On Fri, Oct 4, 2019 at 3:34 PM Evgheni Dereveanchin (oVirt JIRA) <[email protected]> wrote:
>
>
> [ https://ovirt-jira.atlassian.net/browse/OVIRT-2809?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=39885#comment-39885 ]
>
> Evgheni Dereveanchin edited comment on OVIRT-2809 at 10/4/19 12:33 PM:
> -----------------------------------------------------------------------
>
> The error in engine.log seems to point to a certificate mismatch when engine
> connects to the proxy:
>
> 2019-10-04 05:37:45,533-04 ERROR
> [org.ovirt.engine.core.bll.storage.disk.image.TransferDiskImageCommand]
> (EE-ManagedThreadFactory-engineScheduled-Thread-48)
> [b643d084-99fb-4105-86c9-1e87b60349b6] Failed to add image ticket to
> ovirt-imageio-proxy: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>
>
> The following software versions are currently installed:
> ovirt-engine-4.3.5.4-1.el7.noarch
> ovirt-imageio-proxy-1.5.1-0.el7.noarch
>
>
> /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf contains the standard
> values:
>
>
> use_ssl = true
> ssl_key_file = /etc/pki/ovirt-engine/keys/imageio-proxy.key.nopass
> ssl_cert_file = /etc/pki/ovirt-engine/certs/imageio-proxy.cer
> engine_cert_file = /etc/pki/ovirt-engine/certs/engine.cer
> engine_ca_cert_file = /etc/pki/ovirt-engine/ca.pem
> verify_certificate = true
>
>
> On engine side, /etc/ovirt-engine/engine.conf.d/10-setup-pki.conf also looks
> standard:
>
> ENGINE_PKI="/etc/pki/ovirt-engine"
> ENGINE_PKI_CA="/etc/pki/ovirt-engine/ca.pem"
> ENGINE_PKI_ENGINE_CERT="/etc/pki/ovirt-engine/certs/engine.cer"
> ENGINE_PKI_TRUST_STORE="/etc/pki/ovirt-engine/.truststore"
> ENGINE_PKI_ENGINE_STORE="/etc/pki/ovirt-engine/keys/engine.p12"
>
>
> I also see that /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf has
> the following override:
>
> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
>
> We use Let’s Encrypt on the Apache front-end and this may be the reason as
> this step is described in the docs:
>
> https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html
>
> https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl
>
>
>
> I did have a certificate mismatch on the proxy itself so configuring
> {{ssl_key_file and ssl_cert_file}} values according to the docs may help in
> this situation.

Indeed. Or try to upgrade to 4.3.6, engine-setup should do that for you:

https://bugzilla.redhat.com/show_bug.cgi?id=1637809

Please ping me if needed.

Good luck and best regards,

>
> > imageio not working in PHX
> > --------------------------
> >
> > Key: OVIRT-2809
> > URL: https://ovirt-jira.atlassian.net/browse/OVIRT-2809
> > Project: oVirt - virtualization made easy
> > Issue Type: Bug
> > Reporter: Evgheni Dereveanchin
> > Assignee: infra
> >
> > I tried to import an image into the PHX oVirt instance and this fails with
> > a "paused by system" message in UI. Logging a ticket to see if it's a bug
> > in oVirt or a misconfiguration in our particular deployment
>
>
>
> --
> This message was sent by Atlassian Jira
> (v1001.0.0-SNAPSHOT#100111)
> _______________________________________________
> Infra mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/[email protected]/message/WRZGLRTL43SDLM3FVTAZ4ZJ57XXHAV23/

--
Didi

List Archives:
https://lists.ovirt.org/archives/list/[email protected]/message/LTZKEDEXS7BO7QWCTTPUUGYQ23LHNYIU/
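
The two certificate questions raised in this thread (does the proxy certificate chain to a CA in the trust store the client uses, and does the configured key belong to the configured certificate) can each be checked with openssl. The script below is an added example, not part of the original messages or of oVirt: it runs on a constructed throw-away PKI, and the names `proxy.example.test`, `internal-ca.pem` and `public-ca.pem` and the helper functions are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example on a constructed throw-away PKI (not the deployment's files).

# Exit 0 if CERT chains to a CA in the PEM bundle CA_BUNDLE.
# openssl may also consult its compiled-in default CA directory.
cert_trusted_by() {    # usage: cert_trusted_by CERT CA_BUNDLE
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Exit 0 if private key KEY belongs to certificate CERT (same public key).
key_matches_cert() {   # usage: key_matches_cert KEY CERT
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed sample data in DIR: two unrelated self-signed CAs ("internal",
# "public") and a proxy certificate signed by the internal one only.
make_demo_pki() {
    local d=$1 ca
    for ca in internal public; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=constructed ${ca} CA" \
            -keyout "$d/${ca}-ca.key" -out "$d/${ca}-ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=proxy.example.test" \
        -keyout "$d/proxy.key" -out "$d/proxy.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/proxy.csr" -days 1 -CAcreateserial \
        -CA "$d/internal-ca.pem" -CAkey "$d/internal-ca.key" \
        -out "$d/proxy.cer" 2>/dev/null
}

report() {             # usage: report LABEL COMMAND [ARGS...]
    local label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

d=$(mktemp -d)
make_demo_pki "$d"
report "proxy cert chains to internal CA" cert_trusted_by "$d/proxy.cer" "$d/internal-ca.pem"
report "proxy cert chains to public CA"   cert_trusted_by "$d/proxy.cer" "$d/public-ca.pem"
report "proxy key matches proxy cert"     key_matches_cert "$d/proxy.key" "$d/proxy.cer"
report "foreign key matches proxy cert"   key_matches_cert "$d/public-ca.key" "$d/proxy.cer"
rm -rf "$d"
```

The second and fourth checks report FAIL by design: a certificate signed by one CA does not validate against a bundle that holds only an unrelated CA, which is the condition a "PKIX path building failed" error describes. The functions take PEM files, so a Java keystore would first need its certificates exported to PEM.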
