[ovirt-users] Re: [rhev-tech] ovirt-imageio-proxy not working after updating SSL certificates with a wildcard cert issued by AlphaSSL (intermediate)

2020-11-22 Thread pjay_inc--- via Users
Good day,

I am having exactly the same issue with oVirt 4.3.9.4-2 except that I am using 
IPA Ca in my environment. Is there a way of solving this issue without 
upgrading to 4.4? Could you please help me out? My imageio version is also 
1.5.3.

Thank you.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/V77D7Q6O3ZR63UVIGTOB75Z5M7OAPSEE/


[ovirt-users] Re: [rhev-tech] ovirt-imageio-proxy not working after updating SSL certificates with a wildcard cert issued by AlphaSSL (intermediate)

2020-08-08 Thread Nir Soffer
On Mon, Jul 27, 2020 at 6:40 PM Nir Soffer  wrote:

> On Sat, Jul 25, 2020 at 5:24 AM Lynn Dixon  wrote:
>
>> All,
>> I recently bought a wildcard certificate for my lab domain (shadowman.dev)
>> and I replaced all the certs on my RHV4.3 machine per our documentation.
>> The WebUI presents the certs successfully and without any issues, and
>> everything seemed to be fine, until I tried to upload a disk image (or an
>> ISO) to my storage domain.  I get this error in the events tab:
>>
>> https://share.getcloudapp.com/p9uPvegx
>> [image: image.png]
>>
>> I also see that the disk is showing up in my storage domain, but its
>> showing "Paused by System" and I can't do anything with it.  I cant even
>> delete it!
>>
>> I have tried following this document to fix the issue, but it didn't
>> work: https://access.redhat.com/solutions/4148361
>>
>> I am seeing this error pop into my engine.log:
>> https://pastebin.com/kDLSEq1A
>>
>> And I see this error in my image-proxy.log:
>> WARNING 2020-07-24 15:26:34,802 web:137:web:(log_error) ERROR
>> [172.17.0.30] PUT /tickets/ [403] Error verifying signed ticket: Invalid
>> ovirt ticket (data='--my_ticket_data-', reason=Untrusted
>> certificate) [request=0.002946/1]
>>
>
> This means ssl_* configuration in broken.
>
> We have 2 groups:
>
> Client ssl configuration:
>
> # Key file for SSL connections
> ssl_key_file = /etc/pki/ovirt-engine/keys/image-proxy.key.nopass
>
> # Certificate file for SSL connections
> ssl_cert_file = /etc/pki/ovirt-engine/certs/image-proxy.cer
>
> And engine SSL configuration:
>
> # Certificate file used when decoding signed token
> engine_cert_file = /etc/pki/ovirt-engine/certs/engine.cer
>
> # CA certificate file used to verify signed token
> engine_ca_cert_file = /etc/pki/ovirt-engine/ca.pem
>
> engine configuration is used to verify signed ticket used by engine when
> adding tickets to the proxy. This is internal flow that clients should not
> care
> about. You should not replace these unless you are using also custom
> certificate
> for engine itself - very unlikely and maybe unsupported.
> (Didi please correct me on this).
>
> SSL client configuration is used when communicating with clients, and does
> not depend on engine ssl configuration. You can replace these with your
> certificates.
>
> Can you share your /etc/ovirt-imageio/ovirt-imageio-proxy.conf?
>
> The main issue with the current configuration is that we don't have
> ssl_ca_cert configuration,
> assuming that ssl_cert_file is a self signed certificate that includes the
> CA certificate, since
> this is what engine is creating.
>
> In 4.4, we have more flexible configuration that should work for your case:
>
> $ cat /etc/ovirt-imageio/conf.d/50-engine.conf
> ...
> [tls]
> enable = true
> key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
> cert_file = /etc/pki/ovirt-engine/certs/apache.cer
> ca_file = /etc/pki/ovirt-engine/apache-ca.pem
>
> Adding ssl_ca_cert to imageio 1.5.3 looks simple enough, so I posted this
> completely untested patch:
> https://gerrit.ovirt.org/c/110498/
>
> You can try to upgrade your proxy to using this build:
>
> https://jenkins.ovirt.org/job/ovirt-imageio_standard-check-patch/3384/artifact/build-artifacts.el7.x86_64/
>
> Add a yum repo file with this baseurl=.
>
> Again this is untested, but you seem to be in the best place to test it,
> since I don't have any real certificates for testing.
>
> It would also be useful if you file a bug for this issue.
>

Lynn, did you resolve this issue?


