Re: [ovirt-devel] [missing_subjectAltName] in engine ca certificate?

Martin Perina Wed, 10 May 2017 04:06:50 -0700

On Wed, May 10, 2017 at 9:13 AM, Juan Hernández <[email protected]> wrote:


> On 05/10/2017 09:07 AM, Yaniv Kaul wrote:
> >
> >
> > On Wed, May 10, 2017 at 9:35 AM, Martin Perina <[email protected]
> > <mailto:[email protected]>> wrote:
> >
> >     Does this mean that we need to create new CA for all existing oVirt
> >     installations which are not using custom HTTPS certificate signed by
> >     external CA?
> >
> >
> > No, just a new certificate for Engine, I believe.
> > Y.
> >
>
> Probably not even for the engine, but just for the web server.
>

@Sandro/@Didi: do we

have some documentation how to create new engine HTTPS certificate signed
by oVirt internal CA with subjectAltName properly set?


> >
> >     On Sun, May 7, 2017 at 7:37 PM, Nir Soffer <[email protected]
> >     <mailto:[email protected]>> wrote:
> >
> >         On Sun, May 7, 2017 at 8:27 PM Dan Kenigsberg <[email protected]
> >         <mailto:[email protected]>> wrote:
> >
> >             On Sun, May 7, 2017 at 8:22 PM, Nir Soffer
> >             <[email protected] <mailto:[email protected]>> wrote:
> >             > I imported the certificate from my engine into chrome[1],
> >             but Chrome
> >             > refuses to use it because:
> >             >
> >             >     This server could not prove that it is ...; its
> security
> >             >     certificate is from [missing_subjectAltName].
> >             >
> >             > Same certificate used to work 2 weeks ago, looks like new
> >             Chrome
> >             > version changed the rules.
> >             >
> >             > Without importing engine CA, there is no way to upload
> images
> >             > via engine.
> >             >
> >             > Tested on engine 4.1.1 and 4.1.2 on Centos 7.3.
> >             >
> >             > Is this  known issue?
> >             >
> >             > [1] from
> >             >
> >             http://<engine_url>/ovirt-engine/services/pki-resource?
> resource=ca-certificate&format=X509-PEM-CA
> >             >
> >             > Nir
> >
> >             https://gerrit.ovirt.org/#/c/74614/
> >             <https://gerrit.ovirt.org/#/c/74614/>
> >
> >             "This patch is not yet working, but can be used for
> discussion."
> >
> >
> >         Thanks!
> >
> >         Do you know how to manually fix engine certificates until we
> >         have a working
> >         patch?
> >
> >         Nir
> >
> >         _______________________________________________
> >         Devel mailing list
> >         [email protected] <mailto:[email protected]>
> >         http://lists.ovirt.org/mailman/listinfo/devel
> >         <http://lists.ovirt.org/mailman/listinfo/devel>
> >
> >
> >
> >     _______________________________________________
> >     Devel mailing list
> >     [email protected] <mailto:[email protected]>
> >     http://lists.ovirt.org/mailman/listinfo/devel
> >     <http://lists.ovirt.org/mailman/listinfo/devel>
> >
> >
> >
> >
> > _______________________________________________
> > Devel mailing list
> > [email protected]
> > http://lists.ovirt.org/mailman/listinfo/devel
> >
>
>

_______________________________________________
Devel mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/devel

Re: [ovirt-devel] [missing_subjectAltName] in engine ca certificate?

Reply via email to