On Wed, May 10, 2017 at 2:06 PM, Martin Perina <mper...@redhat.com> wrote:
>
>
> On Wed, May 10, 2017 at 9:13 AM, Juan Hernández <jhern...@redhat.com> wrote:
>>
>> On 05/10/2017 09:07 AM, Yaniv Kaul wrote:
>> >
>> >
>> > On Wed, May 10, 2017 at 9:35 AM, Martin Perina <mper...@redhat.com> wrote:
>> >
>> > Does this mean that we need to create new CA for all existing oVirt
>> > installations which are not using custom HTTPS certificate signed by
>> > external CA?
>> >
>> >
>> > No, just a new certificate for Engine, I believe.
>> > Y.
>> >
>>
>> Probably not even for the engine, but just for the web server.
>
>
> @Sandro/@Didi: do we have some documentation how to create new engine HTTPS
> certificate signed by oVirt internal CA with subjectAltName properly set?

I don't think so, and didn't try that myself. Adding Dominik.

The doc will likely be a(n almost?) subset of bz 1420577.

I suggest to open a bug for this, and make 1449503 depend on it.

Also it might be not-very-hard to do by engine-setup instead of doc.
Perhaps open another bug for that if you want.

>
>>
>> >
>> > On Sun, May 7, 2017 at 7:37 PM, Nir Soffer <nsof...@redhat.com> wrote:
>> >
>> > On Sun, May 7, 2017 at 8:27 PM Dan Kenigsberg <dan...@redhat.com> wrote:
>> >
>> > On Sun, May 7, 2017 at 8:22 PM, Nir Soffer <nsof...@redhat.com> wrote:
>> > > I imported the certificate from my engine into chrome[1], but Chrome
>> > > refuses to use it because:
>> > >
>> > > This server could not prove that it is ...; its security
>> > > certificate is from [missing_subjectAltName].
>> > >
>> > > Same certificate used to work 2 weeks ago, looks like new Chrome
>> > > version changed the rules.
>> > >
>> > > Without importing engine CA, there is no way to upload images
>> > > via engine.
>> > >
>> > > Tested on engine 4.1.1 and 4.1.2 on Centos 7.3.
>> > >
>> > > Is this known issue?
>> > >
>> > > [1] from
>> > > http://<engine_url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
>> > >
>> > > Nir
>> >
>> > https://gerrit.ovirt.org/#/c/74614/
>> >
>> > "This patch is not yet working, but can be used for discussion."
>> >
>> >
>> > Thanks!
>> >
>> > Do you know how to manually fix engine certificates until we have a
>> > working patch?
>> >
>> > Nir
>> >
>> > _______________________________________________
>> > Devel mailing list
>> > Devel@ovirt.org
>> > http://lists.ovirt.org/mailman/listinfo/devel
>> >

-- 
Didi
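
The rejection reported in the thread comes from a client that matches the host name against subjectAltName only, with no fallback to the Common Name. As an added example (not from the thread or from the oVirt project), the shell functions below apply that rule to a certificate using openssl; the host names are constructed, and `make_cert`, `san_dns_names` and `san_matches` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread; host names used with it are constructed.

# Build a throwaway self-signed certificate for CN=$2 in directory $1.
# $3 is an optional subjectAltName value; empty gives a CN-only certificate.
make_cert() {
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\n'
        [ -z "$3" ] || printf 'x509_extensions = ext\n'
        printf '[dn]\nCN = %s\n' "$2"
        [ -z "$3" ] || printf '[ext]\nsubjectAltName = %s\n' "$3"
    } > "$1/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Print the DNS entries of the subjectAltName extension, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n 1 | tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# san_matches CERT HOST: 0 = a SAN DNS entry covers HOST, 1 = SAN present but
# no entry matches, 2 = no SAN DNS entries (the CN is deliberately ignored).
san_matches() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    names=$(san_dns_names "$1" | tr 'A-Z' 'a-z')
    [ -n "$names" ] || return 2
    while IFS= read -r name; do
        if [ "$name" = "$host" ]; then return 0; fi
        case "$name" in
            \*.*)   # a wildcard stands for exactly one left-most label
                if [ "$host" != "${host#*.}" ] &&
                   [ "${host#*.}" = "${name#\*.}" ]; then
                    return 0
                fi ;;
        esac
    done <<EOF
$names
EOF
    return 1
}
```

The extension is parsed directly because `openssl x509 -checkhost` can accept a match on the Common Name when the certificate carries no SAN DNS entries, which would hide exactly the condition being checked here.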