>
> Nir
>
> Now, when I bought my wildcard, I was given a root certificate for the CA,
>> as well as a separate intermediate CA certificate from the provider.
>> Likewise, they gave me a certificate and a private key of course. The root
>> and intermediate CA's certificates have been added
>> to /etc/pki/ca-trust/source/anchors/ and I did an update-ca-trust.
>>
>> I also started experiencing issues with the ovpn network provider at the
>> same time I replaced the SSL certs, but I disregarded it at the time, but
>> now I am thinking its related.  Any advice on what to look for to fix the
>> ovirt-imageio-proxy?
>>
>> Thanks!
>>
>>
>> *Lynn Dixon* | Red Hat Certified Architect #100-006-188
>> *Solutions Architect* | NA Commercial
>> Google Voice: 423-618-1414
>> Cell/Text: 423-774-3188
>> Click here to view my Certification Portfolio 
>>
>>
>>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/RITYEGP7J3BO2IMIQ7YEXZWV3STKEXLF/


[ovirt-users] Re: [rhev-tech] ovirt-imageio-proxy not working after updating SSL certificates with a wildcard cert issued by AlphaSSL (intermediate)

2020-07-28 Thread Yedidyah Bar David
On Mon, Jul 27, 2020 at 6:40 PM Nir Soffer  wrote:
>
> On Sat, Jul 25, 2020 at 5:24 AM Lynn Dixon  wrote:
>>
>> All,
>> I recently bought a wildcard certificate for my lab domain (shadowman.dev) 
>> and I replaced all the certs on my RHV4.3 machine per our documentation.  
>> The WebUI presents the certs successfully and without any issues, and 
>> everything seemed to be fine, until I tried to upload a disk image (or an 
>> ISO) to my storage domain.  I get this error in the events tab:
>>
>> https://share.getcloudapp.com/p9uPvegx
>>
>>
>> I also see that the disk is showing up in my storage domain, but its showing 
>> "Paused by System" and I can't do anything with it.  I cant even delete it!
>>
>> I have tried following this document to fix the issue, but it didn't work: 
>> https://access.redhat.com/solutions/4148361
>>
>> I am seeing this error pop into my engine.log:  https://pastebin.com/kDLSEq1A
>>
>> And I see this error in my image-proxy.log:
>> WARNING 2020-07-24 15:26:34,802 web:137:web:(log_error) ERROR [172.17.0.30] 
>> PUT /tickets/ [403] Error verifying signed ticket: Invalid ovirt ticket 
>> (data='--my_ticket_data-', reason=Untrusted certificate) 
>> [request=0.002946/1]
>
>
> This means ssl_* configuration in broken.
>
> We have 2 groups:
>
> Client ssl configuration:
>
> # Key file for SSL connections
> ssl_key_file = /etc/pki/ovirt-engine/keys/image-proxy.key.nopass
>
> # Certificate file for SSL connections
> ssl_cert_file = /etc/pki/ovirt-engine/certs/image-proxy.cer
>
> And engine SSL configuration:
>
> # Certificate file used when decoding signed token
> engine_cert_file = /etc/pki/ovirt-engine/certs/engine.cer
>
> # CA certificate file used to verify signed token
> engine_ca_cert_file = /etc/pki/ovirt-engine/ca.pem
>
> engine configuration is used to verify signed ticket used by engine when
> adding tickets to the proxy. This is internal flow that clients should not 
> care
> about. You should not replace these unless you are using also custom 
> certificate
> for engine itself - very unlikely and maybe unsupported.
> (Didi please correct me on this).

This is correct - it's unsupported.

