On Wed, Nov 2, 2016 at 10:49 PM, Beckman, Daniel <daniel.beck...@ingramcontent.com> wrote:
> Thanks very much for the detailed instructions! I was able to upgrade from
> 3.6.7 to 4.0.4 successfully. Here are some additional notes for those (like
> me) who were already using a custom HTTPS certificate in 3.6:
>
> On step #3 “b” -- mv YOUR-3RD-PART-CERT.p12 /etc/pki/ovirt-engine/keys/apache.p12 – I didn’t need to perform this as the
> file was already there from my previous 3.6 configuration; setup had not
> removed it.
>
> On step #4 – extracting private key and certificate – I didn’t need to
> perform this either; existing files were left intact from version 3.6.
>
> Restarting Apache and oVirt service was not enough to bring up the web admin
> portal in my case. I had to reboot the server running oVirt engine, after
> which the web admin portal was accessible.
>
> I recommend backing up /etc/pki in addition to /etc/ovirt-engine prior to
> running setup.
Thanks a lot for the report! Perhaps you'd like to push a patch to github to update the following page?

http://www.ovirt.org/develop/release-management/features/infra/pki/

Best regards,

> Best,
> Daniel
>
> From: <users-boun...@ovirt.org> on behalf of Martin Perina <mper...@redhat.com>
> Date: Tuesday, November 1, 2016 at 6:29 AM
> To: Kenneth Bingham <w...@qrk.us>
> Cc: users <users@ovirt.org>
> Subject: Re: [ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4
>
> On Tue, Nov 1, 2016 at 11:49 AM, Martin Perina <mper...@redhat.com> wrote:
>
> So first of all, we don't support replacing oVirt internal CA which is used
> to sign host certificates. This internal CA is also used to sign HTTPS
> certificate by default, but you can provide your own HTTPS certificate
> signed by custom CA. The correct steps how to do that are (assuming you have
> your custom CA certificate in PEM format and HTTPS certificate along with
> private key in PKCS12 format):
>
> 1. Add your commercially issued certificate to the host-wide trust store.
>
> cp YOUR-3RD-PARTY-CA-CERT.pem /etc/pki/ca-trust/source/anchors
> update-ca-trust
>
> 2. Remove Apache CA link pointing to oVirt internal
>
> rm /etc/pki/ovirt-engine/apache-ca.pem
>
> 3. Install your custom certificate (including complete certificate chain)
>
> mv YOUR-3RD-PARTY-CA-CERT.pem /etc/pki/ovirt-engine/apache-ca.pem
> mv YOUR-3RD-PART-CERT.p12 /etc/pki/ovirt-engine/keys/apache.p12
>
> The above command was missing in original steps, thanks Didi for pointing
> this out.
>
> 4. Extract private key and certificate
>
> openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
> openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /etc/pki/ovirt-engine/certs/apache.cer
>
> 5. Restart Apache
>
> service httpd restart
>
> 6. Create a new trust store configuration file.
> vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
>
> Add the following content and save the file.
>
> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
>
> 7. Restart the ovirt-engine service.
>
> systemctl restart ovirt-engine.service
>
> Steps 1., 6. and 7. are new to 4.0, other steps are same as in oVirt 3.x
>
> Also it's expected that CA certificate (including whole CA chain) is
> properly installed in all clients that access oVirt using HTTP and/or Spice.
>
> Martin Perina
>
> On Thu, Oct 27, 2016 at 10:38 PM, Kenneth Bingham <w...@qrk.us> wrote:
>
> That makes sense, but it is also disappointing to realize that oVirt Manager
> will only trust certificates that itself has issued, and that there is no
> support for Manager to trust VDSM server certificates issued by another
> authority.
>
> If I understand you correctly, then the *only* way to install a VDSM host
> certificate is by registering with Manager at which time a certificate is
> automatically issued and installed by Manager's built-in certificate
> authority.
>
> On Thu, Oct 27, 2016 at 3:27 PM Ravi Nori <rn...@redhat.com> wrote:
>
> Since you replace ca.pem you need to replace the private key of ca.pem
>
> Please copy the private key of /etc/pki/ovirt-engine/ca.pem to
> /etc/pki/ovirt-engine/private/ca.pem and let me know if everything works
>
> On Thu, Oct 27, 2016 at 2:47 PM, Kenneth Bingham <w...@qrk.us> wrote:
>
> Thanks Ravi, that's helpful and I appreciate the precision and attention to
> detail. I performed similar steps to install a custom certificate for the
> oVirt Manager GUI. But what about configuring ovirt-engine to trust a
> certificate issued by the same CA and presented by the VDSM host? On the
> hypervisor host, I used the existing private key to generate the CSR, issued
> the server certificate, and installed it in three locations before bouncing
> vdsmd.
>
> On the hypervisor Host server (not the Manager/engine server):
>
> /etc/pki/vdsm/certs/vdsmcert.pem
> /etc/pki/vdsm/libvirt-spice/server-cert.pem
> /etc/pki/libvirt/clientcert.pem
>
> Now, that host is "non responsive" in Manager because ovirt-engine does not
> trust the new certificate even though I already performed all of the steps
> that you describe above except that I installed the issuer's CA certificate
> as the trusted entity. I've documented all of the steps I took in this Gist.
>
> On Thu, Oct 27, 2016 at 2:12 PM Ravi Nori <rn...@redhat.com> wrote:
>
> Here is a complete set of instructions that works for me
>
> You can skip the first few steps of generating the certificate.
>
> Ravi
>
> Generate a self-signed certificate using openssl
> ======================================
> openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.pem
>
> Convert a PEM certificate file and a private key to PKCS#12 (.p12)
> =====================================================
> openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.pem
>
> Extract the key from the bundle
> =========================
> openssl pkcs12 -in certificate.p12 -nocerts -nodes > apache.key.nopass
>
> Extract the certificate from the bundle
> ==============================
> openssl pkcs12 -in certificate.p12 -nokeys > apache.cer
>
> Create a new Keystore for testing
> ==========================
> keytool -keystore clientkeystore -genkey -alias client
>
> Convert .pem to .der
> ================
> openssl x509 -outform der -in certificate.pem -out certificate.der
>
> Import certificates to keystore
> =======================
> keytool -import -alias apache -keystore ./clientkeystore -file ./certificate.der
>
> Create Custom conf for ovirt
> ======================
> vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
>
> Set location of truststore and its password
> =================================
> ENGINE_HTTPS_PKI_TRUST_STORE="/home/rnori/Downloads/Cert/clientkeystore"
> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="123456"
>
> Copy the custom certificates
> ======================
> rm /etc/pki/ovirt-engine/apache-ca.pem
> cp certificate.pem /etc/pki/ovirt-engine/apache-ca.pem
> cp certificate.p12 /etc/pki/ovirt-engine/keys/apache.p12
> cp apache.cer /etc/pki/ovirt-engine/certs/apache.cer
> cp apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass
>
> Restart engine and httpd
> ===================
> service httpd restart
> service ovirt-engine restart
>
> On Thu, Oct 27, 2016 at 5:30 AM, Nicolas Ecarnot <nico...@ecarnot.net> wrote:
>
> On 27/10/2016 at 00:14, Kenneth Bingham wrote:
>
> I did install a server certificate from a private CA on the engine
> server for the oVirt 4 Manager GUI, but haven't figured out how to
> configure engine to trust the same CA which also issued the server
> certificate presented by vdsm. This is important for us because this is
> the same server certificate presented by the host when using the console
> (e.g. websocket console fails silently if the user agent doesn't trust
> the console server's certificate).
>
> Hello,
>
> Maybe related bug: on an oVirt 4, I followed the same procedure below to
> install a custom CA, with *SUCCESS*.
>
> Today, I had to reinstall one of the hosts, and it is failing with:
> "CA certificate and CA private key do not match":
>
> http://pastebin.com/9JS05JtJ
>
> Which certificate did we (Kenneth and I) misuse?
> What did we do wrong?
>
> Regards,
>
> Nicolas ECARNOT
>
> On Wed, Oct 26, 2016, 16:58 Beckman, Daniel <daniel.beck...@ingramcontent.com> wrote:
>
> We have oVirt 3.6.7 and I am preparing to upgrade to 4.0.4 release.
> I read the release notes (https://www.ovirt.org/release/4.0.4/) and
> noted comment #4 under “Install / Upgrade from previous version”:
>
> /If you are using HTTPS certificate signed by custom certificate
> authority, please take a look at https://bugzilla.redhat.com/1336838
> for steps which need to be done after migration to 4.0. Also please
> consult https://bugzilla.redhat.com/1313379 how to setup this custom
> CA for use with virt-viewer clients./
>
> So I referred to the first bugzilla
> (https://bugzilla.redhat.com/show_bug.cgi?id=1336838), where it
> states as follows:
>
> If customer wants to use custom HTTPS certificate signed by
> different CA, then he has to perform following steps:
>
> 1. Install custom CA (that signed HTTPS certificate) into host wide
> truststore (more info can be found in update-ca-trust man page)
>
> 2. Configure HTTPS certificate in Apache (this step is same as in
> previous versions)
>
> 3. Create new configuration file (for example
> /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf) with
> following content:
>
> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
>
> 4. Restart ovirt-engine service
>
> I find it humorous that step # 1 suggests reading the “man page”
> which is only slightly better than suggesting to “google” it.
>
> Has anyone using a custom CA for their HTTPS certificate
> successfully upgraded to oVirt 4? If so could you share your
> detailed steps? Or can anyone point me to an actual example of this
> procedure? I’m a little nervous about the upgrade if you can’t
> already tell.
>
> Thanks,
> Daniel
>
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
> --
> Nicolas ECARNOT

--
Didi
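The thread above walks through the custom-certificate steps (steps 2 to 4 of Martin's list) and then shows two ways the result can go wrong: Nicolas's "CA certificate and CA private key do not match" and Kenneth's host that engine refuses to trust. The script below is an added example written for this page; it is not part of oVirt and not code from anyone in the thread. It assumes only the file names used in the steps above (apache-ca.pem, keys/apache.p12, keys/apache.key.nopass, certs/apache.cer under a PKI directory that defaults to /etc/pki/ovirt-engine), a working `openssl`, and a Linux/BSD-style `ls -l` output. It performs the step 4 extraction with the key written mode 0600, then checks, before any service restart, that the certificate and key belong together, that the certificate verifies against the CA bundle installed as apache-ca.pem, that apache-ca.pem is no longer the symlink to the internal CA removed in step 2, and that the passphrase-less key is not world-readable. The PKCS#12 password argument is an assumption; pass an empty string for a bundle without one.

```shell
#!/bin/sh
# Added example, not oVirt tooling: pre-flight checks for a custom Apache
# certificate laid out like /etc/pki/ovirt-engine (assumed layout, see above).
# Usage: sh check-apache-pki.sh /etc/pki/ovirt-engine

# Returns 0 when the certificate and the private key carry the same RSA public
# key. A mismatch here is the condition behind "certificate and private key do
# not match" errors.
cert_key_match() {
    local cert="$1" key="$2" cmod kmod
    cmod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) || return 1
    kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 1
    [ -n "$cmod" ] && [ "$cmod" = "$kmod" ]
}

# Returns 0 when certificate $1 verifies against the CA bundle $2
# (apache-ca.pem must hold the complete chain, as step 3 above says).
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Step 4 above: unpack keys/apache.p12 into the files Apache reads.
# $1 = PKI directory, $2 = PKCS#12 password ("" if the bundle has none).
# umask 077 keeps the passphrase-less key private (mode 0600).
extract_from_p12() {
    local dir="$1" pass="${2:-}"
    ( umask 077
      openssl pkcs12 -in "$dir/keys/apache.p12" -nocerts -nodes -passin "pass:$pass" \
          -out "$dir/keys/apache.key.nopass" 2>/dev/null &&
      openssl pkcs12 -in "$dir/keys/apache.p12" -nokeys -passin "pass:$pass" \
          -out "$dir/certs/apache.cer" 2>/dev/null )
}

# Runs every check against a PKI directory; prints one line per check and
# returns 0 only when all of them pass.
check_apache_pki() {
    local dir="$1" rc=0 f
    local cer="$dir/certs/apache.cer" key="$dir/keys/apache.key.nopass" ca="$dir/apache-ca.pem"
    for f in "$cer" "$key" "$ca"; do
        [ -s "$f" ] || { echo "MISSING: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    # Step 2 above removed the link to the internal CA; a symlink left here
    # means apache-ca.pem still points at the oVirt internal CA.
    if [ -L "$ca" ]; then echo "FAIL: $ca is a symlink, not your custom CA bundle"; rc=1; fi
    if cert_key_match "$cer" "$key"; then echo "OK: apache.cer matches apache.key.nopass"
    else echo "FAIL: apache.cer and apache.key.nopass do not match"; rc=1; fi
    if cert_chains_to_ca "$cer" "$ca"; then echo "OK: apache.cer verifies against apache-ca.pem"
    else echo "FAIL: apache.cer does not verify against apache-ca.pem"; rc=1; fi
    # Group/other permission bits of "ls -l" must all be "-" for the key.
    if [ "$(ls -ld "$key" | cut -c5-10)" = "------" ]; then echo "OK: $key is private"
    else echo "FAIL: $key is readable by group/others (chmod 600 it)"; rc=1; fi
    return "$rc"
}

# Stand-alone run: an explicit directory argument is required, so that
# sourcing this file executes nothing.
if [ -n "${1:-}" ]; then
    check_apache_pki "$1"
    exit $?
fi
```

Run it as `sh check-apache-pki.sh /etc/pki/ovirt-engine` after step 4 and before `service httpd restart`; a FAIL on the match check is the Apache-side analogue of the CA key mismatch Nicolas hit, and a FAIL on the chain check means the bundle in apache-ca.pem is not the issuer of apache.cer, which is also what engine will conclude when it reads the host-wide trust store.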