[ovirt-users] Re: Failed to upload ISO oVirt 4.4.0 - imageio unable to verify certificate

2020-07-13 Thread Nir Soffer
On Mon, Jul 13, 2020 at 5:46 PM Nir Soffer  wrote:
>
> On Fri, Jul 10, 2020 at 10:56 AM Erez Zarum  wrote:
> >
> > Replying to myself again, I managed to "solve" this.
>
> You actually solved it, no quotes required :-)
>
> > In /etc/ovirt-imageio/conf.d/50-engine.conf it uses the key_file and
> > cert_file of the apache by default.
> > For the CA cert it is indeed using the apache-ca.pem as expected (?), it
> > seems to use the same CA when trying to reach the VDSM imageio daemon
> > running on each host; for obvious reasons those are two different CAs, the
> > apache-ca.pem is used by the Engine "frontend".
> > Changing the ca_file to /etc/pki/ovirt-engine/ca.pem and restarting the
> > imageio daemon on the ovirt-engine solved this issue.
>
> Right, you need to change the ovirt-imageio configuration to replace the CA.
>
> But note that you should not touch:
>
> /etc/ovirt-imageio/conf.d/50-engine.conf
>
> This file is owned by engine and your changes will be dropped silently
> on the next upgrade.
>
> You need to add your own configuration file, maybe:
>
> /etc/ovirt-imageio/99-local.conf
>
> Where you can override what you need:
>
> [tls]
> ca_file = ...
>
> This is documented in the top of 50-vdsm.conf:
>
> # Configuration overrides for vdsm.
> #
> # WARNING: This file owned by vdsm. If you modify this file your changes will
> # be overwritten in the next vdsm upgrade.
> #
> # To change the configuration create a new drop-in file with a higher prefix,
> # so your setting will override vdsm and builtin configuration:
> #
> # $ cat /etc/ovirt-imageio/conf.d/99-locl.conf
> # [logger_root]
> # level = DEBUG
> #
> # This example overrides ovirt-imageio service log level to DEBUG.
>
> But the documentation is missing on engine side.
> Please file engine bug for this.

Sorry, this is already documented also on engine side:

# Configuration overrides for ovirt-engine.
#
# WARNING: This file owned by ovirt-engine. If you modify this file your
# changes will be overwritten in the next ovirt-engine upgrade.
#
# To change the configuration create a new drop-in file with higher prefix,
# so your setting will override ovirt-engine configuration:
#
# $ cat /etc/ovirt-imageio/conf.d/99-locl.conf
# [tls]
# ca_file =
#
# This example overrides ca_file to be empty string. This can be useful if
# the host certificates are signed by a trusted CA.

There are some typos but it is very clear.
Typos fixed here:
https://gerrit.ovirt.org/c/110265/
https://gerrit.ovirt.org/c/110266/

> > The information here: http://ovirt.github.io/ovirt-imageio/overview.html is 
> > misleading.
>
> Please file ovirt-imageio Documentation bug for this.
>
> Nir
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/7XR35WEVOYML3OP2ZPI6LDSYH5WBCNUT/
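
The drop-in override discussed in the message above, as an added example (not part of the thread and not ovirt-imageio's own code). It assumes that `*.conf` files in the drop-in directory are applied in sorted file-name order, as the quoted file header describes; the sample file contents and the function names are constructed for illustration.

```python
import configparser
import glob
import os
import tempfile


def option_history(conf_dir, section, option):
    """List (file name, value) for every drop-in that sets section.option.

    Assumption: *.conf files apply in sorted file-name order; last entry wins.
    """
    history = []
    for path in sorted(glob.glob(os.path.join(conf_dir, "*.conf"))):
        parser = configparser.RawConfigParser()
        parser.read(path)
        if parser.has_option(section, option):
            history.append((os.path.basename(path), parser.get(section, option)))
    return history


def effective(conf_dir, section, option):
    """Return (value, source file) of the winning setting, or None if unset."""
    history = option_history(conf_dir, section, option)
    if not history:
        return None
    name, value = history[-1]
    return value, name


def build_sample_dir():
    """Create a constructed conf.d with a package-owned file and a local one."""
    conf_dir = tempfile.mkdtemp(prefix="imageio-conf.d-")
    samples = {
        # Constructed stand-in for the engine-owned file (not its real content).
        "50-engine.conf": "[tls]\nca_file = apache-ca.pem\n",
        # Local override carrying the CA path given in the thread.
        "99-local.conf": "[tls]\nca_file = /etc/pki/ovirt-engine/ca.pem\n",
    }
    for name, text in samples.items():
        with open(os.path.join(conf_dir, name), "w") as f:
            f.write(text)
    return conf_dir


if __name__ == "__main__":
    d = build_sample_dir()
    for name, value in option_history(d, "tls", "ca_file"):
        print(f"{name}: ca_file = {value!r}")
    print("effective:", effective(d, "tls", "ca_file"))
```

The history makes it visible when a package-owned file still carries the setting and a higher-prefixed local file overrides it, so the override survives an upgrade that rewrites the package-owned file.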


[ovirt-users] Re: Failed to upload ISO oVirt 4.4.0 - imageio unable to verify certificate

2020-07-13 Thread Nir Soffer
On Fri, Jul 10, 2020 at 10:56 AM Erez Zarum  wrote:
>
> Replying to myself again, I managed to "solve" this.

You actually solved it, no quotes required :-)

> In /etc/ovirt-imageio/conf.d/50-engine.conf it uses the key_file and
> cert_file of the apache by default.
> For the CA cert it is indeed using the apache-ca.pem as expected (?), it
> seems to use the same CA when trying to reach the VDSM imageio daemon running
> on each host; for obvious reasons those are two different CAs, the
> apache-ca.pem is used by the Engine "frontend".
> Changing the ca_file to /etc/pki/ovirt-engine/ca.pem and restarting the imageio
> daemon on the ovirt-engine solved this issue.

Right, you need to change the ovirt-imageio configuration to replace the CA.

But note that you should not touch:

/etc/ovirt-imageio/conf.d/50-engine.conf

This file is owned by engine and your changes will be dropped silently
on the next upgrade.

You need to add your own configuration file, maybe:

/etc/ovirt-imageio/99-local.conf

Where you can override what you need:

[tls]
ca_file = ...

This is documented in the top of 50-vdsm.conf:

# Configuration overrides for vdsm.
#
# WARNING: This file owned by vdsm. If you modify this file your changes will
# be overwritten in the next vdsm upgrade.
#
# To change the configuration create a new drop-in file with a higher prefix,
# so your setting will override vdsm and builtin configuration:
#
# $ cat /etc/ovirt-imageio/conf.d/99-locl.conf
# [logger_root]
# level = DEBUG
#
# This example overrides ovirt-imageio service log level to DEBUG.

But the documentation is missing on engine side.
Please file engine bug for this.

> The information here: http://ovirt.github.io/ovirt-imageio/overview.html is 
> misleading.

Please file ovirt-imageio Documentation bug for this.

Nir
___
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/HXZNMKSZD6MW2NS2OBXXRTV3UPQV5VII/


[ovirt-users] Re: Failed to upload ISO oVirt 4.4.0 - imageio unable to verify certificate

2020-07-13 Thread Sandro Bonazzola
+Yedidyah Bar David, +Nir Soffer, +Eyal Shenitzky can you please have a look here?

On Fri, Jul 10, 2020 at 09:56 Erez Zarum wrote:

> Replying to myself again, I managed to "solve" this.
> In /etc/ovirt-imageio/conf.d/50-engine.conf it uses the key_file and
> cert_file of the apache by default.
> For the CA cert it is indeed using the apache-ca.pem as expected (?), it
> seems to use the same CA when trying to reach the VDSM imageio daemon
> running on each host; for obvious reasons those are two different CAs, the
> apache-ca.pem is used by the Engine "frontend".
> Changing the ca_file to /etc/pki/ovirt-engine/ca.pem and restarting the
> imageio daemon on the ovirt-engine solved this issue.
> The information here: http://ovirt.github.io/ovirt-imageio/overview.html
> is misleading.


-- 

Sandro Bonazzola

MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV

Red Hat EMEA 

sbona...@redhat.com


___
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/TVHOQIUXGG5OA7RX3BL65M72WSBM33T2/


[ovirt-users] Re: Failed to upload ISO oVirt 4.4.0 - imageio unable to verify certificate

2020-07-10 Thread Erez Zarum
Replying to myself again, I managed to "solve" this.
In /etc/ovirt-imageio/conf.d/50-engine.conf it uses the key_file and cert_file
of the apache by default.
For the CA cert it is indeed using the apache-ca.pem as expected (?), it seems
to use the same CA when trying to reach the VDSM imageio daemon running on each
host; for obvious reasons those are two different CAs, the apache-ca.pem is used
by the Engine "frontend".
Changing the ca_file to /etc/pki/ovirt-engine/ca.pem and restarting the imageio
daemon on the ovirt-engine solved this issue.
The information here: http://ovirt.github.io/ovirt-imageio/overview.html is 
misleading.
___
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/FUV7B43YSWAG6E3VO3IEXXJLDJ3DJWND/


[ovirt-users] Re: Failed to upload ISO oVirt 4.4.0 - imageio unable to verify certificate

2020-07-10 Thread Erez Zarum
There is a lot of misinformation, I don't have the ovirt-imageio-proxy service
and only ovirt-imageio, can I assume this is the same?
I have tried to follow every workaround I have found (including many bugs that
were closed) but none helped me to solve it.
I can confirm that this worked well in 4.3.10.
___
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/MIBC72NTFPF36I2O57R42HYH3CBFNYEO/