We used to have an bug to make this pluggable, but it was never
handled and eventually closed:

https://bugzilla.redhat.com/1134219

>
>
> SSL client configuration is used when communicating with clients, and does
> not depend on engine ssl configuration. You can replace these with your 
> certificates.
>
> Can you share your /etc/ovirt-imageio/ovirt-imageio-proxy.conf?
>
> The main issue with the current configuration is that we don't have 
> ssl_ca_cert configuration,
> assuming that ssl_cert_file is a self signed certificate that includes the CA 
> certificate, since
> this is what engine is creating.
>
> In 4.4, we have more flexible configuration that should work for your case:
>
> $ cat /etc/ovirt-imageio/conf.d/50-engine.conf
> ...
> [tls]
> enable = true
> key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
> cert_file = /etc/pki/ovirt-engine/certs/apache.cer
> ca_file = /etc/pki/ovirt-engine/apache-ca.pem
>
> Adding ssl_ca_cert to imageio 1.5.3 looks simple enough, so I posted this
> completely untested patch:
> https://gerrit.ovirt.org/c/110498/
>
> You can try to upgrade your proxy to using this build:
> https://jenkins.ovirt.org/job/ovirt-imageio_standard-check-patch/3384/artifact/build-artifacts.el7.x86_64/
>
> Add a yum repo file with this baseurl=.
>
> Again this is untested, but you seem to be in the best place to test it,
> since I don't have any real certificates for testing.
>
> It would also be useful if you file a bug for this issue.
>
> Nir
>
>> Now, when I bought my wildcard, I was given a root certificate for the CA, 
>> as well as a separate intermediate CA certificate from the provider.  
>> Likewise, they gave me a certificate and a private key of course. The root 
>> and intermediate CA's certificates have been added to 
>> /etc/pki/ca-trust/source/anchors/ and I did an update-ca-trust.
>>
>> I also started experiencing issues with the ovpn network provider at the 
>> same time I replaced the SSL certs, but I disregarded it at the time, but 
>> now I am thinking its related.  Any advice on what to look for to fix the 
>> ovirt-imageio-proxy?
>>
>> Thanks!
>>
>>
>> Lynn Dixon | Red Hat Certified Architect #100-006-188
>> Solutions Architect | NA Commercial
>> Google Voice: 423-618-1414
>> Cell/Text: 423-774-3188
>> Click here to view my Certification Portfolio
>>
>>


-- 
Didi
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/EO5MQMHXLPMW3TFDQFVZURURRYLSKLXI/


[ovirt-users] Re: [rhev-tech] ovirt-imageio-proxy not working after updating SSL certificates with a wildcard cert issued by AlphaSSL (intermediate)

2020-07-28 Thread Lynn Dixon
I am running 1.5.3 of all of the imageio-* packages.  THe test button in
RHVM for the uploader comes back successfully with no errors.

I am at a loss here.


*Lynn Dixon* | Red Hat Certified Architect #100-006-188
*Solutions Architect* | NA Commercial
Google Voice: 423-618-1414
Cell/Text: 423-774-3188
Click here to view my Certification Portfolio 




On Sat, Jul 25, 2020 at 12:53 AM Greg Scott  wrote:

