[ https://ovirt-jira.atlassian.net/browse/OVIRT-2809?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=39885#comment-39885 ]

Evgheni Dereveanchin commented on OVIRT-2809:
---------------------------------------------

The error in engine.log seems to point to a certificate mismatch when engine 
connects to the proxy:

2019-10-04 05:37:45,533-04 ERROR [org.ovirt.engine.core.bll.storage.disk.image.TransferDiskImageCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-48) [b643d084-99fb-4105-86c9-1e87b60349b6] Failed to add image ticket to ovirt-imageio-proxy: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


The following software versions are currently installed:
ovirt-engine-4.3.5.4-1.el7.noarch
ovirt-imageio-proxy-1.5.1-0.el7.noarch


/etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf contains the standard values:


use_ssl = true 
ssl_key_file = /etc/pki/ovirt-engine/keys/imageio-proxy.key.nopass 
ssl_cert_file = /etc/pki/ovirt-engine/certs/imageio-proxy.cer 
engine_cert_file = /etc/pki/ovirt-engine/certs/engine.cer 
engine_ca_cert_file = /etc/pki/ovirt-engine/ca.pem 
verify_certificate = true


On engine side, /etc/ovirt-engine/engine.conf.d/10-setup-pki.conf also looks 
standard:

ENGINE_PKI="/etc/pki/ovirt-engine" 
ENGINE_PKI_CA="/etc/pki/ovirt-engine/ca.pem" 
ENGINE_PKI_ENGINE_CERT="/etc/pki/ovirt-engine/certs/engine.cer" 
ENGINE_PKI_TRUST_STORE="/etc/pki/ovirt-engine/.truststore" 
ENGINE_PKI_ENGINE_STORE="/etc/pki/ovirt-engine/keys/engine.p12"


I also see that /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf has 
the following override:

ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"

We use Let’s Encrypt on the Apache front-end and this may be the reason as this 
step is described in the docs:

https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl



I did have a certificate mismatch on the proxy itself, so configuring 
ssl_key_file and ssl_cert_file values according to the docs may help in 
this situation.

> imageio not working in PHX
> --------------------------
>
>                 Key: OVIRT-2809
>                 URL: https://ovirt-jira.atlassian.net/browse/OVIRT-2809
>             Project: oVirt - virtualization made easy
>          Issue Type: Bug
>            Reporter: Evgheni Dereveanchin
>            Assignee: infra
>
> I tried to import an image into the PHX oVirt instance and this fails with a 
> "paused by system" message in UI. Logging a ticket to see if it's a bug in 
> oVirt or a misconfiguration in our particular deployment



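Added example, not part of the original comment or of oVirt's own code: a small resolver that merges the engine.conf.d fragments quoted above and reports which trust store the engine ends up using for HTTPS peers, and which file set it. It assumes fragments are applied in sorted file-name order with later files winning, that `${VAR}` references are expanded, and that without an override the HTTPS store defaults to ENGINE_PKI_TRUST_STORE; the inputs are constructed copies of the quoted settings.

```python
import re

# Constructed inputs: the settings quoted in the comment, keyed by file name.
ENGINE_CONF_D = {
    "10-setup-pki.conf": 'ENGINE_PKI="/etc/pki/ovirt-engine"\n'
                         'ENGINE_PKI_TRUST_STORE="/etc/pki/ovirt-engine/.truststore"\n',
    "99-custom-truststore.conf": 'ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"\n',
}
PROXY_CONF = ("use_ssl = true\n"
              "ssl_cert_file = /etc/pki/ovirt-engine/certs/imageio-proxy.cer\n"
              "verify_certificate = true\n")

# Matches KEY="value" and key = value; comment and section lines do not match.
LINE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?(.*?)"?\s*$')

def parse(text):
    """Return {key: value} for every assignment line in a config text."""
    return {m.group(1): m.group(2)
            for m in map(LINE.match, text.splitlines()) if m}

def effective(conf_d):
    """Merge fragments in sorted name order (later wins); track the source file."""
    values, source = {}, {}
    for name in sorted(conf_d):
        for key, raw in parse(conf_d[name]).items():
            # Expand ${VAR} against values defined so far (assumed syntax).
            values[key] = re.sub(r"\$\{(\w+)\}",
                                 lambda m: values.get(m.group(1), ""), raw)
            source[key] = name
    return values, source

def trust_report(conf_d, proxy_conf):
    """Report the effective HTTPS trust store and the certificate the proxy serves."""
    values, source = effective(conf_d)
    internal = values.get("ENGINE_PKI_TRUST_STORE")
    # Assumption: with no override, the HTTPS store is the engine PKI store.
    https = values.get("ENGINE_HTTPS_PKI_TRUST_STORE", internal)
    return {
        "https_trust_store": https,
        "set_by": source.get("ENGINE_HTTPS_PKI_TRUST_STORE",
                             source.get("ENGINE_PKI_TRUST_STORE")),
        "overridden": https != internal,
        "proxy_cert": parse(proxy_conf).get("ssl_cert_file"),
    }

if __name__ == "__main__":
    r = trust_report(ENGINE_CONF_D, PROXY_CONF)
    print(f"HTTPS trust store: {r['https_trust_store']} (set by {r['set_by']})")
    if r["overridden"]:
        print(f"check that {r['proxy_cert']} chains to a CA in that store")
```

The report only resolves configuration; whether the proxy certificate actually chains to a CA in the reported store still has to be checked against the certificate and store themselves.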