On Thu, 1 Aug 2019 20:45:56 -0500 Chris Adams <c...@cmadams.net> wrote:
> I figured it out. When ovirt-provider-ovn attempts to connect back to > the engine via HTTPS, it tells the python requests module to use the > specified CA cert file... but that won't work with most 3rd-party certs > because they have an intermediate cert as well. It appears that the > requests module tries to validate both certs. > > Creating /etc/ovirt-provider-ovn/conf.d/99-custom-cert.conf that just > has: > > [OVIRT] > ovirt-ca-file= > > tells the module to use the regular system CA cert file(s), which works. Thanks for your investigation! Looks like the empty string is converted implicitly to Boolean in https://github.com/psf/requests/blob/75bdc998e2d430a35d869b2abf1779bd0d34890e/requests/adapters.py#L215 Because bool('') is False in python, the certificate should be checked at all. Would ovirt-ca-file=/etc/pki/tls/certs/ca-bundle.crt work for you? (It works for https://helloworld.letsencrypt.org) > This should probably be added to the oVirt doc for using a 3rd-party > cert. > > Once upon a time, Chris Adams <c...@cmadams.net> said: > > Circling back to an old email... > > > > Once upon a time, Yedidyah Bar David <d...@redhat.com> said: > > > On Wed, Jan 30, 2019 at 10:28 PM Chris Adams <c...@cmadams.net> wrote: > > > > However, while digging, I also noticed that now the engine is not > > > > communicating with ovirt-provider-ovn, possibly due to a similar issue? > > > > It is having the reverse problem; it rejects the engine's cert. > > > > > > Didn't try this yet, adding Dominik. > > > > Was anybody able to look at this? I had to use my dev hardware for > > something else for a bit, so re-installed with 4.3.5 yesterday. The > > imageio SSL cert issue looks good, but I still can't figure out the > > ovirt-provider-ovn CA usage. > > > > My little bit of digging seems to show that the engine connects to the > > provider and is using an SSL client cert, and that cert is signed by > > something... but I'm not sure what. I think the provider side is trying > > to validate with the following setting from > > /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf > > > > [OVIRT] > > ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem > > > > Following the general "3rd-party SSL", that is now the Let's Encrypt CA. > > I tried changing it to point to the original self-signed oVirt CA (same > > directory, just "ca.pem"), but that didn't work either. > > > > Any suggestions? > _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/BDVMCNCD7AHEBNFJ7QADJ7Y4ARNHQO3Y/