> Make sure you have the right imageio versions. We spent around two months
> troubleshooting a similar problem and eventually found my customer had
> imageio 1.0.0 when they should have had something like 1.4.4. Do an rpm -
> qa | grep imageio on both your RHVM and RHV-H systems and see what it looks
> like.
>
> Also try that test button in RHVM and see how it behaves. Does it fail
> right away or does it take a couple seconds?
>
> - Greg
>
> On Fri, Jul 24, 2020 at 9:24 PM Lynn Dixon  wrote:
>
>> All,
>> I recently bought a wildcard certificate for my lab domain (shadowman.dev)
>> and I replaced all the certs on my RHV4.3 machine per our documentation.
>> The WebUI presents the certs successfully and without any issues, and
>> everything seemed to be fine, until I tried to upload a disk image (or an
>> ISO) to my storage domain.  I get this error in the events tab:
>>
>> https://share.getcloudapp.com/p9uPvegx
>> [image: image.png]
>>
>> I also see that the disk is showing up in my storage domain, but its
>> showing "Paused by System" and I can't do anything with it.  I cant even
>> delete it!
>>
>> I have tried following this document to fix the issue, but it didn't
>> work: https://access.redhat.com/solutions/4148361
>>
>> I am seeing this error pop into my engine.log:
>> https://pastebin.com/kDLSEq1A
>>
>> And I see this error in my image-proxy.log:
>> WARNING 2020-07-24 15:26:34,802 web:137:web:(log_error) ERROR
>> [172.17.0.30] PUT /tickets/ [403] Error verifying signed ticket: Invalid
>> ovirt ticket (data='--my_ticket_data-', reason=Untrusted
>> certificate) [request=0.002946/1]
>>
>> Now, when I bought my wildcard, I was given a root certificate for the
>> CA, as well as a separate intermediate CA certificate from the provider.
>> Likewise, they gave me a certificate and a private key of course. The root
>> and intermediate CA's certificates have been added
>> to /etc/pki/ca-trust/source/anchors/ and I did an update-ca-trust.
>>
>> I also started experiencing issues with the ovpn network provider at the
>> same time I replaced the SSL certs, but I disregarded it at the time, but
>> now I am thinking its related.  Any advice on what to look for to fix the
>> ovirt-imageio-proxy?
>>
>> Thanks!
>>
>>
>> *Lynn Dixon* | Red Hat Certified Architect #100-006-188
>> *Solutions Architect* | NA Commercial
>> Google Voice: 423-618-1414
>> Cell/Text: 423-774-3188
>> Click here to view my Certification Portfolio 
>>
>>
>>
>
> --
> Greg Scott
> Red Hat Senior Technical Account Manager
> mobile 1-651-260-1051
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/ADOZRMPSNXLZ4LUODFLGD7XKOMI7DDQM/


[ovirt-users] Re: [rhev-tech] ovirt-imageio-proxy not working after updating SSL certificates with a wildcard cert issued by AlphaSSL (intermediate)

2020-07-27 Thread Nir Soffer
On Sat, Jul 25, 2020 at 5:24 AM Lynn Dixon  wrote:

> All,
> I recently bought a wildcard certificate for my lab domain (shadowman.dev)
> and I replaced all the certs on my RHV4.3 machine per our documentation.
> The WebUI presents the certs successfully and without any issues, and
> everything seemed to be fine, until I tried to upload a disk image (or an
> ISO) to my storage domain.  I get this error in the events tab:
>
> https://share.getcloudapp.com/p9uPvegx
> [image: image.png]
>
> I also see that the disk is showing up in my storage domain, but its
> showing "Paused by System" and I can't do anything with it.  I cant even
> delete it!
>
> I have tried following this document to fix the issue, but it didn't work:
> https://access.redhat.com/solutions/4148361
>
> I am seeing this error pop into my engine.log:
> https://pastebin.com/kDLSEq1A
>
> And I see this error in my image-proxy.log:
> WARNING 2020-07-24 15:26:34,802 web:137:web:(log_error) ERROR
> [172.17.0.30] PUT /tickets/ [403] Error verifying signed ticket: Invalid
> ovirt ticket (data='--my_ticket_data-', reason=Untrusted
> certificate) [request=0.002946/1]
>

This means ssl_* configuration in broken.

We have 2 groups:

Client ssl configuration:

# Key file for SSL connections
ssl_key_file = /etc/pki/ovirt-engine/keys/image-proxy.key.nopass

# Certificate file for SSL connections
ssl_cert_file = /etc/pki/ovirt-engine/certs/image-proxy.cer

And engine SSL configuration:

# Certificate file used when decoding signed token
engine_cert_file = /etc/pki/ovirt-engine/certs/engine.cer

# CA certificate file used to verify signed token
engine_ca_cert_file = /etc/pki/ovirt-engine/ca.pem

engine configuration is used to verify signed ticket used by engine when
adding tickets to the proxy. This is internal flow that clients should not
care
about. You should not replace these unless you are using also custom
certificate
for engine itself - very unlikely and maybe unsupported.
(Didi please correct me on this).

SSL client configuration is used when communicating with clients, and does
not depend on engine ssl configuration. You can replace these with your
certificates.

