Seems that all services (imageio, ovn, web socket) are fine after following the above and importing the new self-signed CA certificate. I did also run engine-setup as I was trying to fix the imageio cert issue, though it seems that was only fixed after importing the CA cert at the browser, and engine-setup might not be needed.
On Wed, Nov 18, 2020 at 3:07 PM Alex K <rightkickt...@gmail.com> wrote:
> Seems I had a typo at /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf.
> I will repeat the test to verify that all services are functional following this process.
>
> On Wed, Nov 18, 2020 at 10:24 AM Alex K <rightkickt...@gmail.com> wrote:
>
>> Hi all,
>>
>> I am trying to replace the ovirt certificate at ovirt 4.3 following this:
>>
>> https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.3/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl
>>
>> I am doing the following:
>> I have engine FQDN: manager.lab.local
>>
>> 1. Create root CA private key:
>> openssl genrsa -des3 -out root.key 2048
>>
>> 2. Generate root certificate: (enter passphrase of root key)
>> openssl req -x509 -new -nodes -key root.key -sha256 -days 3650 -out root.pem
>> cp root.pem /tmp
>>
>> 3. Create key and CSR for engine:
>> openssl genrsa -out manager.lab.local.key 2048
>> openssl req -new -out manager.lab.local.csr -key manager.lab.local.key
>>
>> 4. Generate a certificate for engine and sign with the root CA key:
>>
>> openssl x509 -req -in manager.lab.local.csr \
>>   -CA root.pem \
>>   -CAkey root.key \
>>   -CAcreateserial \
>>   -out manager.lab.local.crt \
>>   -days 3650 \
>>   -sha256 \
>>   -extensions v3_req
>>
>> 5. Verify the trust chain and check the certificate details:
>> openssl verify -CAfile root.pem manager.lab.local.crt
>> openssl x509 -text -noout -in manager.lab.local.crt | head -15
>>
>> 6. Generate a P12 container: (with empty password)
>> openssl pkcs12 -export -out /tmp/apache.p12 \
>>   -inkey manager.lab.local.key \
>>   -in manager.lab.local.crt
>>
>> 8. Export key and cert:
>> openssl pkcs12 -in apache.p12 -nocerts -nodes > /tmp/apache.key
>> openssl pkcs12 -in apache.p12 -nokeys > /tmp/apache.cer
>>
>> From the above steps we should have the following:
>>
>> /tmp/root.pem
>> /tmp/apache.p12
>> /tmp/apache.key
>> /tmp/apache.cer
>>
>> 9. Place the certificates:
>> hosted-engine --set-maintenance --mode=global
>> cp -p /etc/pki/ovirt-engine/keys/apache.p12 /tmp/apache.p12.bck
>> cp /tmp/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12
>> cp /tmp/root.pem /etc/pki/ca-trust/source/anchors
>> update-ca-trust
>> rm /etc/pki/ovirt-engine/apache-ca.pem
>> cp /tmp/root.pem /etc/pki/ovirt-engine/apache-ca.pem
>>
>> Backup existing key and cert:
>> cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.bck
>> cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.bck
>> cp /tmp/apache.key /etc/pki/ovirt-engine/keys/apache.key.nopass
>> cp /tmp/apache.cer /etc/pki/ovirt-engine/certs/apache.cer
>> chown root:ovirt /etc/pki/ovirt-engine/keys/apache.key.nopass
>> chmod 640 /etc/pki/ovirt-engine/keys/apache.key.nopass
>> systemctl restart httpd.service
>>
>> 10. Create a new trust store configuration file:
>> vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
>>
>> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
>> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
>>
>> 11. Edit /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf:
>> vi /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>
>> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
>> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>
>> 12. Edit /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf:
>> vi /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
>>
>> # Key file for SSL connections
>> ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
>> # Certificate file for SSL connections
>> ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer
>>
>> 13. Import the certificate at the system-wide java trust store:
>>
>> update-ca-trust extract
>> keytool -list -alias ovirt -keystore /etc/pki/java/cacerts
>>
>> 14. Restart services:
>> systemctl restart httpd.service
>> systemctl restart ovirt-provider-ovn.service
>> systemctl restart ovirt-imageio-proxy
>> systemctl restart ovirt-websocket-proxy
>> systemctl restart ovirt-engine.service
>>
>> Following the above I get at engine GUI:
>>
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>> valid certification path to requested target
>>
>> I have tried also to run engine-setup in case it could fix anything (it renewed the cert due to missing subjectAltName), and the above error still persists.
>> I have tried several other suggestions from similar issues reported at this list without any luck.
>> I have run out of ideas. Am I missing anything?
>> Thanx for any suggestions.
>> Alex
>>
>
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/Q6Z7JGNNUPQWW2U7JKW2CULL3EEEOXPU/
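The certificate-generation half of the procedure quoted above (steps 1 to 8), as an added, self-contained example; this is not code from the thread or from the oVirt project. It uses its own openssl config file rather than the system openssl.cnf, and it issues the engine certificate with a subjectAltName, because `openssl x509 -req -extensions v3_req` only takes effect together with `-extfile`: without it openssl adds no extensions at all, which is the kind of certificate engine-setup later replaces as lacking a SAN. A `noext` mode reproduces that bare signing so the SAN check can be seen failing on it. The function names, the working directory argument, the CA name "lab root CA" and the FQDN manager.lab.local are placeholders chosen here; the root key is written unencrypted so the script runs non-interactively, unlike the `-des3` key in the post. Requires the openssl CLI (1.1.1 or 3.x); copying the resulting files into /etc/pki/ovirt-engine is left to the steps in the post.

```shell
#!/bin/sh
# Added example (not from the post or the oVirt project): private root CA,
# server cert with subjectAltName, chain/SAN checks, then the apache.p12,
# apache.key.nopass and apache.cer files the procedure above installs.
# Needs the openssl CLI (1.1.1 or 3.x); DIR and manager.lab.local are placeholders.
set -eu
# write_cnf DIR FQDN: self-contained openssl config (no dependence on the
# system openssl.cnf). v3_ca is for the root, v3_req for the server cert.
write_cnf() {
    mkdir -p "$1"
    cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$2
EOF
}

# make_ca DIR: 2048-bit root key and 10-year self-signed CA. The post
# protects root.key with -des3; omitted here so the script is non-interactive.
make_ca() {
    openssl genrsa -out "$1/root.key" 2048
    chmod 600 "$1/root.key"
    openssl req -x509 -new -config "$1/openssl.cnf" -key "$1/root.key" \
        -subj "/CN=lab root CA" -sha256 -days 3650 -extensions v3_ca -out "$1/root.pem"
}

# make_csr DIR FQDN: server key and CSR for the engine FQDN.
make_csr() {
    openssl genrsa -out "$1/server.key" 2048
    openssl req -new -config "$1/openssl.cnf" -key "$1/server.key" -subj "/CN=$2" -out "$1/server.csr"
}

# sign_csr DIR MODE. extfile: sign with the v3_req section (SAN included).
# noext: exactly step 4 of the post, -extensions v3_req without -extfile,
# which openssl ignores, so the cert gets no extensions and no SAN.
sign_csr() {
    case $2 in
        extfile) ext="-extfile $1/openssl.cnf -extensions v3_req" ;;
        noext)   ext="-extensions v3_req" ;;
        *) echo "sign_csr: MODE must be extfile or noext" >&2; return 2 ;;
    esac
    # $ext is unquoted on purpose: it expands to several separate options.
    openssl x509 -req -in "$1/server.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 3650 -sha256 $ext -out "$1/server.crt"
}

# verify_chain DIR: step 5 of the post; 0 only if server.crt chains to root.pem.
verify_chain() {
    openssl verify -CAfile "$1/root.pem" "$1/server.crt" >/dev/null
}

# has_san DIR FQDN: 0 if server.crt lists DNS:FQDN in subjectAltName.
has_san() {
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2"
}

# export_p12 DIR: steps 6 and 8 of the post with the empty password passed
# explicitly, producing the three files copied into /etc/pki/ovirt-engine.
export_p12() {
    openssl pkcs12 -export -out "$1/apache.p12" -inkey "$1/server.key" -in "$1/server.crt" -passout pass:
    openssl pkcs12 -in "$1/apache.p12" -nocerts -nodes -passin pass: -out "$1/apache.key.nopass"
    openssl pkcs12 -in "$1/apache.p12" -nokeys -passin pass: -out "$1/apache.cer"
}

# key_matches_cert DIR: exported key and cert share a modulus, so httpd is
# not handed a key that belongs to a different certificate.
key_matches_cert() {
    k=$(openssl rsa -in "$1/apache.key.nopass" -noout -modulus)
    c=$(openssl x509 -in "$1/apache.cer" -noout -modulus)
    [ "$k" = "$c" ]
}

# main DIR FQDN: whole pipeline; refuses to export if the SAN is missing.
main() {
    write_cnf "$1" "$2"
    make_ca "$1"
    make_csr "$1" "$2"
    sign_csr "$1" extfile
    verify_chain "$1"
    has_san "$1" "$2" || { echo "no SAN for $2 in server.crt" >&2; return 1; }
    export_p12 "$1"
    key_matches_cert "$1"
    echo "ok: apache.p12, apache.key.nopass, apache.cer in $1"
}
# Usage: sh custom-ca.sh /tmp/lab-ca manager.lab.local
if [ $# -eq 2 ]; then main "$1" "$2"; fi
```

Run it as `sh custom-ca.sh /tmp/lab-ca manager.lab.local` and then continue with step 9 of the post using the files in /tmp/lab-ca. The point of `has_san` sitting before `export_p12` is that the chain check alone (step 5) passes for a certificate with no SAN, so only the SAN check tells you whether the certificate is one engine-setup will accept.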