Re: [ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4

2016-11-05 Thread Kenneth Bingham
Do I understand correctly? This procedure allows the oVirt administrator to
install for the Manager HTTP UI a server certificate issued by an authority
other than the built-in certificate authority that is always created when
Manager is installed. It is not possible to also install for VDSM or the
console server a server certificate that is issued by such an external
certificate authority. Only certificates issued by the built-in authority
may be bound to the VDSM and console services, and so it is necessary to
import the signing certificate of that built-in authority into the admin's
browser trust store before connecting to the console server (e.g., novnc
websocket console).

If that is correct then I will propose that we make it more convenient to
obtain the signing cert in the browser and whether it might be possible to
at least install an externally issued server certificate for the console
service so that the explicit trust of Manager's built-in CA is unnecessary.


On Thu, Nov 3, 2016 at 2:09 AM Yedidyah Bar David <d...@redhat.com> wrote:

> On Wed, Nov 2, 2016 at 10:49 PM, Beckman, Daniel
> <daniel.beck...@ingramcontent.com> wrote:
> > Thanks very much for the detailed instructions! I was able to upgrade
> from
> > 3.6.7 to 4.0.4 successfully. Here are some additional notes for those
> (like
> > me) who were already using a custom HTTPS certificate in 3.6:
> >
> >
> >
> > On step #3 “b” -- mv YOUR-3RD-PART-CERT.p12
> > /etc/pki/ovirt-engine/keys/apache.p12 – I didn’t need to perform this as
> the
> > file was already there from my previous 3.6 configuration; setup had not
> > removed it.
> >
> >
> >
> > On step #4 – extracting private key and certificate – I didn’t need to
> > perform this either; existing files were left intact from version 3.6.
> >
> >
> >
> > Restarting Apache and oVirt service was not enough to bring up the web
> admin
> > portal in my case. I had to reboot the server running oVirt engine, after
> > which the web admin portal was accessible.
> >
> >
> >
> > I recommend backing up /etc/pki in addition to /etc/ovirt-engine prior to
> > running setup.
>
> Thanks a lot for the report!
>
> Perhaps you'd like to push a patch to github to update the following page?
>
> http://www.ovirt.org/develop/release-management/features/infra/pki/
>
> Best regards,
>
> >
> >
> >
> > Best,
> >
> > Daniel

Re: [ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4

2016-11-03 Thread Yedidyah Bar David
On Wed, Nov 2, 2016 at 10:49 PM, Beckman, Daniel
<daniel.beck...@ingramcontent.com> wrote:
> Thanks very much for the detailed instructions! I was able to upgrade from
> 3.6.7 to 4.0.4 successfully. Here are some additional notes for those (like
> me) who were already using a custom HTTPS certificate in 3.6:
>
>
>
> On step #3 “b” -- mv YOUR-3RD-PART-CERT.p12
> /etc/pki/ovirt-engine/keys/apache.p12 – I didn’t need to perform this as the
> file was already there from my previous 3.6 configuration; setup had not
> removed it.
>
>
>
> On step #4 – extracting private key and certificate – I didn’t need to
> perform this either; existing files were left intact from version 3.6.
>
>
>
> Restarting Apache and oVirt service was not enough to bring up the web admin
> portal in my case. I had to reboot the server running oVirt engine, after
> which the web admin portal was accessible.
>
>
>
> I recommend backing up /etc/pki in addition to /etc/ovirt-engine prior to
> running setup.

Thanks a lot for the report!

Perhaps you'd like to push a patch to github to update the following page?

http://www.ovirt.org/develop/release-management/features/infra/pki/

Best regards,

>
>
>
> Best,
>
> Daniel

Re: [ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4

2016-11-01 Thread Martin Perina
On Tue, Nov 1, 2016 at 11:49 AM, Martin Perina wrote:

> So first of all, we don't support replacing oVirt internal CA which is
> used to sign host certificates. This internal CA is also used to sign HTTPS
> certificate by default, but you can provide your own HTTPS certificate
> signed by custom CA. The correct steps how to do that are (assuming you
> have your custom CA certificate in PEM format and HTTPS certificate along
> with private key in PKCS12 format):
>
> 1.  Add your commercially issued certificate to the host-wide trust store.
>cp YOUR-3RD-PARTY-CA-CERT.pem /etc/pki/ca-trust/source/anchors
>update-ca-trust
>
> 2. Remove Apache CA link pointing to oVirt internal
>rm /etc/pki/ovirt-engine/apache-ca.pem
>
> 3. Install your custom certificate (including complete certificate chain)
>mv YOUR-3RD-PARTY-CA-CERT.pem /etc/pki/ovirt-engine/apache-ca.pem
>

  mv YOUR-3RD-PART-CERT.p12 /etc/pki/ovirt-engine/keys/apache.p12

The above command was missing in the original steps, thanks Didi for pointing
this out.


>
> 4. Extract private key and certificate
>
>
> openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
>
> openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /etc/pki/ovirt-engine/certs/apache.cer
>
> 5. Restart Apache
>   service httpd restart
>
> 6. Create a new trust store configuration file.
>   vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
>
>Add the following content and save the file.
>
>   ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
>   ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
>
> 7. Restart the ovirt-engine service.
>   systemctl restart ovirt-engine.service
>
>
> Steps 1., 6. and 7. are new to 4.0, other steps are same as in oVirt 3.x
>
> Also it's expected that CA certificate (including whole CA chain) is
> properly installed in all clients that access oVirt using HTTP and/or
> Spice.
>
> Martin Perina

Re: [ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4

2016-11-01 Thread Martin Perina
So first of all, we don't support replacing oVirt internal CA which is used
to sign host certificates. This internal CA is also used to sign HTTPS
certificate by default, but you can provide your own HTTPS certificate
signed by custom CA. The correct steps how to do that are (assuming you
have your custom CA certificate in PEM format and HTTPS certificate along
with private key in PKCS12 format):

1.  Add your commercially issued certificate to the host-wide trust store.
   cp YOUR-3RD-PARTY-CA-CERT.pem /etc/pki/ca-trust/source/anchors
   update-ca-trust

2. Remove Apache CA link pointing to oVirt internal
   rm /etc/pki/ovirt-engine/apache-ca.pem

3. Install your custom certificate (including complete certificate chain)
   mv YOUR-3RD-PARTY-CA-CERT.pem /etc/pki/ovirt-engine/apache-ca.pem

4. Extract private key and certificate

   openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
   openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /etc/pki/ovirt-engine/certs/apache.cer

5. Restart Apache
   service httpd restart

6. Create a new trust store configuration file.
  vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf

   Add the following content and save the file.

  ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
  ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""

7. Restart the ovirt-engine service.
  systemctl restart ovirt-engine.service


Steps 1., 6. and 7. are new to 4.0, other steps are same as in oVirt 3.x

Also it's expected that CA certificate (including whole CA chain) is
properly installed in all clients that access oVirt using HTTP and/or
Spice.

Martin Perina


Re: [ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4

2016-10-27 Thread Kenneth Bingham
That makes sense, but it is also disappointing to realize that oVirt
Manager will only trust certificates that itself has issued, and that there
is no support for Manager to trust VDSM server certificates issued by
another authority.

If I understand you correctly, then the *only* way to install a VDSM host
certificate is by registering with Manager at which time a certificate is
automatically issued and installed by Manager's built-in certificate
authority.


On Thu, Oct 27, 2016 at 3:27 PM Ravi Nori wrote:

Since you replace ca.pem you need to replace the private key of ca.pem

Please copy the private key of /etc/pki/ovirt-engine/ca.pem to
/etc/pki/ovirt-engine/private/ca.pem and let me know if everything works


Re: [ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4

2016-10-27 Thread Ravi Nori
Since you replace ca.pem you need to replace the private key of ca.pem

Please copy the private key of /etc/pki/ovirt-engine/ca.pem to
/etc/pki/ovirt-engine/private/ca.pem and let me know if everything works

On Thu, Oct 27, 2016 at 2:47 PM, Kenneth Bingham wrote:

>
> Thanks Ravi, that's helpful and I appreciate the precision and attention
> to detail. I performed similar steps to install a custom certificate for
> the oVirt Manager GUI. But what about configuring ovirt-engine to trust a
> certificate issued by the same CA and presented by the VDSM host? On the
> hypervisor host, I used the existing private key to generate the CSR,
> issued the server certificate, and installed in three locations before
> bouncing vdsmd.
>
> On the hypervisor Host server (not the Manager/engine server):
> /etc/pki/vdsm/certs/vdsmcert.pem
> /etc/pki/vdsm/libvirt-spice/server-cert.pem
> /etc/pki/libvirt/clientcert.pem
>
> Now, that host is "non responsive" in Manager because ovirt-engine does
> not trust the new certificate even though I already performed all of the
> steps that you describe above except that I installed the issuer's CA
> certificate as the trusted entity. I've documented all of the steps I took in
> this Gist.

Re: [ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4

2016-10-27 Thread Kenneth Bingham
Thanks Ravi, that's helpful and I appreciate the precision and attention to
detail. I performed similar steps to install a custom certificate for the
oVirt Manager GUI. But what about configuring ovirt-engine to trust a
certificate issued by the same CA and presented by the VDSM host? On the
hypervisor host, I used the existing private key to generate the CSR,
issued the server certificate, and installed in three locations before
bouncing vdsmd.

On the hypervisor Host server (not the Manager/engine server):
/etc/pki/vdsm/certs/vdsmcert.pem
/etc/pki/vdsm/libvirt-spice/server-cert.pem
/etc/pki/libvirt/clientcert.pem

Now, that host is "non responsive" in Manager because ovirt-engine does not
trust the new certificate even though I already performed all of the steps
that you describe above except that I installed the issuer's CA certificate
as the trusted entity. I've documented all of the steps I took in this Gist.



On Thu, Oct 27, 2016 at 2:12 PM Ravi Nori wrote:

> Here is a complete set of instructions that works for me
>
> You can skip the first few steps of generating the certificate.
>
> Ravi
>
>
> Generate a self-signed certificate using openssl
> ==
> openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout
> privateKey.key -out certificate.pem
>
> Convert a PEM certificate file and a private key to PKCS#12 (.p12)
> =
> openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in
> certificate.pem
>
> Extract the key from the bundle
> =
> openssl pkcs12 -in  certificate.p12 -nocerts -nodes > apache.key.nopass
>
> Extract the certificate from the bundle
> ==
> openssl pkcs12 -in certificate.p12 -nokeys > apache.cer
>
> Create a new Keystore for testing
> ==
> keytool -keystore clientkeystore -genkey -alias client
>
> Convert .pem to .der
> 
> openssl x509 -outform der -in certificate.pem -out certificate.der
>
> Import certificates to keystore
> ===
> keytool -import -alias apache -keystore ./clientkeystore -file
> ./certificate.der
>
> Create Custom conf for ovirt
> ==
> vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
>
> Set location of truststore and its password
> =
> ENGINE_HTTPS_PKI_TRUST_STORE="/home/rnori/Downloads/Cert/clientkeystore"
> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="123456"
>
> Copy the custom certificates
> ==
> rm /etc/pki/ovirt-engine/apache-ca.pem
> cp certificate.pem /etc/pki/ovirt-engine/apache-ca.pem
> cp certificate.p12 /etc/pki/ovirt-engine/keys/apache.p12
> cp apache.cer /etc/pki/ovirt-engine/certs/apache.cer
> cp apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass
>
> Restart engine and httpd
> ===
> service httpd restart
> service ovirt-engine restart
>
> On Thu, Oct 27, 2016 at 5:30 AM, Nicolas Ecarnot wrote:
>
> On 27/10/2016 at 00:14, Kenneth Bingham wrote:
>
> I did install a server certificate from a private CA on the engine
> server for the oVirt 4 Manager GUI, but haven't figured out how to
> configure engine to trust the same CA which also issued the server
> certificate presented by vdsm. This is important for us because this is
> the same server certificate presented by the host when using the console
> (e.g. websocket console falls silently if the user agent doesn't trust
> the console server's certificate).
>
>
> Hello,
>
> Maybe related bug: on an oVirt 4, I followed the same procedure below to
> install a custom CA, with *SUCCESS*.
>
> Today, I had to reinstall one of the hosts, and it is failing with:
> "CA certificate and CA private key do not match":
>
> http://pastebin.com/9JS05JtJ
>
> Which certificate did we (Kenneth and I) misuse?
> What did we do wrong?
>
> Regards,
>
> Nicolas ECARNOT
>
>
>
> On Wed, Oct 26, 2016, 16:58 Beckman, Daniel wrote:
>
> We have oVirt 3.6.7 and I am preparing to upgrade to 4.0.4 release.
> I read the release notes (https://www.ovirt.org/release/4.0.4/) and
> noted comment #4 under “Install / Upgrade from previous version”:
>
>
> /If you are using HTTPS certificate signed by custom certificate
> authority, please take a look at https://bugzilla.redhat.com/1336838
> for steps which need to be done after migration to 4.0. Also please
> consult https://bugzilla.redhat.com/1313379 how to setup this custom
> CA for use with virt-viewer clients./
>
> /__ __/
>
> So I referred to the first bugzilla
> (https://bugzilla.redhat.com/show_bug.cgi?id=1336838), where it
> states as follows:
>
> __ __
>
> If customer wants to 

Re: [ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4

2016-10-27 Thread Ravi Nori
Here is a complete set of instructions that works for me

You can skip the first few steps of generating the certificate.

Ravi


Generate a self-signed certificate using openssl
================================================
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -keyout privateKey.key -out certificate.pem

Convert a PEM certificate file and a private key to PKCS#12 (.p12)
==================================================================
openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key \
    -in certificate.pem

Extract the key from the bundle
===============================
openssl pkcs12 -in certificate.p12 -nocerts -nodes > apache.key.nopass

Extract the certificate from the bundle
=======================================
openssl pkcs12 -in certificate.p12 -nokeys > apache.cer

Create a new Keystore for testing
=================================
keytool -keystore clientkeystore -genkey -alias client

Convert .pem to .der
====================
openssl x509 -outform der -in certificate.pem -out certificate.der

Import certificates to keystore
===============================
keytool -import -alias apache -keystore ./clientkeystore -file ./certificate.der

Create Custom conf for ovirt
============================
vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf

Set location of truststore and its password
===========================================
ENGINE_HTTPS_PKI_TRUST_STORE="/home/rnori/Downloads/Cert/clientkeystore"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="123456"

Copy the custom certificates
============================
rm /etc/pki/ovirt-engine/apache-ca.pem
cp certificate.pem /etc/pki/ovirt-engine/apache-ca.pem
cp certificate.p12 /etc/pki/ovirt-engine/keys/apache.p12
cp apache.cer /etc/pki/ovirt-engine/certs/apache.cer
cp apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass

Restart engine and httpd
========================
service httpd restart
service ovirt-engine restart

On Thu, Oct 27, 2016 at 5:30 AM, Nicolas Ecarnot wrote:


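The following is an added example, not code from this thread or from the oVirt project. It is a POSIX shell script that checks the three things Ravi's steps above take on trust before anything is copied into /etc/pki/ovirt-engine: that apache.key.nopass really belongs to apache.cer, that apache.cer chains to the CA that is about to become apache-ca.pem, and that the truststore named in ENGINE_HTTPS_PKI_TRUST_STORE actually contains that CA. It builds the truststore with keytool -importcert rather than -genkey, so the store holds only the CA and no throwaway keypair, and writes the engine.conf.d drop-in with restrictive permissions because the store password is in it. The alias custom-apache-ca, the password changeit, the host name engine.example.com, the JKS store type and the throwaway CA it generates are all assumptions constructed for the demo; like Ravi's procedure it leaves the engine's own ca.pem untouched and only concerns the Apache-side files.

```shell
#!/bin/sh
# Added example, not from the thread or from oVirt: pre-flight checks for a
# custom Apache certificate before it is copied into /etc/pki/ovirt-engine,
# plus a CA-only Java truststore for ENGINE_HTTPS_PKI_TRUST_STORE.
# Alias, password, host name, store type and the throwaway PKI are constructed
# for the demo (assumptions, not oVirt defaults taken from the page).

# Does the private key belong to the certificate?  Both sides are reduced to
# the same SubjectPublicKeyInfo PEM and compared; any unreadable file fails.
key_matches_cert() {   # $1 = certificate PEM, $2 = private key PEM
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Does the server certificate chain to the CA that will become apache-ca.pem?
cert_chains_to_ca() {  # $1 = server certificate PEM, $2 = CA PEM
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Truststore holding only the CA: -importcert, not -genkey, so no throwaway
# keypair ends up in the store the engine reads.  JKS is pinned explicitly so
# the result does not depend on the keytool version (assumed store type).
build_truststore() {   # $1 = CA PEM, $2 = keystore path, $3 = store password
    keytool -importcert -noprompt -trustcacerts -alias custom-apache-ca \
        -storetype JKS -file "$1" -keystore "$2" -storepass "$3" >/dev/null 2>&1
}

truststore_has_ca() {  # $1 = keystore path, $2 = store password
    keytool -list -storetype JKS -keystore "$1" -storepass "$2" \
        -alias custom-apache-ca >/dev/null 2>&1
}

# engine.conf.d drop-in created 0640, since the password is in it.  Assumption:
# the group is chowned afterwards to the account the engine runs as (ovirt).
write_engine_conf() {  # $1 = keystore path, $2 = store password, $3 = conf path
    ( umask 027
      printf 'ENGINE_HTTPS_PKI_TRUST_STORE="%s"\nENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="%s"\n' \
          "$1" "$2" > "$3" )
}

# Constructed sample PKI: a private CA, a server certificate it signed, an
# unrelated CA and a stray key, so the negative cases can be exercised too.
make_sample_pki() {    # $1 = working directory
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Private CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$d/other-ca.key" -out "$d/other-ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=engine.example.com" \
        -keyout "$d/apache.key.nopass" -out "$d/apache.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/apache.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/apache.cer" >/dev/null 2>&1
    openssl genrsa -out "$d/stray.key" 2048 >/dev/null 2>&1
}

# Demo run on the constructed PKI (skipped where openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    trap 'rm -rf "$WORK"' EXIT
    make_sample_pki "$WORK"
    key_matches_cert "$WORK/apache.cer" "$WORK/apache.key.nopass" && echo "key matches cert"
    cert_chains_to_ca "$WORK/apache.cer" "$WORK/ca.pem" && echo "cert chains to ca.pem"
    cert_chains_to_ca "$WORK/apache.cer" "$WORK/other-ca.pem" || echo "cert does NOT chain to other-ca.pem"
    write_engine_conf "$WORK/engine-truststore" changeit "$WORK/99-custom-truststore.conf"
    if command -v keytool >/dev/null 2>&1; then
        build_truststore "$WORK/ca.pem" "$WORK/engine-truststore" changeit
        truststore_has_ca "$WORK/engine-truststore" changeit && echo "truststore contains the CA"
    fi
fi
```

Point the functions at the real apache.cer, apache.key.nopass and CA file instead of the generated ones and run the checks as root before the cp steps; if key_matches_cert or cert_chains_to_ca fails, the files are the wrong pair and copying them only moves the problem into the engine.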
Re: [ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4

2016-10-27 Thread Nicolas Ecarnot

On 27/10/2016 at 00:14, Kenneth Bingham wrote:



Hello,

Maybe a related bug: on an oVirt 4, I followed the same procedure below to
install a custom CA, with *SUCCESS*.

Today, I had to reinstall one of the hosts, and it is failing with:
"CA certificate and CA private key do not match":

http://pastebin.com/9JS05JtJ

Which certificate did we (Kenneth and I) misuse?
What did we do wrong?

Regards,

Nicolas ECARNOT




On Wed, Oct 26, 2016, 16:58 Beckman, Daniel wrote:

We have oVirt 3.6.7 and I am preparing to upgrade to 4.0.4 release.
I read the release notes (https://www.ovirt.org/release/4.0.4/) and
noted comment #4 under “Install / Upgrade from previous version”:

__ __

/If you are using HTTPS certificate signed by custom certificate
authority, please take a look at https://bugzilla.redhat.com/1336838
for steps which need to be done after migration to 4.0. Also please
consult https://bugzilla.redhat.com/1313379 how to setup this custom
CA for use with virt-viewer clients./

/__ __/

So I referred to the first bugzilla
(https://bugzilla.redhat.com/show_bug.cgi?id=1336838), where it
states as follows:

__ __

If customer wants to use custom HTTPS certificate signed by
different CA, then he has to perform following steps: 

__ __

1. Install custom CA (that signed HTTPS certificate) into host wide
trustore (more info can be found in update-ca-trust man page) 

__ __

2. Configure HTTPS certificate in Apache (this step is same as in
previous versions) 

__ __

3. Create new configuration file (for example
/etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf) with
following content: 

ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="" 

__ __

4. Restart ovirt-engine service

__ __

I find it humorous that step # 1 suggests reading the “man page”
which is only slightly better than suggesting to “google” it. 

__ __

Has anyone using a custom CA for their HTTPS certificate
successfully upgraded to oVirt 4? If so could you share your
detailed steps? Or can anyone point me to an actual example of this
procedure? I’m a little nervous about the upgrade if you can’t
already tell. 

__ __

Thanks,

Daniel

___
Users mailing list
Users@ovirt.org 
http://lists.ovirt.org/mailman/listinfo/users







--
Nicolas ECARNOT


Re: [ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4

2016-10-26 Thread Kenneth Bingham
I did install a server certificate from a private CA on the engine server
for the oVirt 4 Manager GUI, but haven't figured out how to configure
engine to trust the same CA which also issued the server certificate
presented by vdsm. This is important for us because this is the same server
certificate presented by the host when using the console (e.g. websocket
console fails silently if the user agent doesn't trust the console server's
certificate).

On Wed, Oct 26, 2016, 16:58 Beckman, Daniel <daniel.beck...@ingramcontent.com> wrote:



[ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4

2016-10-26 Thread Beckman, Daniel
We have oVirt 3.6.7 and I am preparing to upgrade to 4.0.4 release. I read the 
release notes (https://www.ovirt.org/release/4.0.4/) and noted comment #4 under 
“Install / Upgrade from previous version”:

If you are using HTTPS certificate signed by custom certificate authority, 
please take a look at https://bugzilla.redhat.com/1336838 for steps which need 
to be done after migration to 4.0. Also please consult 
https://bugzilla.redhat.com/1313379 how to setup this custom CA for use with 
virt-viewer clients.

So I referred to the first bugzilla 
(https://bugzilla.redhat.com/show_bug.cgi?id=1336838), where it states as 
follows:

If customer wants to use custom HTTPS certificate signed by different CA, then 
he has to perform following steps:

1. Install custom CA (that signed HTTPS certificate) into host wide trustore 
(more info can be found in update-ca-trust man page)

2. Configure HTTPS certificate in Apache (this step is same as in previous 
versions)

3. Create new configuration file (for example 
/etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf) with following 
content:
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts" 
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""

4. Restart ovirt-engine service

I find it humorous that step # 1 suggests reading the “man page” which is only 
slightly better than suggesting to “google” it.

Has anyone using a custom CA for their HTTPS certificate successfully upgraded 
to oVirt 4? If so could you share your detailed steps? Or can anyone point me 
to an actual example of this procedure? I’m a little nervous about the upgrade 
if you can’t already tell.

Thanks,
Daniel
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users