Can you share your /etc/ovirt-imageio/ovirt-imageio-proxy.conf?

The main issue with the current configuration is that we don't have
ssl_ca_cert configuration,
assuming that ssl_cert_file is a self signed certificate that includes the
CA certificate, since
this is what engine is creating.

In 4.4, we have more flexible configuration that should work for your case:

$ cat /etc/ovirt-imageio/conf.d/50-engine.conf
...
[tls]
enable = true
key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
cert_file = /etc/pki/ovirt-engine/certs/apache.cer
ca_file = /etc/pki/ovirt-engine/apache-ca.pem

Adding ssl_ca_cert to imageio 1.5.3 looks simple enough, so I posted this
completely untested patch:
https://gerrit.ovirt.org/c/110498/

You can try to upgrade your proxy to using this build:
https://jenkins.ovirt.org/job/ovirt-imageio_standard-check-patch/3384/artifact/build-artifacts.el7.x86_64/

Add a yum repo file with this baseurl=.

Again this is untested, but you seem to be in the best place to test it,
since I don't have any real certificates for testing.

It would also be useful if you file a bug for this issue.

Nir

Now, when I bought my wildcard, I was given a root certificate for the CA,
> as well as a separate intermediate CA certificate from the provider.
> Likewise, they gave me a certificate and a private key of course. The root
> and intermediate CA's certificates have been added
> to /etc/pki/ca-trust/source/anchors/ and I did an update-ca-trust.
>
> I also started experiencing issues with the ovpn network provider at the
> same time I replaced the SSL certs, but I disregarded it at the time, but
> now I am thinking its related.  Any advice on what to look for to fix the
> ovirt-imageio-proxy?
>
> Thanks!
>
>
> *Lynn Dixon* | Red Hat Certified Architect #100-006-188
> *Solutions Architect* | NA Commercial
> Google Voice: 423-618-1414
> Cell/Text: 423-774-3188
> Click here to view my Certification Portfolio 
>
>
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/IT7OWF7WZ6LTLLLP4TSSPBNKMTCDNG2H/


[ovirt-users] Re: [rhev-tech] ovirt-imageio-proxy not working after updating SSL certificates with a wildcard cert issued by AlphaSSL (intermediate)

2020-07-27 Thread Greg Scott
Imageio 1.5.3 on both RHVM and your hypervisors, right? And the test
returned success - that eliminates what I saw then.


On Mon, Jul 27, 2020 at 9:44 AM Lynn Dixon  wrote:

