it's not affecting your clients, you can change
>> values and regenerate cert by engine-setup.
>>
>> You can always generate SSL cert by hand (openssl or cfssl ...) and
>> replace it with following
>> https://www.ovirt.org/documentation/administration_guide/#Replacing_the_Manager_CA_Certificate
>>  .
>>
>>
>> On 4 November 2023 14:18:26 CET, LS CHENG  wrote:
>>
>>> Hi again
>>>
>>> Forgot to mention that I am using self signed certificates
>>>
>>> Thank you
>>>
>>>
>>>
>>> On Sat, Nov 4, 2023 at 2:07 PM LS CHENG  wrote:
>>>
>>>> Hi all
>>>>
>>>> I am running Oracle Linux Virtualization Manager 4.4.
>>>>
>>>> The default expiration length for apache.cer and websocket-proxy.cer is
>>>> 1 year, is there a way to extend them to 10 years?
>>>>
>>>> Thank you
>>>>


[ovirt-users] Re: Extend apache.cer and websocket-proxy.cer

2023-11-04 Thread LS CHENG
Hi

Yes it is generated with engine-setup.

How do you extend the certificate validation value in engine-setup? (I am
aware that browsers can have problems with long duration certificates as
explained in
https://techbeacon.com/security/google-apple-mozilla-enforce-1-year-max-security-certifications
)

Thanks

On Sat, Nov 4, 2023 at 6:39 PM Matej Dujava  wrote:

> Hi,
>
> By self signed cert, you mean managed cert generated by ovirt itself
> (engine-setup)?
>
> I found an issue https://bugzilla.redhat.com/show_bug.cgi?id=1824103 where
> it's mentioned that Safari (maybe other browsers too) have problems with
> long self signed CA. If it's not affecting your clients, you can change
> values and regenerate cert by engine-setup.
>
> You can always generate SSL cert by hand (openssl or cfssl ...) and
> replace it with following
> https://www.ovirt.org/documentation/administration_guide/#Replacing_the_Manager_CA_Certificate
>  .
>
>
> On 4 November 2023 14:18:26 CET, LS CHENG  wrote:
>
>> Hi again
>>
>> Forgot to mention that I am using self signed certificates
>>
>> Thank you
>>
>>
>>
>> On Sat, Nov 4, 2023 at 2:07 PM LS CHENG  wrote:
>>
>>> Hi all
>>>
>>> I am running Oracle Linux Virtualization Manager 4.4.
>>>
>>> The default expiration length for apache.cer and websocket-proxy.cer is
>>> 1 year, is there a way to extend them to 10 years?
>>>
>>> Thank you
>>>
>>>
>>>


[ovirt-users] Re: Extend apache.cer and websocket-proxy.cer

2023-11-04 Thread LS CHENG
Hi again

Forgot to mention that I am using self signed certificates

Thank you



On Sat, Nov 4, 2023 at 2:07 PM LS CHENG  wrote:

> Hi all
>
> I am running Oracle Linux Virtualization Manager 4.4.
>
> The default expiration length for apache.cer and websocket-proxy.cer is 1
> year, is there a way to extend them to 10 years?
>
> Thank you
>
>
>