Shame about the way the CA works; may be worth putting a reverse proxy in front, as unsigned SSL can be a deal breaker.

Anyway, my vdsm.log is here: http://www.fpaste.org/72643/98338713/

When it's "Still waiting for VDSM host to become operational..", there is no output in vdsm.log.

On Wed, Jan 29, 2014 at 6:11 PM, Yedidyah Bar David <d...@redhat.com> wrote:
> From: "Yedidyah Bar David" <d...@redhat.com>
> To: "Andrew Lau" <and...@andrewklau.com>
> Cc: "users" <users@ovirt.org>
> Sent: Wednesday, January 29, 2014 9:05:06 AM
> Subject: Re: [Users] Hosted Engine adding host SSL Failure (w/ engine custom cert)
>
> > From: "Andrew Lau" <and...@andrewklau.com>
> > To: "users" <users@ovirt.org>
> > Sent: Wednesday, January 29, 2014 8:38:33 AM
> > Subject: [Users] Hosted Engine adding host SSL Failure (w/ engine custom cert)
> >
> > Hi,
> >
> > After running through the new patch posted in BZ 1055153 I'm adding a second host to the hosted-engine cluster, but it seems to fail right before the finish:
> >
> > [ ERROR ] Failed to execute stage 'Closing up': [ERROR]::oVirt API connection failure, [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >
> > A couple of extra notes:
> > The engine has a custom SSL cert, but the CA has been trusted by the new host.
> > When I temporarily return the engine's SSL back to the default generated one, the install will succeed.
> >
> > Setup logs: http://www.fpaste.org/72624/13909770/
> >
> > What confuses me is:
> >
> > curl https://engine.example.net with the custom SSL cert will succeed, but with the original self-signed cert it gives the expected "insecure" message. What criteria need to be met so the install will pass?
>
> Seems like a bug (or a missing feature) - hosted-engine only supports the self-signed cert. Can you please open a bug for this?
>
> You might manage to make it work by replacing /etc/pki/ovirt-engine/ca.pem with the certificate of your CA, but this will prevent adding hosts (because it's needed to create a certificate for them). Perhaps other things will break too; I didn't try that.
>
> On a second thought, I don't think it will work. The engine will still sign certs for hosts with its private key, but the hosts will try to verify that with the ca.pem you put there and fail.
> --
> Didi
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
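The two trust failures discussed in the thread can be reproduced offline with throwaway CAs. The script below is an added example, not code from the thread or from oVirt: it builds an "engine-ca" (a stand-in for /etc/pki/ovirt-engine/ca.pem) and a "custom-ca" (the admin's own CA that issued the engine's HTTPS certificate), then checks each leaf certificate against each CA with `openssl verify`, which walks the same chain that Python's ssl module rejected in the "certificate verify failed" error above. It assumes openssl(1) 1.1.1 or newer is installed; every CA name, hostname and subject is made up.

```shell
#!/bin/sh
# Added example, not code from the thread or from oVirt. Builds two throwaway CAs
# in a temp dir to model the trust relationships discussed in the thread:
#   engine-ca : stand-in for the engine's own CA (/etc/pki/ovirt-engine/ca.pem)
#   custom-ca : the admin's corporate CA that issued the engine's custom HTTPS cert
# Assumes openssl(1) 1.1.1 or newer. All names, hostnames and subjects are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the self-signed roots carry CA:TRUE regardless of the
# distribution's default openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME SUBJECT: self-signed root written to $WORK/NAME.pem and NAME.key
make_ca() {
    openssl req -x509 -config "$WORK/ca.cnf" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 2 \
        -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert CA NAME SUBJECT: leaf certificate for NAME signed by CA's key
issue_cert() {
    openssl req -new -config "$WORK/ca.cnf" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -out "$WORK/$2.pem" 2>/dev/null
}

# verifies CA LEAF: exit 0 if LEAF chains to CA, non-zero otherwise. This is the
# chain check a TLS client performs against its trust store (here: one CA file).
verifies() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

report() {
    if verifies "$1" "$2"; then echo "OK    $2.pem verifies against $1.pem"
    else                      echo "FAIL  $2.pem does not verify against $1.pem"; fi
}

make_ca    engine-ca "/CN=engine-ca (stand-in for ovirt-engine ca.pem)"
make_ca    custom-ca "/CN=Custom corporate CA (made up)"
issue_cert custom-ca engine-https "/CN=engine.example.net"   # the engine's custom HTTPS cert
issue_cert engine-ca host1        "/CN=host1.example.net"    # cert the engine issues to a host

report engine-ca engine-https   # deploy trusts only ca.pem            -> FAIL (the error in the thread)
report custom-ca engine-https   # curl on a host that trusts custom CA -> OK   (why curl succeeds)
report custom-ca host1          # ca.pem replaced by the custom CA     -> FAIL (Didi's second thought)
report engine-ca host1          # ca.pem left alone                    -> OK
```

The first and third checks are the two failure modes from the thread: the host-deploy client trusts only the engine's own CA, so an HTTPS certificate from any other CA fails verification, and swapping ca.pem for the custom CA breaks verification of the host certificates the engine keeps signing with its own key. The reverse proxy suggested above avoids both by leaving the engine's own certificate and CA untouched and terminating the custom certificate in front of it; what it cannot change is that the engine itself still presents the self-signed certificate to clients that bypass the proxy.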