> I am running 1.5.3 of all of the imageio-* packages.  THe test button in
> RHVM for the uploader comes back successfully with no errors.
>
> I am at a loss here.
>
> *Lynn Dixon* | Red Hat Certified Architect #100-006-188
> *Solutions Architect* | NA Commercial
> Google Voice: 423-618-1414
> Cell/Text: 423-774-3188
> Click here to view my Certification Portfolio 
>
>
>
>
> On Sat, Jul 25, 2020 at 12:53 AM Greg Scott  wrote:
>
>> Make sure you have the right imageio versions. We spent around two months
>> troubleshooting a similar problem and eventually found my customer had
>> imageio 1.0.0 when they should have had something like 1.4.4. Do an rpm -
>> qa | grep imageio on both your RHVM and RHV-H systems and see what it looks
>> like.
>>
>> Also try that test button in RHVM and see how it behaves. Does it fail
>> right away or does it take a couple seconds?
>>
>> - Greg
>>
>> On Fri, Jul 24, 2020 at 9:24 PM Lynn Dixon  wrote:
>>
>>> All,
>>> I recently bought a wildcard certificate for my lab domain (
>>> shadowman.dev) and I replaced all the certs on my RHV4.3 machine per
>>> our documentation.  The WebUI presents the certs successfully and without
>>> any issues, and everything seemed to be fine, until I tried to upload a
>>> disk image (or an ISO) to my storage domain.  I get this error in the
>>> events tab:
>>>
>>> https://share.getcloudapp.com/p9uPvegx
>>> [image: image.png]
>>>
>>> I also see that the disk is showing up in my storage domain, but its
>>> showing "Paused by System" and I can't do anything with it.  I cant even
>>> delete it!
>>>
>>> I have tried following this document to fix the issue, but it didn't
>>> work: https://access.redhat.com/solutions/4148361
>>>
>>> I am seeing this error pop into my engine.log:
>>> https://pastebin.com/kDLSEq1A
>>>
>>> And I see this error in my image-proxy.log:
>>> WARNING 2020-07-24 15:26:34,802 web:137:web:(log_error) ERROR
>>> [172.17.0.30] PUT /tickets/ [403] Error verifying signed ticket: Invalid
>>> ovirt ticket (data='--my_ticket_data-', reason=Untrusted
>>> certificate) [request=0.002946/1]
>>>
>>> Now, when I bought my wildcard, I was given a root certificate for the
>>> CA, as well as a separate intermediate CA certificate from the provider.
>>> Likewise, they gave me a certificate and a private key of course. The root
>>> and intermediate CA's certificates have been added
>>> to /etc/pki/ca-trust/source/anchors/ and I did an update-ca-trust.
>>>
>>> I also started experiencing issues with the ovpn network provider at the
>>> same time I replaced the SSL certs, but I disregarded it at the time, but
>>> now I am thinking its related.  Any advice on what to look for to fix the
>>> ovirt-imageio-proxy?
>>>
>>> Thanks!
>>>
>>>
>>> *Lynn Dixon* | Red Hat Certified Architect #100-006-188
>>> *Solutions Architect* | NA Commercial
>>> Google Voice: 423-618-1414
>>> Cell/Text: 423-774-3188
>>> Click here to view my Certification Portfolio 
>>>
>>>
>>>
>>
>> --
>> Greg Scott
>> Red Hat Senior Technical Account Manager
>> mobile 1-651-260-1051
>>
>

-- 
Greg Scott
Red Hat Senior Technical Account Manager
mobile 1-651-260-1051
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/QMS3CTP2FGWCG4ELC6SW4YICMA2O22ND/


[ovirt-users] Re: [rhev-tech] ovirt-imageio-proxy not working after updating SSL certificates with a wildcard cert issued by AlphaSSL (intermediate)

2020-07-27 Thread Lynn Dixon
I am running 1.5.3 of all of the imageio-* packages.  THe test button in
RHVM for the uploader comes back successfully with no errors.

I am at a loss here.

*Lynn Dixon* | Red Hat Certified Architect #100-006-188
*Solutions Architect* | NA Commercial
Google Voice: 423-618-1414
Cell/Text: 423-774-3188
Click here to view my Certification Portfolio 




On Sat, Jul 25, 2020 at 12:53 AM Greg Scott  wrote:

> Make sure you have the right imageio versions. We spent around two months
> troubleshooting a similar problem and eventually found my customer had
> imageio 1.0.0 when they should have had something like 1.4.4. Do an rpm -
> qa | grep imageio on both your RHVM and RHV-H systems and see what it looks
> like.
>
> Also try that test button in RHVM and see how it behaves. Does it fail
> right away or does it take a couple seconds?
>
> - Greg
>
> On Fri, Jul 24, 2020 at 9:24 PM Lynn Dixon  wrote:
>
>> All,
>> I recently bought a wildcard certificate for my lab domain (shadowman.dev)
>> and I replaced all the certs on my RHV4.3 machine per our documentation.
>> The WebUI presents the certs successfully and without any issues, and
>> everything seemed to be fine, until I tried to upload a disk image (or an
>> ISO) to my storage domain.  I get this error in the events tab:
>>
>> https://share.getcloudapp.com/p9uPvegx
>> [image: image.png]
>>
>> I also see that the disk is showing up in my storage domain, but its
>> showing "Paused by System" and I can't do anything with it.  I cant even
>> delete it!
>>
>> I have tried following this document to fix the issue, but it didn't
>> work: https://access.redhat.com/solutions/4148361
>>
>> I am seeing this error pop into my engine.log:
>> https://pastebin.com/kDLSEq1A
>>
>> And I see this error in my image-proxy.log:
>> WARNING 2020-07-24 15:26:34,802 web:137:web:(log_error) ERROR
>> [172.17.0.30] PUT /tickets/ [403] Error verifying signed ticket: Invalid
>> ovirt ticket (data='--my_ticket_data-', reason=Untrusted
>> certificate) [request=0.002946/1]
>>
>> Now, when I bought my wildcard, I was given a root certificate for the
>> CA, as well as a separate intermediate CA certificate from the provider.
>> Likewise, they gave me a certificate and a private key of course. The root
>> and intermediate CA's certificates have been added
>> to /etc/pki/ca-trust/source/anchors/ and I did an update-ca-trust.
>>
>> I also started experiencing issues with the ovpn network provider at the
>> same time I replaced the SSL certs, but I disregarded it at the time, but
>> now I am thinking its related.  Any advice on what to look for to fix the
>> ovirt-imageio-proxy?
>>
>> Thanks!
>>
>>
>> *Lynn Dixon* | Red Hat Certified Architect #100-006-188
>> *Solutions Architect* | NA Commercial
>> Google Voice: 423-618-1414
>> Cell/Text: 423-774-3188
>> Click here to view my Certification Portfolio 
>>
>>
>>
>
> --
> Greg Scott
> Red Hat Senior Technical Account Manager
> mobile 1-651-260-1051
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/LDJXJZWADLMDZNEEUI6XIPE3G4GAJARJ/


