[ovirt-users] Re: PKIX path error

2020-06-11 Thread Stack Korora
On 2020-06-02 06:16, Martin Perina wrote:
> Hi,
>
> could you please restart ovirt-engine service and share server.log and
> engine.log from /var/log/ovirt-engine ?


Greetings Martin,

Thank you for the response. Sorry it took a while, I had a family issue
come up and had to road-trip 10 hours away for a few days.

An update on the status, we were also struggling with an unrelated
hardware problem. The new NVMe drives were giving my coworkers and
myself issues on 7. My coworker tried CentOS8 just to see what happened,
and it worked flawlessly. So we _just_ rebuilt the whole thing: CentOS8
+ oVirt 4.4. We figured we might as well attempt to future-proof this
install a little bit while it is still in the "build" stage. :-)

One of my goals today is to get SSL and LDAP working on the fresh
install. If I have issues, I will post back.

Thank you again!

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/3X2KFSZBY337N56T2YBWSHA7YDG3UXKU/


[ovirt-users] Re: PKIX path error

2020-06-02 Thread Martin Perina
Hi,

could you please restart ovirt-engine service and share server.log and
engine.log from /var/log/ovirt-engine ?

Thanks,
Martin


On Fri, May 29, 2020 at 4:36 PM Stack Korora wrote:

> On 2020-05-29 08:08, Martin Perina wrote:
>
> > Hi Stack,
> >
> > if I understand correctly your custom SSL certificates are working
> > correctly and you are able to login to webadmin using admin@internal,
> > right?
>
> Correct.
>
> > If the problem is, that your aaa-ldap profile is not visible in the login
> > dialog, then there is some issue with aaa-ldap configuration. You have
> > mentioned that you used ovirt-engine-extension-aaa-ldap-setup tool to
> > create your aaa-ldap profile, have you executed login and search operation
> > at the end of setup tool? If so, were they successful?
>
> I did and yes they were.
>
> > Anyway right you can use following command to debug your aaa extensions
> > setup:
> >
> > # ovirt-engine-extensions-tool info list-extensions
> >
> > Using above command, could you see authn and authz instance of your
> > aaa-ldap profile?
>
> I do see both authz and authn.
>
> > If so, please try below tests:
> >
> > 1. Checking if user search is working:
> >
> > # ovirt-engine-extensions-tool aaa search --extension-name= AUTHZ NAME> --entity-name=
>
> It does work and it returns valid information.
>
> > 2. Checking if login is working
> >
> > # ovirt-engine-extensions-tool aaa login-user --profile= NAME> --user-name=
>
> A result=SUCCESS on that too!
> However, I still don't see a second profile option on the web login.
>
> Thanks for responding and giving me some help!
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/TZ2LJCHYYTKLG6BHJVDNB5TWZLD4TOMY/


[ovirt-users] Re: PKIX path error

2020-05-29 Thread Stack Korora
On 2020-05-29 07:03, Strahil Nikolov via Users wrote:
> You mentioned that your certificates were different. Did you try converting
> them to the type used in the example?

Yeah. So I will walk through the steps. Since I don't have a p12 format,
the directions say "proceed to Replacing the Red Hat Virtualization
Manager Apache SSL Certificate". Well, that isn't right. :-)

Instead I skipped to "Replacing the oVirt Engine Apache SSL Certificate"

I converted mine to PEM and did step #1 and I included not just my cert
but the full chain. No issues there.

I replaced the PEM per #2 and #3. Then backed up per #4.

Step #5 & #6 require steps from the first section I skipped above. So I
did those. If I do those steps exactly, I will get SSL errors about
untrusted cert. However, if I add (>> vs >) to the original (which I
backed up) then all the SSL errors go away. That was with
apache.key.nopass and apache.cer.

The rest of the steps I followed exactly.

Not sure if that helps point out what I did wrong. Thanks for replying!

List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/5G27DGSCSFUJSQ7233WQ4ETH4EM32GLA/


[ovirt-users] Re: PKIX path error

2020-05-29 Thread Stack Korora
On 2020-05-29 08:08, Martin Perina wrote:
> Hi Stack,
>
> if I understand correctly your custom SSL certificates are working
> correctly and you are able to login to webadmin using admin@internal,
> right?

Correct.

> If the problem is, that your aaa-ldap profile is not visible in the
> login dialog, then there is some issue with aaa-ldap configuration.
> You have mentioned that you used ovirt-engine-extension-aaa-ldap-setup
> tool to create your aaa-ldap profile, have you executed login and
> search operation at the end of setup tool? If so, were they successful?

I did and yes they were.

>
> Anyway right you can use following command to debug your aaa
> extensions setup:
>
> # ovirt-engine-extensions-tool info list-extensions
>
> Using above command, could you see authn and authz instance of your
> aaa-ldap profile?

I do see both authz and authn.

> If so, please try below tests:
>
> 1. Checking if user search is working:
>
> # ovirt-engine-extensions-tool aaa search --extension-name= PROFILE AUTHZ NAME> --entity-name=

It does work and it returns valid information.

> 2. Checking if login is working
>
> # ovirt-engine-extensions-tool aaa login-user --profile= NAME> --user-name=
>
A result=SUCCESS on that too!
However, I still don't see a second profile option on the web login.

Thanks for responding and giving me some help!

List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/C2QPG6OPMUHW2IQJO2QDA3GB74DPWVYZ/


[ovirt-users] Re: PKIX path error

2020-05-29 Thread Martin Perina
Hi Stack,

if I understand correctly your custom SSL certificates are working
correctly and you are able to login to webadmin using admin@internal, right?

If the problem is, that your aaa-ldap profile is not visible in the login
dialog, then there is some issue with aaa-ldap configuration. You have
mentioned that you used ovirt-engine-extension-aaa-ldap-setup tool to
create your aaa-ldap profile, have you executed login and search operation
at the end of setup tool? If so, were they successful?

Anyway right you can use following command to debug your aaa extensions
setup:

# ovirt-engine-extensions-tool info list-extensions

Using above command, could you see authn and authz instance of your
aaa-ldap profile?
If so, please try below tests:

1. Checking if user search is working:

# ovirt-engine-extensions-tool aaa search --extension-name= --entity-name=

2. Checking if login is working

# ovirt-engine-extensions-tool aaa login-user --profile= --user-name=


You can find more information in:
https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles.html
https://www.ovirt.org/develop/release-management/features/infra/extension-tester-tool.html

Regards,
Martin


On Fri, May 29, 2020 at 9:32 AM Strahil Nikolov via Users wrote:

> You mentioned that your certificates were different. Did you try
> converting them to the type used in the example?
>
> Best Regards,
> Strahil Nikolov
>
> On 29 May 2020 at 1:29:51 GMT+03:00, Stack Korora wrote:
> >On 2020-05-28 16:07, Strahil Nikolov wrote:
> >> Can you check
> >> https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html
> >> just in case you missed a step?
> >>
> >> Best Regards,
> >> Strahil Nikolov
> >
> >Greetings,
> >
> >Thanks for replying.
> >
> >I was going to argue a bit since the way my certs come are in different
> >formats so my commands are a bit different than the directions. But I
> >went through step by step. Got to the end, and the internal
> >authentication was working with the right SSL cert! My LDAP
> >authentication was missing though...it looks correct.
> >
> >So I redid all the steps for adding LDAP. At the end of the
> >ovirt-engine-extension-aaa-ldap-setup script, I can test accounts and
> >search so I know that is correct. My cert is in the right .jks file.
> >Still nothing I do shows anything but internal.
> >
> >So I scrapped the changes and started over. Round three on a fresh
> >reboot (just in case I missed a service) with the SSL certs and
> >configuring LDAP. SSL works, internal works, ldap doesn't show up as a
> >drop-down option for the profile.
> >
> >Grr...Reboot just in case I missed a service again...nope. SSL and
> >internal work, ldap still not shown in the profile. Tried a different
> >browser, same thing. Double Grr...
> >
> >Any suggestions on where I might be going wrong?
> >
> >Thanks!
> >
> >
> >
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/3FFDYEN67WNWBWPVUHUB6IZEDT5GWD6U/


[ovirt-users] Re: PKIX path error

2020-05-29 Thread Strahil Nikolov via Users
You mentioned that your certificates were different. Did you try converting
them to the type used in the example?

Best Regards,
Strahil Nikolov

On 29 May 2020 at 1:29:51 GMT+03:00, Stack Korora wrote:
>On 2020-05-28 16:07, Strahil Nikolov wrote:
>> Can you check
>> https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html
>> just in case you missed a step?
>>
>> Best Regards,
>> Strahil Nikolov
>
>Greetings,
>
>Thanks for replying.
>
>I was going to argue a bit since the way my certs come are in different
>formats so my commands are a bit different than the directions. But I
>went through step by step. Got to the end, and the internal
>authentication was working with the right SSL cert! My LDAP
>authentication was missing though...it looks correct.
>
>So I redid all the steps for adding LDAP. At the end of the
>ovirt-engine-extension-aaa-ldap-setup script, I can test accounts and
>search so I know that is correct. My cert is in the right .jks file.
>Still nothing I do shows anything but internal.
>
>So I scrapped the changes and started over. Round three on a fresh
>reboot (just in case I missed a service) with the SSL certs and
>configuring LDAP. SSL works, internal works, ldap doesn't show up as a
>drop-down option for the profile.
>
>Grr...Reboot just in case I missed a service again...nope. SSL and
>internal work, ldap still not shown in the profile. Tried a different
>browser, same thing. Double Grr...
>
>Any suggestions on where I might be going wrong?
>
>Thanks!
>
>
>
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/5ANRX472AJLRXMZBEDPF2QH5UG23GWQP/


[ovirt-users] Re: PKIX path error

2020-05-28 Thread Stack Korora
On 2020-05-28 16:07, Strahil Nikolov wrote:
> Can you check
> https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html just
> in case you missed a step?
>
> Best Regards,
> Strahil Nikolov

Greetings,

Thanks for replying.

I was going to argue a bit since the way my certs come are in different
formats so my commands are a bit different than the directions. But I
went through step by step. Got to the end, and the internal
authentication was working with the right SSL cert! My LDAP
authentication was missing though...it looks correct.

So I redid all the steps for adding LDAP. At the end of the
ovirt-engine-extension-aaa-ldap-setup script, I can test accounts and
search so I know that is correct. My cert is in the right .jks file.
Still nothing I do shows anything but internal.

So I scrapped the changes and started over. Round three on a fresh
reboot (just in case I missed a service) with the SSL certs and
configuring LDAP. SSL works, internal works, ldap doesn't show up as a
drop-down option for the profile.

Grr...Reboot just in case I missed a service again...nope. SSL and
internal work, ldap still not shown in the profile. Tried a different
browser, same thing. Double Grr...

Any suggestions on where I might be going wrong?

Thanks!



List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/A4BKWITWPNPYYVLDVRN4XOSDTN4LPNB3/


[ovirt-users] Re: PKIX path error

2020-05-28 Thread Strahil Nikolov via Users
Can you check
https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html just
in case you missed a step?

Best Regards,
Strahil Nikolov

On 27 May 2020 at 23:10:53 GMT+03:00, Stack Korora wrote:
>Greetings,
>I have a running oVirt install that's been working for almost 2 years.
>I'm building a _completely_ new install. I mention it because it is
>useful for me to compare configurations when I run into issues like
>this one.
>
>Right now there are three physical hosts:
>1x management where I run the engine and db
>2x hypervisor nodes.
>
>I had it up and installed and running smooth this morning on
>4.3.9.4-1.el7 on Scientific Linux 7.8 (fully patched).
>
>I copied over our 3rd party certs from the running system and restarted
>httpd. Perfect. SSL is running!
>/etc/pki/ovirt-engine/apache-ca.pem
>/etc/pki/ovirt-engine/certs/apache.cer
>/etc/pki/ovirt-engine/keys/apache.key.nopass
>
>Next I used ovirt-engine-extension-aaa-ldap-setup to point to our ldap
>server. I did the login and search test and both passed on the command
>line! Hooray!
>
>Then I went to the web interface...
>
>sun.security.validator.ValidatorException: PKIX path building failed:
>sun.security.provider.certpath.SunCertPathBuilderException: unable to
>find valid certification path to requested target
>
>I'm digging through logs and I don't see anything close to this error
>except nearly the identical message in engine.log.
>
>ERROR [org.ovirt.engine.core.aaa.servlet.SslPostLoginServlet] (default
>task-2) [] server_error: sun.security.validator.ValidatorException:
>PKIX path building failed:
>sun.security.provider.certpath.SunCertPathBuilderException: unable to
>find valid certification path to requested target
>
>I can't log in via the web at all, I only get that message (so I can't
>even test out the local admin). The aaa ldap configuration it generated
>is darn near perfectly identical (just a name change). The certs are
>the same. Even when I look in the keystore, the sha1 hashes are the
>same between the two environments!
>
>After over an hour poking at this, I'm completely stumped.
>
>Can someone please give me a pointer on what I should try next?
>
>Thanks!
>~Stack~
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/23P3SRYRF2JXPLMSRRR3H5EED4427DCG/
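
The "PKIX path building failed ... unable to find valid certification path to requested target" error quoted in the message above is what Java's certificate validator reports when it cannot link the presented certificate to a root in its trust store. The following is an added example, not part of the thread and not oVirt's own tooling: it uses `openssl verify` as a stand-in for that validator (an assumption) on a constructed root/intermediate/server chain, and shows which trust-store contents allow a path to be built.

```shell
#!/bin/sh
# Added example: every key and certificate here is throwaway test material
# generated on the spot; the demo-* names are assumptions, not oVirt files.

# Create root CA -> intermediate CA -> server certificate inside directory $1.
make_demo_pki() {
    d=$1
    printf '[ca]\nbasicConstraints=critical,CA:TRUE\n[leaf]\nbasicConstraints=CA:FALSE\n' \
        > "$d/ext.cnf"
    for n in root inter server; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -subj "/CN=demo-$n" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ext.cnf" -extensions ca -out "$d/root.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ext.cnf" -extensions ca \
        -out "$d/inter.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 3 -days 2 -extfile "$d/ext.cnf" -extensions leaf \
        -out "$d/server.pem" 2>/dev/null
}

# chain_ok TRUST LEAF [INTERMEDIATES]
# Succeeds only if LEAF can be linked to a root in the TRUST bundle.
# INTERMEDIATES models extra certificates the server sends with its own.
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Run the three cases and report them on one line.
demo() {
    t=$(mktemp -d) || return 1
    make_demo_pki "$t" || { rm -rf "$t"; return 1; }
    cat "$t/root.pem" "$t/inter.pem" > "$t/bundle.pem"
    # Trust store holds only the root and the server sends no intermediate.
    chain_ok "$t/root.pem" "$t/server.pem" && a=ok || a=FAIL
    # Same trust store, but the server sends the intermediate along.
    chain_ok "$t/root.pem" "$t/server.pem" "$t/inter.pem" && b=ok || b=FAIL
    # Trust store itself holds root and intermediate.
    chain_ok "$t/bundle.pem" "$t/server.pem" && c=ok || c=FAIL
    rm -rf "$t"
    echo "root-only=$a root+sent-intermediate=$b full-bundle=$c"
}

demo
```

The same `chain_ok` check can be pointed at a real CA bundle and server certificate in PEM form to see whether a complete path exists before the files are installed.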