[ovirt-users] Re: Use public-signed SSL certs?

2019-07-31 Thread Chris Adams
Circling back to an old email...

Once upon a time, Yedidyah Bar David  said:
> On Wed, Jan 30, 2019 at 10:28 PM Chris Adams  wrote:
> > However, while digging, I also noticed that now the engine is not
> > communicating with ovirt-provider-ovn, possibly due to a similar issue?
> > It is having the reverse problem; it rejects the engine's cert.
> 
> Didn't try this yet, adding Dominik.

Was anybody able to look at this?  I had to use my dev hardware for
something else for a bit, so re-installed with 4.3.5 yesterday.  The
imageio SSL cert issue looks good, but I still can't figure out the
ovirt-provider-ovn CA usage.

My little bit of digging seems to show that the engine connects to the
provider and is using an SSL client cert, and that cert is signed by
something... but I'm not sure what.  I think the provider side is trying
to validate with the following setting from
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf

[OVIRT]
ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem

Following the general "3rd-party SSL", that is now the Let's Encrypt CA.
I tried changing it to point to the original self-signed oVirt CA (same
directory, just "ca.pem"), but that didn't work either.

Any suggestions?
-- 
Chris Adams 
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/VBM4JSHX2IC2DLEZJB2O3FBPRILPU3HV/


[ovirt-users] Re: Use public-signed SSL certs?

2019-08-01 Thread Chris Adams
I figured it out.  When ovirt-provider-ovn attempts to connect back to
the engine via HTTPS, it tells the python requests module to use the
specified CA cert file... but that won't work with most 3rd-party certs
because they have an intermediate cert as well.  It appears that the
requests module tries to validate both certs.

Creating /etc/ovirt-provider-ovn/conf.d/99-custom-cert.conf that just
has:

[OVIRT]
ovirt-ca-file=

tells the module to use the regular system CA cert file(s), which works.
This should probably be added to the oVirt doc for using a 3rd-party
cert.

Once upon a time, Chris Adams  said:
> Circling back to an old email...
> 
> Once upon a time, Yedidyah Bar David  said:
> > On Wed, Jan 30, 2019 at 10:28 PM Chris Adams  wrote:
> > > However, while digging, I also noticed that now the engine is not
> > > communicating with ovirt-provider-ovn, possibly due to a similar issue?
> > > It is having the reverse problem; it rejects the engine's cert.
> > 
> > Didn't try this yet, adding Dominik.
> 
> Was anybody able to look at this?  I had to use my dev hardware for
> something else for a bit, so re-installed with 4.3.5 yesterday.  The
> imageio SSL cert issue looks good, but I still can't figure out the
> ovirt-provider-ovn CA usage.
> 
> My little bit of digging seems to show that the engine connects to the
> provider and is using an SSL client cert, and that cert is signed by
> something... but I'm not sure what.  I think the provider side is trying
> to validate with the following setting from
> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> 
> [OVIRT]
> ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem
> 
> Following the general "3rd-party SSL", that is now the Let's Encrypt CA.
> I tried changing it to point to the original self-signed oVirt CA (same
> directory, just "ca.pem"), but that didn't work either.
> 
> Any suggestions?

-- 
Chris Adams 
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/AG3IN73YZ2WLBLNCA2V42LE5V72XQ6Y6/


[ovirt-users] Re: Use public-signed SSL certs?

2019-08-02 Thread Dominik Holler
On Thu, 1 Aug 2019 20:45:56 -0500
Chris Adams  wrote:

> I figured it out.  When ovirt-provider-ovn attempts to connect back to
> the engine via HTTPS, it tells the python requests module to use the
> specified CA cert file... but that won't work with most 3rd-party certs
> because they have an intermediate cert as well.  It appears that the
> requests module tries to validate both certs.
> 
> Creating /etc/ovirt-provider-ovn/conf.d/99-custom-cert.conf that just
> has:
> 
> [OVIRT]
> ovirt-ca-file=
> 
> tells the module to use the regular system CA cert file(s), which works.


Thanks for your investigation!
Looks like the empty string is converted implicitly to Boolean in
https://github.com/psf/requests/blob/75bdc998e2d430a35d869b2abf1779bd0d34890e/requests/adapters.py#L215
Because bool('') is False in python, the certificate should be checked
at all.

Would
ovirt-ca-file=/etc/pki/tls/certs/ca-bundle.crt
work for you?
(It works for https://helloworld.letsencrypt.org)

> This should probably be added to the oVirt doc for using a 3rd-party
> cert.
> 
> Once upon a time, Chris Adams  said:
> > Circling back to an old email...
> > 
> > Once upon a time, Yedidyah Bar David  said:
> > > On Wed, Jan 30, 2019 at 10:28 PM Chris Adams  wrote:
> > > > However, while digging, I also noticed that now the engine is not
> > > > communicating with ovirt-provider-ovn, possibly due to a similar issue?
> > > > It is having the reverse problem; it rejects the engine's cert.
> > > 
> > > Didn't try this yet, adding Dominik.
> > 
> > Was anybody able to look at this?  I had to use my dev hardware for
> > something else for a bit, so re-installed with 4.3.5 yesterday.  The
> > imageio SSL cert issue looks good, but I still can't figure out the
> > ovirt-provider-ovn CA usage.
> > 
> > My little bit of digging seems to show that the engine connects to the
> > provider and is using an SSL client cert, and that cert is signed by
> > something... but I'm not sure what.  I think the provider side is trying
> > to validate with the following setting from
> > /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> > 
> > [OVIRT]
> > ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem
> > 
> > Following the general "3rd-party SSL", that is now the Let's Encrypt CA.
> > I tried changing it to point to the original self-signed oVirt CA (same
> > directory, just "ca.pem"), but that didn't work either.
> > 
> > Any suggestions?
> 
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/BDVMCNCD7AHEBNFJ7QADJ7Y4ARNHQO3Y/


[ovirt-users] Re: Use public-signed SSL certs?

2019-08-02 Thread Dominik Holler
On Fri, Aug 2, 2019 at 4:37 PM Dominik Holler  wrote:

> On Thu, 1 Aug 2019 20:45:56 -0500
> Chris Adams  wrote:
>
> > I figured it out.  When ovirt-provider-ovn attempts to connect back to
> > the engine via HTTPS, it tells the python requests module to use the
> > specified CA cert file... but that won't work with most 3rd-party certs
> > because they have an intermediate cert as well.  It appears that the
> > requests module tries to validate both certs.
> >
> > Creating /etc/ovirt-provider-ovn/conf.d/99-custom-cert.conf that just
> > has:
> >
> > [OVIRT]
> > ovirt-ca-file=
> >
> > tells the module to use the regular system CA cert file(s), which works.
>
>
> Thanks for your investigation!
> Looks like the empty string is converted implicitly to Boolean in
>
> https://github.com/psf/requests/blob/75bdc998e2d430a35d869b2abf1779bd0d34890e/requests/adapters.py#L215
> Because bool('') is False in python, the certificate should be checked
> at all.
>
>
Because bool('') is False in python, the certificate should be *not* checked
at all.


> Would
> ovirt-ca-file=/etc/pki/tls/certs/ca-bundle.crt
> work for you?
> (It works for https://helloworld.letsencrypt.org)
>
> > This should probably be added to the oVirt doc for using a 3rd-party
> > cert.
> >
> > Once upon a time, Chris Adams  said:
> > > Circling back to an old email...
> > >
> > > Once upon a time, Yedidyah Bar David  said:
> > > > On Wed, Jan 30, 2019 at 10:28 PM Chris Adams 
> wrote:
> > > > > However, while digging, I also noticed that now the engine is not
> > > > > communicating with ovirt-provider-ovn, possibly due to a similar
> issue?
> > > > > It is having the reverse problem; it rejects the engine's cert.
> > > >
> > > > Didn't try this yet, adding Dominik.
> > >
> > > Was anybody able to look at this?  I had to use my dev hardware for
> > > something else for a bit, so re-installed with 4.3.5 yesterday.  The
> > > imageio SSL cert issue looks good, but I still can't figure out the
> > > ovirt-provider-ovn CA usage.
> > >
> > > My little bit of digging seems to show that the engine connects to the
> > > provider and is using an SSL client cert, and that cert is signed by
> > > something... but I'm not sure what.  I think the provider side is
> trying
> > > to validate with the following setting from
> > > /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> > >
> > > [OVIRT]
> > > ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem
> > >
> > > Following the general "3rd-party SSL", that is now the Let's Encrypt
> CA.
> > > I tried changing it to point to the original self-signed oVirt CA (same
> > > directory, just "ca.pem"), but that didn't work either.
> > >
> > > Any suggestions?
> >
>
>
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/5HZ42UMK6RQFSETO5ED4ZUKSPFFO5TD4/
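
Chris's finding (an empty `ovirt-ca-file=` in a conf.d override) and Dominik's correction of what that empty string does inside python-requests can be reproduced in a few lines of Python. The block below is an added example, not code from this thread, from oVirt or from python-requests: the two conf.d snippets are constructed to mirror the files named in the thread, `requests_cert_mode` is a one-line paraphrase of the truthiness check Dominik links to rather than the adapter's actual code, and the function names and the injected `exists` parameter (so the check runs without touching the real filesystem) are this example's own.

```python
"""Resolve ovirt-provider-ovn's ``ovirt-ca-file`` setting into a value that is
safe to hand to python-requests as ``verify=``.

Added example for the ovirt-users thread; not code from oVirt or requests.
"""
import configparser
import os
from typing import Callable, Union

# Constructed conf.d snippets mirroring the two files named in the thread.
# Files are merged in name order, so 99-custom-cert.conf overrides
# 10-setup-ovirt-provider-ovn.conf.
SETUP_CONF = """
[OVIRT]
ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem
"""

CUSTOM_CONF = """
[OVIRT]
ovirt-ca-file=
"""

# System CA bundle path suggested in the thread as the working replacement.
SYSTEM_BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"


def load_ca_file_setting(*snippets: str) -> str:
    """Merge conf.d snippets in order and return the effective ovirt-ca-file.

    Later snippets override earlier ones, like the real conf.d layering."""
    parser = configparser.ConfigParser(interpolation=None)
    for text in snippets:
        parser.read_string(text)
    return parser.get("OVIRT", "ovirt-ca-file", fallback="")


def requests_cert_mode(verify: Union[bool, str]) -> str:
    """Paraphrase (not the real code) of the truthiness check in requests'
    HTTPAdapter.cert_verify: any falsy value, the empty string included,
    switches server certificate verification off entirely."""
    return "CERT_REQUIRED" if verify else "CERT_NONE"


def count_pem_certs(pem_text: str) -> int:
    """Number of PEM certificate blocks in a bundle's text; a CA file with
    zero blocks can never validate anything."""
    return pem_text.count("-----BEGIN CERTIFICATE-----")


def safe_verify_argument(
    ca_file: str,
    system_bundle: str = SYSTEM_BUNDLE,
    exists: Callable[[str], bool] = os.path.isfile,
) -> str:
    """Turn the config value into something that is never falsy.

    - empty / whitespace  -> the explicit system bundle path
    - anything else       -> must exist on disk, otherwise fail loudly
    The `exists` hook is injected so this can be exercised without a real FS."""
    value = ca_file.strip() or system_bundle
    if not exists(value):
        raise FileNotFoundError(
            f"CA bundle {value!r} does not exist; refusing to fall back to an "
            "unverified connection"
        )
    return value


if __name__ == "__main__":
    raw = load_ca_file_setting(SETUP_CONF, CUSTOM_CONF)
    print(f"effective ovirt-ca-file: {raw!r}")
    # What requests does with the raw value: CERT_NONE, i.e. no verification.
    print("raw value handed to requests ->", requests_cert_mode(raw))
    # Hardened path: the stub `exists` stands in for the real filesystem here.
    safe = safe_verify_argument(raw, exists=lambda _path: True)
    print("hardened value ->", safe, "->", requests_cert_mode(safe))
```

The point of the resolver is that "it works" and "it verifies" are different observations: an empty `ovirt-ca-file` makes the connection succeed precisely because nothing is checked, while an explicit bundle path keeps `CERT_REQUIRED` and fails fast if the path is wrong.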


[ovirt-users] Re: Use public-signed SSL certs?

2019-08-02 Thread Chris Adams
Once upon a time, Dominik Holler  said:
> Would
> ovirt-ca-file=/etc/pki/tls/certs/ca-bundle.crt
> work for you?

Yes, that looks like it works correctly.

Still chasing issues with a 3rd-party cert down... now it seems like
there may be an SSL issue between ovirt-provider-ovn and ovsdb-server
(seeing SSL and protocol errors in ovsdb-server-nb.log that weren't
there before changing the cert).

Also, I updated the engine from 4.3.4 to 4.3.5 and it overwrote the
necessary changes in ovirt-imageio-proxy's config.

-- 
Chris Adams 
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/SME7XGJLCJ5YTMFQ2OBJKFT53WODEQOI/


[ovirt-users] Re: Use public-signed SSL certs?

2019-01-29 Thread Chris Adams
I had not.  Can that be run non-interactively to do whatever is needed?
I'm using a Let's Encrypt cert, which needs to have a 100% automated
deployment.

Once upon a time, Staniforth, Paul  said:
> Did you try running engine-setup ?
> 
> Regards,
>   Paul S.
> 
> From: Chris Adams 
> Sent: 29 January 2019 15:51
> To: users@ovirt.org
> Subject: [ovirt-users] Use public-signed SSL certs?
> 
> I installed an SSL cert from a public CA (Let's Encrypt) on my engine,
> following this:
> 
> https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.2/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_CA_Certificate
> 
> That gets the regular web UI working, but I can't upload an ISO.  I
> assume that I need to do something with the imageio-proxy service on the
> engine, but not sure what... I tried replacing imageio-proxy.cer and
> imageio-proxy.key.nopass, but that didn't work.
> 
> I'm trying to avoid ever needing to install a special CA cert in
> browsers.
> --
> Chris Adams 

-- 
Chris Adams 
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/MO64G3S2MXF5HA54E5PSHNDAZU2OPIYL/


[ovirt-users] Re: Use public-signed SSL certs?

2019-01-29 Thread John Florian

On 1/29/19 1:30 PM, Chris Adams wrote:

> Can that be run non-interactively to do whatever is needed?
> I'm using a Let's Encrypt cert, which needs to have a 100% automated
> deployment.


Yes, I believe so.  Look at the whole biz with the "answers" file and 
the --config-append=file option.  You should already have a generated 
answers file laying around from when you ran engine-setup before.  See 
/var/lib/ovirt-engine/setup/answers IIRC.

List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/4V7XPHN63OD5LON365IBXH4KCBAV7XID/


[ovirt-users] Re: Use public-signed SSL certs?

2019-01-29 Thread Chris Adams
Once upon a time, John Florian  said:
> On 1/29/19 1:30 PM, Chris Adams wrote:
> >Can that be run non-interactively to do whatever is needed?
> >I'm using a Let's Encrypt cert, which needs to have a 100% automated
> >deployment.
> 
> Yes, I believe so.  Look at the whole biz with the "answers" file
> and the --config-append=file option.  You should already have a
> generated answers file laying around from when you ran engine-setup
> before.  See /var/lib/ovirt-engine/setup/answers IIRC.

Hmm, that won't work - it looks like you can't run engine-setup on a
hosted engine unless you first set hosted-engine HA to global
maintenance.

Is running engine-setup necessary to install/update certificates, or
maybe is there a simpler way?
-- 
Chris Adams 
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/OLWCGI5DFDPGZMACRH4CLEAA57MM6KDF/


[ovirt-users] Re: Use public-signed SSL certs?

2019-01-29 Thread John Florian

On 1/29/19 2:47 PM, Chris Adams wrote:

> Once upon a time, John Florian  said:
>
>> On 1/29/19 1:30 PM, Chris Adams wrote:
>>
>>> Can that be run non-interactively to do whatever is needed?
>>> I'm using a Let's Encrypt cert, which needs to have a 100% automated
>>> deployment.
>>
>> Yes, I believe so.  Look at the whole biz with the "answers" file
>> and the --config-append=file option.  You should already have a
>> generated answers file laying around from when you ran engine-setup
>> before.  See /var/lib/ovirt-engine/setup/answers IIRC.
>
> Hmm, that won't work - it looks like you can't run engine-setup on a
> hosted engine unless you first set hosted-engine HA to global
> maintenance.
>
> Is running engine-setup necessary to install/update certificates, or
> maybe is there a simpler way?


I'm quite certain you can do it w/o engine-setup if you hit all the 
right file locations.

List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/23CSSA5MA22MFA7NZMOKA7RVRHQAHYUC/


[ovirt-users] Re: Use public-signed SSL certs?

2019-01-29 Thread John Florian
On 1/29/19 3:13 PM, John Florian wrote:
> On 1/29/19 2:47 PM, Chris Adams wrote:
>> Once upon a time, John Florian  said:
>>> On 1/29/19 1:30 PM, Chris Adams wrote:
>>>> Can that be run non-interactively to do whatever is needed?
>>>> I'm using a Let's Encrypt cert, which needs to have a 100% automated
>>>> deployment.
>>> Yes, I believe so.  Look at the whole biz with the "answers" file
>>> and the --config-append=file option.  You should already have a
>>> generated answers file laying around from when you ran engine-setup
>>> before.  See /var/lib/ovirt-engine/setup/answers IIRC.
>> Hmm, that won't work - it looks like you can't run engine-setup on a
>> hosted engine unless you first set hosted-engine HA to global
>> maintenance.
>>
>> Is running engine-setup necessary to install/update certificates, or
>> maybe is there a simpler way?
>
> I'm quite certain you can do it w/o engine-setup if you hit all the
> right file locations.

Just to follow up on this Chris, I have my puppet drop my CA cert in
/etc/pki/ca-trust/source/anchors/, my self-signed cert
in /etc/pki/ovirt-engine/certs/ and my key in 
/etc/pki/ovirt-engine/keys.  I also manage
/etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf to have:

ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""

I believe this gives me everything you seek.

-- 

John Florian
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/QHWEL244HI4ZNZXDMSSG23UOL7RIBVGF/


[ovirt-users] Re: Use public-signed SSL certs?

2019-01-29 Thread Chris Adams
Once upon a time, John Florian  said:
> Just to follow up on this Chris, I have my puppet drop my CA cert in
> /etc/pki/ca-trust/source/anchors/, my self-signed cert
> in /etc/pki/ovirt-engine/certs/ and my key in 
> /etc/pki/ovirt-engine/keys.  I also manage
> /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf to have:
> 
> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
> 
> I believe this gives me everything you seek.

That works to get the core engine UI using a new cert (that and a little
more are in the Red Hat URL in my original message).  It doesn't handle
the imageio-proxy however.
-- 
Chris Adams 
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/SPQLME4PMHRXM6LCVSX4V5GNZLFOIF4W/


[ovirt-users] Re: Use public-signed SSL certs?

2019-01-29 Thread Staniforth, Paul
Did you try running engine-setup ?

Regards,
  Paul S.

From: Chris Adams 
Sent: 29 January 2019 15:51
To: users@ovirt.org
Subject: [ovirt-users] Use public-signed SSL certs?

I installed an SSL cert from a public CA (Let's Encrypt) on my engine,
following this:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.2/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_CA_Certificate

That gets the regular web UI working, but I can't upload an ISO.  I
assume that I need to do something with the imageio-proxy service on the
engine, but not sure what... I tried replacing imageio-proxy.cer and
imageio-proxy.key.nopass, but that didn't work.

I'm trying to avoid ever needing to install a special CA cert in
browsers.
--
Chris Adams 
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/NZBGRCKW6WA4WISTCRDJIFUCMNIKJ2CG/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/VY3FEC5VFBDP5OMCENB2FZTSEAX43ONX/


[ovirt-users] Re: Use public-signed SSL certs?

2019-01-29 Thread Yedidyah Bar David
On Tue, Jan 29, 2019 at 6:05 PM Chris Adams  wrote:
>
> I installed an SSL cert from a public CA (Let's Encrypt) on my engine,
> following this:
>
> https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.2/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_CA_Certificate
>
> That gets the regular web UI working, but I can't upload an ISO.  I
> assume that I need to do something with the imageio-proxy service on the
> engine, but not sure what... I tried replacing imageio-proxy.cer and
> imageio-proxy.key.nopass, but that didn't work.

Did you restart the imageio-proxy?

What didn't work? What happened?

>
> I'm trying to avoid ever needing to install a special CA cert in
> browsers.

Makes sense.

This is known bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1637809

Before opening it, we had a bug about fixing the documentation you
point at:

https://bugzilla.redhat.com/show_bug.cgi?id=1385617

As mentioned there, what you tried to do should have worked.

Best regards,
-- 
Didi
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZYR3ZJU5V57356DFSZ6BNCWBGX5Q6PP5/


[ovirt-users] Re: Use public-signed SSL certs?

2019-01-30 Thread Chris Adams
Once upon a time, Yedidyah Bar David  said:
> On Tue, Jan 29, 2019 at 6:05 PM Chris Adams  wrote:
> > I installed an SSL cert from a public CA (Let's Encrypt) on my engine,
> > following this:
> >
> > https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.2/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_CA_Certificate
> >
> > That gets the regular web UI working, but I can't upload an ISO.  I
> > assume that I need to do something with the imageio-proxy service on the
> > engine, but not sure what... I tried replacing imageio-proxy.cer and
> > imageio-proxy.key.nopass, but that didn't work.
> 
> Did you restart the imageio-proxy?
> 
> What didn't work? What happened?

I did restart the service.  When I then try to upload an ISO image, I
get "Paused by System" and this in engine.log:


2019-01-30 08:12:15,871-06 ERROR [org.ovirt.engine.core.bll.storage.disk.image.TransferDiskImageCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-52) [0052c7ad-38d7-429d-be3a-eb0e496d5ee8] Failed to add image ticket to ovirt-imageio-proxy: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [jsse.jar:1.8.0_191]
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946) [jsse.jar:1.8.0_191]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316) [jsse.jar:1.8.0_191]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310) [jsse.jar:1.8.0_191]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639) [jsse.jar:1.8.0_191]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) [jsse.jar:1.8.0_191]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) [jsse.jar:1.8.0_191]
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965) [jsse.jar:1.8.0_191]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064) [jsse.jar:1.8.0_191]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367) [jsse.jar:1.8.0_191]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395) [jsse.jar:1.8.0_191]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379) [jsse.jar:1.8.0_191]
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) [rt.jar:1.8.0_191]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) [rt.jar:1.8.0_191]
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334) [rt.jar:1.8.0_191]
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309) [rt.jar:1.8.0_191]
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259) [rt.jar:1.8.0_191]
at org.ovirt.engine.core.bll.storage.disk.image.TransferImageCommand.addImageTicketToProxy(TransferImageCommand.java:654) [bll.jar:]
at org.ovirt.engine.core.bll.storage.disk.image.TransferImageCommand.startImageTransferSession(TransferImageCommand.java:579) [bll.jar:]
at org.ovirt.engine.core.bll.storage.disk.image.TransferImageCommand.handleImageIsReadyForTransfer(TransferImageCommand.java:261) [bll.jar:]
at org.ovirt.engine.core.bll.storage.disk.image.TransferImageCommand.handleInitializing(TransferImageCommand.java:232) [bll.jar:]
at org.ovirt.engine.core.bll.storage.disk.image.TransferImageCommand.executeStateHandler(TransferImageCommand.java:167) [bll.jar:]
at org.ovirt.engine.core.bll.storage.disk.image.TransferImageCommand.proceedCommandExecution(TransferImageCommand.java:154) [bll.jar:]
at org.ovirt.engine.core.bll.storage.disk.image.TransferImageCommandCallback.doPolling(TransferImageCommandCallback.java:21) [bll.jar:]
at org.ovirt.engine.core.bll.tasks.CommandCallbacksPoller.invokeCallbackMethodsImpl(CommandCallbacksPoller.java:146) [bll.jar:]
at org.ovirt.engine.core.bll.tasks.CommandCallbacksPoller.invokeCallbackMethods(CommandCallbacksPoller.java:107) [bll.jar:]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [rt.jar:1.8.0_191]
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [rt.jar:1.8.0_191]
at org.glassfish.enterprise.concurrent.internal.ManagedScheduledThreadPoolExecutor$ManagedScheduledFutureTask.access$201(ManagedScheduledThreadPoolExecutor.java:383) [javax.enterprise.concurrent-1.0.jar:]
at org.glassfish.enterprise.concurrent.intern

[ovirt-users] Re: Use public-signed SSL certs?

2019-01-30 Thread Chris Adams
Digging a little deeper... if I add the Let's Encrypt CA to
/etc/pki/ovirt-engine/.truststore, imageio-proxy works (I can
successfully upload an ISO), so I guess the issue is that imageio-proxy
uses the same cert for web and engine communication and the engine
wasn't happy with the public-CA-signed cert.

So, rather than point part of the engine at a separate trust store (as
the docs recommend), maybe just add the public CA to the engine's
existing trust store?

However, while digging, I also noticed that now the engine is not
communicating with ovirt-provider-ovn, possibly due to a similar issue?
It is having the reverse problem; it rejects the engine's cert.

This is all on 4.2.8 BTW.
-- 
Chris Adams 
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/FC6FNKINSVQFA7FDO2D6FBSHP2U5D7WI/


[ovirt-users] Re: Use public-signed SSL certs?

2019-01-30 Thread Sandro Emma
I got it working by changing the SSL certs pointed out in the
/etc/imageio-proxy/imageio-proxy.conf.

BR

Chris Adams  wrote on Wed., 30 Jan. 2019, 21:28:

> Digging a little deeper... if I add the Let's Encrypt CA to
> /etc/pki/ovirt-engine/.truststore, imageio-proxy works (I can
> successfully upload an ISO), so I guess the issue is that imageio-proxy
> uses the same cert for web and engine communication and the engine
> wasn't happy with the public-CA-signed cert.
>
> So, rather than point part of the engine at a separate trust store (as
> the docs recommend), maybe just add the public CA to the engine's
> existing trust store?
>
> However, while digging, I also noticed that now the engine is not
> communicating with ovirt-provider-ovn, possibly due to a similar issue?
> It is having the reverse problem; it rejects the engine's cert.
>
> This is all on 4.2.8 BTW.
> --
> Chris Adams 
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/JJB7EQNSF37RDAZXDIIGHBKX7C2DKPE5/


[ovirt-users] Re: Use public-signed SSL certs?

2019-02-04 Thread Yedidyah Bar David
On Wed, Jan 30, 2019 at 10:28 PM Chris Adams  wrote:
>
> Digging a little deeper... if I add the Let's Encrypt CA to
> /etc/pki/ovirt-engine/.truststore, imageio-proxy works (I can
> successfully upload an ISO), so I guess the issue is that imageio-proxy
> uses the same cert for web and engine communication and the engine
> wasn't happy with the public-CA-signed cert.

I think I agree with your analysis.

I now reproduced this on a test env.

I started with ovirt-system-tests basic suite deploy, made sure I
can upload an image.

Then I followed the docs about replacing certs, using a
temporarily-created CA for testing (using openssl, actually using a copy
of the engine's pki scripts), including adding 99-custom-truststore.conf,
imported the CA's cert to the browser, and:

1. Connecting with the browser worked, all is green.

2. Logged in, pressed "Disks -> Upload -> Start -> Test Connection",
and it failed.

3. Edited the ovirt-imageio-proxy conf to point key and cert to a
key and cert I created and signed using my temp ca, restarted it,
"Test Connection" worked.

4. Actually uploading the image failed as you describe.

5. Imported my CA's cert to /etc/pki/ovirt-engine/.truststore,
using:

keytool -importcert -trustcacerts -keystore /etc/pki/ovirt-engine/.truststore -storepass mypass -file /etc/pki/ovirt-engine/apache-ca.pem

and restarted the engine, and then upload works.

Adding Martin and Nir.


>
> So, rather than point part of the engine at a separate trust store (as
> the docs recommend), maybe just add the public CA to the engine's
> existing trust store?

I admit I still didn't try to fully analyze this myself, but I tend
to agree with you. Or rather: Our docs should probably support both
options - tell the engine to trust (and use?) the system-wide store,
or manually add a specific cert. Because I guess you can find people
that will prefer either option.

>
> However, while digging, I also noticed that now the engine is not
> communicating with ovirt-provider-ovn, possibly due to a similar issue?
> It is having the reverse problem; it rejects the engine's cert.

Didn't try this yet, adding Dominik.

>
> This is all on 4.2.8 BTW.

I personally tried this on:

ovirt-engine-4.3.0-0.8.master.20190122121624.git9a8a519.el7.noarch

I guess the behavior didn't change much between them.

Thanks for your debugging and report!

Best regards,
-- 
Didi
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/MSEUGUHVCXWESA7SOLYQHGYB6LVN77KE/
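The temporary-CA test described in steps 3 to 5 above, redone here as an added example (not code from the thread or from oVirt) with openssl only: it shows, offline, whether a service cert such as the imageio-proxy one would validate against a given CA file before that CA is imported into /etc/pki/ovirt-engine/.truststore. The CA and host names are made up; the keytool import itself is not repeated.

```shell
#!/bin/sh
# Added example, not from the thread: redo the temporary-CA test with
# openssl only, so you can check offline whether a service cert (here a
# stand-in for the imageio-proxy cert) would validate against a given CA
# file before importing anything into /etc/pki/ovirt-engine/.truststore.
# All CA and host names below are made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway self-signed CA named $1 (cert + key in $WORK).
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a server cert for host $2 signed by CA $1; writes $WORK/$2.pem.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}

# Prints "ok" if cert $1 chains to the CA(s) in file $2, else "fail".
# This is the trust decision the engine makes once that CA is imported.
verify_against() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Prints the issuer DN of cert $1: the CA that has to be trusted.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

make_test_ca testca      # stands in for the custom / public CA
make_test_ca ovirt-ca    # stands in for the engine's own ca.pem
issue_cert testca imageio.test

LEAF="$WORK/imageio.test.pem"
issuer_of "$LEAF"
verify_against "$LEAF" "$WORK/testca.pem"    # ok: this CA signed it
verify_against "$LEAF" "$WORK/ovirt-ca.pem"  # fail: the engine CA did not
```

Run the same verify_against on the real service cert against the CA file you intend to import; a "fail" there means the truststore import alone will not make the engine trust that cert.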


[ovirt-users] Re: Use public-signed SSL certs?

2019-02-04 Thread Dominik Holler
On Mon, 4 Feb 2019 13:21:56 +0200
Yedidyah Bar David  wrote:

> On Wed, Jan 30, 2019 at 10:28 PM Chris Adams  wrote:
> >
> > Digging a little deeper... if I add the Let's Encrypt CA to
> > /etc/pki/ovirt-engine/.truststore, imageio-proxy works (I can
> > successfully upload an ISO), so I guess the issue is that imageio-proxy
> > uses the same cert for web and engine communication and the engine
> > wasn't happy with the public-CA-signed cert.
> 
> I think I agree with your analysis.
> 
> I now reproduced this on a test env.
> 
> I started with ovirt-system-tests basic suite deploy, made sure I
> can upload an image.
> 
> Then I followed the docs about replacing certs, using a temporarily-
> created CA for testing (using openssl, actually using a copy of the
> engine's pki scripts), including adding 99-custom-truststore.conf,
> imported the CA's cert to the browser, and:
> 
> 1. Connecting with the browser worked, all is green.
> 
> 2. Logged in, pressed "Disks -> Upload -> Start -> Test Connection",
> and it failed.
> 
> 3. Edited the ovirt-imageio-proxy conf to point key and cert to a
> key and cert I created and signed using my temp ca, restarted it,
> "Test Connection" worked.
> 
> 4. Actually uploading the image failed as you describe.
> 
> 5. Imported my CA's cert to /etc/pki/ovirt-engine/.truststore,
> using:
> 
> keytool -importcert -trustcacerts -keystore
> /etc/pki/ovirt-engine/.truststore -storepass mypass -file
> /etc/pki/ovirt-engine/apache-ca.pem
> 
> and restarted the engine, and then upload works.
> 
> Adding Martin and Nir.
> 
> 
> >
> > So, rather than point part of the engine at a separate trust store (as
> > the docs recommend), maybe just add the public CA to the engine's
> > existing trust store?
> 
> I admit I still didn't try to fully analyze this myself, but I tend
> to agree with you. Or rather: Our docs should probably support both
> options - tell the engine to trust (and use?) the system-wide store,
> or manually add a specific cert. Because I guess you can find people
> that will prefer either option.
> 
> >
> > However, while digging, I also noticed that now the engine is not
> > communicating with ovirt-provider-ovn, possibly due to a similar issue?
> > It is having the reverse problem; it rejects the engine's cert.
> 
> Didn't try this yet, adding Dominik.
> 


Please ensure that the configured certificates in
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
especially ovirt-ca-file, points to the expected files and restart
ovirt-provider-ovn.

If this does not solve the issue, please share
ovirt-provider-ovn.log.

> >
> > This is all on 4.2.8 BTW.
> 
> I personally tried this on:
> 
> ovirt-engine-4.3.0-0.8.master.20190122121624.git9a8a519.el7.noarch
> 
> I guess the behavior didn't change much between them.
> 
> Thanks for your debugging and report!
> 
> Best regards,
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/AKV4FL2B4CLZC6VQ3JUC3D55JRNULNHI/


[ovirt-users] Re: Use public-signed SSL certs?

2019-03-12 Thread Yedidyah Bar David
On Mon, Feb 4, 2019 at 1:21 PM Yedidyah Bar David  wrote:
>
> On Wed, Jan 30, 2019 at 10:28 PM Chris Adams  wrote:
> >
> > Digging a little deeper... if I add the Let's Encrypt CA to
> > /etc/pki/ovirt-engine/.truststore, imageio-proxy works (I can
> > successfully upload an ISO), so I guess the issue is that imageio-proxy
> > uses the same cert for web and engine communication and the engine
> > wasn't happy with the public-CA-signed cert.
>
> I think I agree with your analysis.
>
> I now reproduced this on a test env.
>
> I started with ovirt-system-tests basic suite deploy, made sure I
> can upload an image.
>
> Then I followed the docs about replacing certs, using a temporarily-
> created CA for testing (using openssl, actually using a copy of the
> engine's pki scripts), including adding 99-custom-truststore.conf,
> imported the CA's cert to the browser, and:
>
> 1. Connecting with the browser worked, all is green.
>
> 2. Logged in, pressed "Disks -> Upload -> Start -> Test Connection",
> and it failed.
>
> 3. Edited the ovirt-imageio-proxy conf to point key and cert to a
> key and cert I created and signed using my temp ca, restarted it,
> "Test Connection" worked.
>
> 4. Actually uploading the image failed as you describe.
>
> 5. Imported my CA's cert to /etc/pki/ovirt-engine/.truststore,
> using:
>
> keytool -importcert -trustcacerts -keystore
> /etc/pki/ovirt-engine/.truststore -storepass mypass -file
> /etc/pki/ovirt-engine/apache-ca.pem
>
> and restarted the engine, and then upload works.
>
> Adding Martin and Nir.
>
>
> >
> > So, rather than point part of the engine at a separate trust store (as
> > the docs recommend), maybe just add the public CA to the engine's
> > existing trust store?
>
> I admit I still didn't try to fully analyze this myself, but I tend
> to agree with you. Or rather: Our docs should probably support both
> options - tell the engine to trust (and use?) the system-wide store,
> or manually add a specific cert. Because I guess you can find people
> that will prefer either option.

Decided that only the first makes sense, opened this bug, should be
fixed in 4.3.2:

https://bugzilla.redhat.com/1687301

This is obviously just one step. The next will be:

https://bugzilla.redhat.com/show_bug.cgi?id=1637809

Then, hopefully, following the existing doc to use 3rd-party CA
will "just work" also for imageio.

BTW, of course you can also create another custom truststore
only for https access to the engine, and point
ENGINE_HTTPS_PKI_TRUST_STORE at it - but I wouldn't add this to
the docs before we have automated testing that makes sure this
does not break in the future.

Best regards,


>
> >
> > However, while digging, I also noticed that now the engine is not
> > communicating with ovirt-provider-ovn, possibly due to a similar issue?
> > It is having the reverse problem; it rejects the engine's cert.
>
> Didn't try this yet, adding Dominik.
>
> >
> > This is all on 4.2.8 BTW.
>
> I personally tried this on:
>
> ovirt-engine-4.3.0-0.8.master.20190122121624.git9a8a519.el7.noarch
>
> I guess the behavior didn't change much between them.
>
> Thanks for your debugging and report!
>
> Best regards,
> --
> Didi



--
Didi
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/JB2DV6MH6G3UUKSRSUYL4ASO4HJHKCDD/