[ovirt-users] Re: [rhev-tech] ovirt-imageio-proxy not working after updating SSL certificates with a wildcard cert issued by AlphaSSL (intermediate)

2020-07-24 Thread Greg Scott
Make sure you have the right imageio versions. We spent around two months
troubleshooting a similar problem and eventually found my customer had
imageio 1.0.0 when they should have had something like 1.4.4. Do an rpm -
qa | grep imageio on both your RHVM and RHV-H systems and see what it looks
like.

Also try that test button in RHVM and see how it behaves. Does it fail
right away or does it take a couple seconds?

- Greg

On Fri, Jul 24, 2020 at 9:24 PM Lynn Dixon  wrote:

> All,
> I recently bought a wildcard certificate for my lab domain (shadowman.dev)
> and I replaced all the certs on my RHV4.3 machine per our documentation.
> The WebUI presents the certs successfully and without any issues, and
> everything seemed to be fine, until I tried to upload a disk image (or an
> ISO) to my storage domain.  I get this error in the events tab:
>
> https://share.getcloudapp.com/p9uPvegx
> [image: image.png]
>
> I also see that the disk is showing up in my storage domain, but its
> showing "Paused by System" and I can't do anything with it.  I cant even
> delete it!
>
> I have tried following this document to fix the issue, but it didn't work:
> https://access.redhat.com/solutions/4148361
>
> I am seeing this error pop into my engine.log:
> https://pastebin.com/kDLSEq1A
>
> And I see this error in my image-proxy.log:
> WARNING 2020-07-24 15:26:34,802 web:137:web:(log_error) ERROR
> [172.17.0.30] PUT /tickets/ [403] Error verifying signed ticket: Invalid
> ovirt ticket (data='--my_ticket_data-', reason=Untrusted
> certificate) [request=0.002946/1]
>
> Now, when I bought my wildcard, I was given a root certificate for the CA,
> as well as a separate intermediate CA certificate from the provider.
> Likewise, they gave me a certificate and a private key of course. The root
> and intermediate CA's certificates have been added
> to /etc/pki/ca-trust/source/anchors/ and I did an update-ca-trust.
>
> I also started experiencing issues with the ovpn network provider at the
> same time I replaced the SSL certs, but I disregarded it at the time, but
> now I am thinking its related.  Any advice on what to look for to fix the
> ovirt-imageio-proxy?
>
> Thanks!
>
>
> *Lynn Dixon* | Red Hat Certified Architect #100-006-188
> *Solutions Architect* | NA Commercial
> Google Voice: 423-618-1414
> Cell/Text: 423-774-3188
> Click here to view my Certification Portfolio 
>
>
>

-- 
Greg Scott
Red Hat Senior Technical Account Manager
mobile 1-651-260-1051
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/2QLLTX7U4PNQNEFS4AWHLZANK6KCN5HC/