On 2018-06-18 02:46, Yedidyah Bar David wrote:
On Mon, Jun 18, 2018 at 9:19 AM, Tomas Jelinek <tjeli...@redhat.com> wrote:
On Mon, Jun 18, 2018 at 8:01 AM, Yedidyah Bar David <d...@redhat.com> wrote:
On Sun, Jun 17, 2018 at 6:11 PM, John Florian <jflor...@doubledog.org>
wrote:
I followed the docs at
https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/ and
all
works well from the usual web portal. Went to test moVirt and ran into
a
snag. It wants to download the CA using
http://fqdn/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA,
I never tried movirt, but the user's guide [1] says it can import
user-supplied certs, so you can supply your own CA's cert, no?
correct, you can supply your own certificate, movirt just by default grabs
the one which is provided by engine at:
http://fqdn/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
@Ravi: is it correct that after you provide your own CA that the
http://fqdn/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
is still pointing to the old one?
Yes - check this:
https://ovirt.org/develop/release-management/features/infra/pki/#services
It does not have a resource "apache-certificate" or anything like that.
The assumption is that user that changes httpd's conf to use a 3rd-party CA,
is in control of it, not the engine - so the engine can't handle it. This is
even if the user followed the documentation, because in principle, the user
can do other things - e.g. point SSLCACertificateFile at a different file
instead of replacing the content of the existing apache-ca.pem (which defaults
to a symlink to ca.pem, which _is_ controlled by the engine (as in "we do not
have any documentation about how to replace it, and doing that will break many
flows").
Okay, this is what threw me. The docs are written in such a way that I
never touch httpd's conf, as if maybe I am not supposed to do that. The
docs have me change the target of a symlink and do other swaps and
avoids touching the conf, be it intentional or not. I may have inferred
too much based on the approach. So my presumption was that the API
should/might continue doing what it did before in providing the correct
CA certificate. It would be nice if it did, because entering URLs on a
phone is not my idea of fun and the moVirt feature to go fetch this
directly is really handy.
So, in my case where Puppet is co-managing my Engine, I take it that it
would be acceptable for me to manage httpd's ssl.conf file?
Anyway, patches (to either that web page or movirt, or both) are most
welcome!
Best regards,
[1] https://github.com/oVirt/moVirt/wiki/User%27s-guide
but that's grabbing the old CA issued by the engine rather than my
custom
CA. What else needs to be changed? I'm sure I can finagle my way to a
fix
here by telling moVirt to use a custom URL or file, but this looks like
a
bug in the docs that would probably best be fixed.
--
John Florian
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/2DUNW4Y24HW4S5K4VGLIZRVR2K7BF37Z/
--
Didi
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/EXKTGCRWIYIGLWFVMWOHBDLAZCEGIOJG/
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/BP74SDAVQNA7IJVKAWYHFCNHWOEQYITQ/
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/KI3ZYUOEYKHMXHRA3ZBPEFEO46JIRHDK/
