[ovirt-users] Re: Use public-signed SSL certs?
Once upon a time, Dominik Holler said:
> Would
> ovirt-ca-file=/etc/pki/tls/certs/ca-bundle.crt
> work for you?

Yes, that looks like it works correctly.

Still chasing issues with a 3rd-party cert down... now it seems like there may be an SSL issue between ovirt-provider-ovn and ovsdb-server (seeing SSL and protocol errors in ovsdb-server-nb.log that weren't there before changing the cert).

Also, I updated the engine from 4.3.4 to 4.3.5 and it overwrote the necessary changes in ovirt-imageio-proxy's config.

--
Chris Adams
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/SME7XGJLCJ5YTMFQ2OBJKFT53WODEQOI/
[ovirt-users] Re: Use public-signed SSL certs?
On Fri, Aug 2, 2019 at 4:37 PM Dominik Holler wrote:
> On Thu, 1 Aug 2019 20:45:56 -0500
> Chris Adams wrote:
>
> > I figured it out. When ovirt-provider-ovn attempts to connect back to the engine via HTTPS, it tells the python requests module to use the specified CA cert file... but that won't work with most 3rd-party certs because they have an intermediate cert as well. It appears that the requests module tries to validate both certs.
> >
> > Creating /etc/ovirt-provider-ovn/conf.d/99-custom-cert.conf that just has:
> >
> > [OVIRT]
> > ovirt-ca-file=
> >
> > tells the module to use the regular system CA cert file(s), which works.
>
> Thanks for your investigation!
> Looks like the empty string is converted implicitly to Boolean in
> https://github.com/psf/requests/blob/75bdc998e2d430a35d869b2abf1779bd0d34890e/requests/adapters.py#L215
> Because bool('') is False in python, the certificate should be checked at all.
>

Because bool('') is False in python, the certificate should be *not* checked at all.

> Would
> ovirt-ca-file=/etc/pki/tls/certs/ca-bundle.crt
> work for you?
> (It works for https://helloworld.letsencrypt.org)
>
> > This should probably be added to the oVirt doc for using a 3rd-party cert.
> >
> > Once upon a time, Chris Adams said:
> > > Circling back to an old email...
> > >
> > > Once upon a time, Yedidyah Bar David said:
> > > > On Wed, Jan 30, 2019 at 10:28 PM Chris Adams wrote:
> > > > > However, while digging, I also noticed that now the engine is not communicating with ovirt-provider-ovn, possibly due to a similar issue? It is having the reverse problem; it rejects the engine's cert.
> > > >
> > > > Didn't try this yet, adding Dominik.
> > >
> > > Was anybody able to look at this? I had to use my dev hardware for something else for a bit, so re-installed with 4.3.5 yesterday. The imageio SSL cert issue looks good, but I still can't figure out the ovirt-provider-ovn CA usage.
> > >
> > > My little bit of digging seems to show that the engine connects to the provider and is using an SSL client cert, and that cert is signed by something... but I'm not sure what. I think the provider side is trying to validate with the following setting from /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> > >
> > > [OVIRT]
> > > ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem
> > >
> > > Following the general "3rd-party SSL", that is now the Let's Encrypt CA. I tried changing it to point to the original self-signed oVirt CA (same directory, just "ca.pem"), but that didn't work either.
> > >
> > > Any suggestions?
> >

List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/5HZ42UMK6RQFSETO5ED4ZUKSPFFO5TD4/
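To make the bool('') point in this message concrete, here is an added example (not code from oVirt, ovirt-provider-ovn, requests or anyone in the thread). It resolves ovirt-ca-file across a conf.d directory and re-states, in simplified form, the branch of requests' HTTPAdapter.cert_verify() linked above, showing that the empty-string workaround turns server certificate validation off while the ca-bundle.crt setting keeps it on. Assumptions: conf.d files are read in sorted order with later files overriding earlier ones (inferred from the 10-/99- file names), the setting is passed straight through as requests' verify= argument, and all paths and file contents below are constructed stand-ins.

```python
"""Trace what ovirt-provider-ovn's ovirt-ca-file setting means for TLS verification.

Added example, not oVirt's or requests' own code. Assumptions (see lead-in):
- conf.d/*.conf are read in lexical order, later files override earlier ones;
- requests_tls_policy() is a simplified re-statement of the cert_verify()
  branch in requests/adapters.py, not the library code itself.
"""
import configparser
import os
import tempfile

# Stand-in for the CA bundle requests ships with (certifi); constructed placeholder.
DEFAULT_CA_BUNDLE_PATH = "/PLACEHOLDER/certifi/cacert.pem"


def effective_ca_file(conf_dir):
    """Return the last [OVIRT] ovirt-ca-file value across conf_dir/*.conf (sorted).

    None when no file sets the key; '' when a file sets it to the empty string,
    which is exactly what the 99-custom-cert.conf workaround does.
    """
    value = None
    for name in sorted(os.listdir(conf_dir)):
        if not name.endswith(".conf"):
            continue
        cp = configparser.ConfigParser()
        cp.read(os.path.join(conf_dir, name))
        if cp.has_option("OVIRT", "ovirt-ca-file"):
            value = cp.get("OVIRT", "ovirt-ca-file")
    return value


def requests_tls_policy(verify, default_bundle=DEFAULT_CA_BUNDLE_PATH):
    """Mirror of requests' decision for an https URL given its verify= argument.

    Anything falsy, the empty string included, means the peer certificate is
    NOT validated (cert_reqs CERT_NONE). True means the default bundle; a
    string is a CA file or directory that must exist.
    """
    if not verify:
        return {"cert_reqs": "CERT_NONE"}
    cert_loc = verify if verify is not True else default_bundle
    if not os.path.exists(cert_loc):
        raise OSError("Could not find a suitable TLS CA certificate bundle, "
                      "invalid path: {}".format(cert_loc))
    policy = {"cert_reqs": "CERT_REQUIRED"}
    if os.path.isdir(cert_loc):
        policy["ca_cert_dir"] = cert_loc
    else:
        policy["ca_certs"] = cert_loc
    return policy


def provider_policy(conf_dir):
    """What the provider's merged config makes requests do, plus a verdict flag."""
    ca_file = effective_ca_file(conf_dir)
    # Assumption: the provider passes the raw setting through as verify=...;
    # an unset key is treated as requests' default (True).
    policy = requests_tls_policy(ca_file if ca_file is not None else True)
    policy["ovirt_ca_file"] = ca_file
    policy["verified"] = policy["cert_reqs"] == "CERT_REQUIRED"
    return policy


def write_conf(conf_dir, name, ca_file_line):
    """Write a minimal [OVIRT] drop-in with one ovirt-ca-file line."""
    with open(os.path.join(conf_dir, name), "w") as fh:
        fh.write("[OVIRT]\n" + ca_file_line + "\n")


def demo():
    """Constructed scenario from the thread: 10-setup points at apache-ca.pem,
    99-custom first blanks the key (the workaround), then names the system bundle."""
    with tempfile.TemporaryDirectory() as tmp:
        conf_dir = os.path.join(tmp, "conf.d")
        os.mkdir(conf_dir)
        # Stand-ins for /etc/pki/ovirt-engine/apache-ca.pem and
        # /etc/pki/tls/certs/ca-bundle.crt; only their existence matters here.
        apache_ca = os.path.join(tmp, "apache-ca.pem")
        bundle = os.path.join(tmp, "ca-bundle.crt")
        for path in (apache_ca, bundle):
            with open(path, "w") as fh:
                fh.write("# constructed placeholder, not a real certificate\n")

        write_conf(conf_dir, "10-setup-ovirt-provider-ovn.conf", "ovirt-ca-file=" + apache_ca)
        baseline = provider_policy(conf_dir)

        write_conf(conf_dir, "99-custom-cert.conf", "ovirt-ca-file=")
        blanked = provider_policy(conf_dir)  # CERT_NONE: no validation at all

        write_conf(conf_dir, "99-custom-cert.conf", "ovirt-ca-file=" + bundle)
        bundled = provider_policy(conf_dir)  # CERT_REQUIRED against the bundle

        return {"baseline": baseline, "blanked": blanked, "bundled": bundled}


if __name__ == "__main__":
    for label, policy in demo().items():
        print(label, policy)
```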
[ovirt-users] Re: Use public-signed SSL certs?
On Thu, 1 Aug 2019 20:45:56 -0500
Chris Adams wrote:

> I figured it out. When ovirt-provider-ovn attempts to connect back to the engine via HTTPS, it tells the python requests module to use the specified CA cert file... but that won't work with most 3rd-party certs because they have an intermediate cert as well. It appears that the requests module tries to validate both certs.
>
> Creating /etc/ovirt-provider-ovn/conf.d/99-custom-cert.conf that just has:
>
> [OVIRT]
> ovirt-ca-file=
>
> tells the module to use the regular system CA cert file(s), which works.

Thanks for your investigation!
Looks like the empty string is converted implicitly to Boolean in
https://github.com/psf/requests/blob/75bdc998e2d430a35d869b2abf1779bd0d34890e/requests/adapters.py#L215
Because bool('') is False in python, the certificate should be checked at all.

Would
ovirt-ca-file=/etc/pki/tls/certs/ca-bundle.crt
work for you?
(It works for https://helloworld.letsencrypt.org)

> This should probably be added to the oVirt doc for using a 3rd-party cert.
>
> Once upon a time, Chris Adams said:
> > Circling back to an old email...
> >
> > Once upon a time, Yedidyah Bar David said:
> > > On Wed, Jan 30, 2019 at 10:28 PM Chris Adams wrote:
> > > > However, while digging, I also noticed that now the engine is not communicating with ovirt-provider-ovn, possibly due to a similar issue? It is having the reverse problem; it rejects the engine's cert.
> > >
> > > Didn't try this yet, adding Dominik.
> >
> > Was anybody able to look at this? I had to use my dev hardware for something else for a bit, so re-installed with 4.3.5 yesterday. The imageio SSL cert issue looks good, but I still can't figure out the ovirt-provider-ovn CA usage.
> >
> > My little bit of digging seems to show that the engine connects to the provider and is using an SSL client cert, and that cert is signed by something... but I'm not sure what. I think the provider side is trying to validate with the following setting from /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> >
> > [OVIRT]
> > ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem
> >
> > Following the general "3rd-party SSL", that is now the Let's Encrypt CA. I tried changing it to point to the original self-signed oVirt CA (same directory, just "ca.pem"), but that didn't work either.
> >
> > Any suggestions?

List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/BDVMCNCD7AHEBNFJ7QADJ7Y4ARNHQO3Y/
[ovirt-users] Re: Use public-signed SSL certs?
I figured it out. When ovirt-provider-ovn attempts to connect back to the engine via HTTPS, it tells the python requests module to use the specified CA cert file... but that won't work with most 3rd-party certs because they have an intermediate cert as well. It appears that the requests module tries to validate both certs.

Creating /etc/ovirt-provider-ovn/conf.d/99-custom-cert.conf that just has:

[OVIRT]
ovirt-ca-file=

tells the module to use the regular system CA cert file(s), which works.

This should probably be added to the oVirt doc for using a 3rd-party cert.

Once upon a time, Chris Adams said:
> Circling back to an old email...
>
> Once upon a time, Yedidyah Bar David said:
> > On Wed, Jan 30, 2019 at 10:28 PM Chris Adams wrote:
> > > However, while digging, I also noticed that now the engine is not communicating with ovirt-provider-ovn, possibly due to a similar issue? It is having the reverse problem; it rejects the engine's cert.
> >
> > Didn't try this yet, adding Dominik.
>
> Was anybody able to look at this? I had to use my dev hardware for something else for a bit, so re-installed with 4.3.5 yesterday. The imageio SSL cert issue looks good, but I still can't figure out the ovirt-provider-ovn CA usage.
>
> My little bit of digging seems to show that the engine connects to the provider and is using an SSL client cert, and that cert is signed by something... but I'm not sure what. I think the provider side is trying to validate with the following setting from /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
>
> [OVIRT]
> ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem
>
> Following the general "3rd-party SSL", that is now the Let's Encrypt CA. I tried changing it to point to the original self-signed oVirt CA (same directory, just "ca.pem"), but that didn't work either.
>
> Any suggestions?

--
Chris Adams

List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/AG3IN73YZ2WLBLNCA2V42LE5V72XQ6Y6/
[ovirt-users] Re: Use public-signed SSL certs?
Circling back to an old email...

Once upon a time, Yedidyah Bar David said:
> On Wed, Jan 30, 2019 at 10:28 PM Chris Adams wrote:
> > However, while digging, I also noticed that now the engine is not communicating with ovirt-provider-ovn, possibly due to a similar issue? It is having the reverse problem; it rejects the engine's cert.
>
> Didn't try this yet, adding Dominik.

Was anybody able to look at this? I had to use my dev hardware for something else for a bit, so re-installed with 4.3.5 yesterday. The imageio SSL cert issue looks good, but I still can't figure out the ovirt-provider-ovn CA usage.

My little bit of digging seems to show that the engine connects to the provider and is using an SSL client cert, and that cert is signed by something... but I'm not sure what. I think the provider side is trying to validate with the following setting from /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf

[OVIRT]
ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem

Following the general "3rd-party SSL", that is now the Let's Encrypt CA. I tried changing it to point to the original self-signed oVirt CA (same directory, just "ca.pem"), but that didn't work either.

Any suggestions?

--
Chris Adams

List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/VBM4JSHX2IC2DLEZJB2O3FBPRILPU3HV/
[ovirt-users] Re: Use public-signed SSL certs?
On Mon, Feb 4, 2019 at 1:21 PM Yedidyah Bar David wrote:
>
> On Wed, Jan 30, 2019 at 10:28 PM Chris Adams wrote:
> >
> > Digging a little deeper... if I add the Let's Encrypt CA to /etc/pki/ovirt-engine/.truststore, imageio-proxy works (I can successfully upload an ISO), so I guess the issue is that imageio-proxy uses the same cert for web and engine communication and the engine wasn't happy with the public-CA-signed cert.
>
> I think I agree with your analysis.
>
> I now reproduced this on a test env.
>
> I started with ovirt-system-tests basic suite deploy, made sure I can upload an image.
>
> Then I followed the docs about replacing certs, using a temporarily-created CA for testing (using openssl, actually using a copy of the engine's pki scripts), including adding 99-custom-truststore.conf, imported the CA's cert to the browser, and:
>
> 1. Connecting with the browser worked, all is green.
>
> 2. Logged in, pressed "Disks -> Upload -> Start -> Test Connection", and it failed.
>
> 3. Edited the ovirt-imageio-proxy conf to point key and cert to a key and cert I created and signed using my temp ca, restarted it, "Test Connection" worked.
>
> 4. Actually uploading the image failed as you describe.
>
> 5. Imported my CA's cert to /etc/pki/ovirt-engine/.truststore, using:
>
> keytool -importcert -trustcacerts -keystore /etc/pki/ovirt-engine/.truststore -storepass mypass -file /etc/pki/ovirt-engine/apache-ca.pem
>
> and restarted the engine, and then upload works.
>
> Adding Martin and Nir.
>
> >
> > So, rather than point part of the engine at a separate trust store (as the docs recommend), maybe just add the public CA to the engine's existing trust store?
>
> I admit I still didn't try to fully analyze this myself, but I tend to agree with you. Or rather: Our docs should probably support both options - tell the engine to trust (and use?) the system-wide store, or manually add a specific cert. Because I guess you can find people that will prefer either option.

Decided that only the first makes sense, opened this bug, should be fixed in 4.3.2:

https://bugzilla.redhat.com/1687301

This is obviously just one step. The next will be:

https://bugzilla.redhat.com/show_bug.cgi?id=1637809

Then, hopefully, following the existing doc to use 3rd-party CA will "just work" also for imageio.

BTW, of course you can also create another custom truststore only for https access to the engine, and point ENGINE_HTTPS_PKI_TRUST_STORE at it - but I wouldn't add this to the docs before we have automated testing that makes sure this does not break in the future.

Best regards,

> >
> > However, while digging, I also noticed that now the engine is not communicating with ovirt-provider-ovn, possibly due to a similar issue? It is having the reverse problem; it rejects the engine's cert.
>
> Didn't try this yet, adding Dominik.
>
> >
> > This is all on 4.2.8 BTW.
>
> I personally tried this on:
>
> ovirt-engine-4.3.0-0.8.master.20190122121624.git9a8a519.el7.noarch
>
> I guess the behavior didn't change much between them.
>
> Thanks for your debugging and report!
>
> Best regards,
> --
> Didi

--
Didi

List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/JB2DV6MH6G3UUKSRSUYL4ASO4HJHKCDD/
[ovirt-users] Re: Use public-signed SSL certs?
On Mon, 4 Feb 2019 13:21:56 +0200
Yedidyah Bar David wrote:

> On Wed, Jan 30, 2019 at 10:28 PM Chris Adams wrote:
> >
> > Digging a little deeper... if I add the Let's Encrypt CA to /etc/pki/ovirt-engine/.truststore, imageio-proxy works (I can successfully upload an ISO), so I guess the issue is that imageio-proxy uses the same cert for web and engine communication and the engine wasn't happy with the public-CA-signed cert.
>
> I think I agree with your analysis.
>
> I now reproduced this on a test env.
>
> I started with ovirt-system-tests basic suite deploy, made sure I can upload an image.
>
> Then I followed the docs about replacing certs, using a temporarily-created CA for testing (using openssl, actually using a copy of the engine's pki scripts), including adding 99-custom-truststore.conf, imported the CA's cert to the browser, and:
>
> 1. Connecting with the browser worked, all is green.
>
> 2. Logged in, pressed "Disks -> Upload -> Start -> Test Connection", and it failed.
>
> 3. Edited the ovirt-imageio-proxy conf to point key and cert to a key and cert I created and signed using my temp ca, restarted it, "Test Connection" worked.
>
> 4. Actually uploading the image failed as you describe.
>
> 5. Imported my CA's cert to /etc/pki/ovirt-engine/.truststore, using:
>
> keytool -importcert -trustcacerts -keystore /etc/pki/ovirt-engine/.truststore -storepass mypass -file /etc/pki/ovirt-engine/apache-ca.pem
>
> and restarted the engine, and then upload works.
>
> Adding Martin and Nir.
>
> >
> > So, rather than point part of the engine at a separate trust store (as the docs recommend), maybe just add the public CA to the engine's existing trust store?
>
> I admit I still didn't try to fully analyze this myself, but I tend to agree with you. Or rather: Our docs should probably support both options - tell the engine to trust (and use?) the system-wide store, or manually add a specific cert. Because I guess you can find people that will prefer either option.
>
> >
> > However, while digging, I also noticed that now the engine is not communicating with ovirt-provider-ovn, possibly due to a similar issue? It is having the reverse problem; it rejects the engine's cert.
>
> Didn't try this yet, adding Dominik.
>

Please ensure that the configured certificates in /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf, especially ovirt-ca-file, point to the expected files, and restart ovirt-provider-ovn. If this does not solve the issue, please share ovirt-provider-ovn.log.

> >
> > This is all on 4.2.8 BTW.
>
> I personally tried this on:
>
> ovirt-engine-4.3.0-0.8.master.20190122121624.git9a8a519.el7.noarch
>
> I guess the behavior didn't change much between them.
>
> Thanks for your debugging and report!
>
> Best regards,

List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/AKV4FL2B4CLZC6VQ3JUC3D55JRNULNHI/
[ovirt-users] Re: Use public-signed SSL certs?
On Wed, Jan 30, 2019 at 10:28 PM Chris Adams wrote:
>
> Digging a little deeper... if I add the Let's Encrypt CA to /etc/pki/ovirt-engine/.truststore, imageio-proxy works (I can successfully upload an ISO), so I guess the issue is that imageio-proxy uses the same cert for web and engine communication and the engine wasn't happy with the public-CA-signed cert.

I think I agree with your analysis.

I now reproduced this on a test env.

I started with ovirt-system-tests basic suite deploy, made sure I can upload an image.

Then I followed the docs about replacing certs, using a temporarily-created CA for testing (using openssl, actually using a copy of the engine's pki scripts), including adding 99-custom-truststore.conf, imported the CA's cert to the browser, and:

1. Connecting with the browser worked, all is green.

2. Logged in, pressed "Disks -> Upload -> Start -> Test Connection", and it failed.

3. Edited the ovirt-imageio-proxy conf to point key and cert to a key and cert I created and signed using my temp ca, restarted it, "Test Connection" worked.

4. Actually uploading the image failed as you describe.

5. Imported my CA's cert to /etc/pki/ovirt-engine/.truststore, using:

keytool -importcert -trustcacerts -keystore /etc/pki/ovirt-engine/.truststore -storepass mypass -file /etc/pki/ovirt-engine/apache-ca.pem

and restarted the engine, and then upload works.

Adding Martin and Nir.

>
> So, rather than point part of the engine at a separate trust store (as the docs recommend), maybe just add the public CA to the engine's existing trust store?

I admit I still didn't try to fully analyze this myself, but I tend to agree with you. Or rather: Our docs should probably support both options - tell the engine to trust (and use?) the system-wide store, or manually add a specific cert. Because I guess you can find people that will prefer either option.

>
> However, while digging, I also noticed that now the engine is not communicating with ovirt-provider-ovn, possibly due to a similar issue? It is having the reverse problem; it rejects the engine's cert.

Didn't try this yet, adding Dominik.

>
> This is all on 4.2.8 BTW.

I personally tried this on:

ovirt-engine-4.3.0-0.8.master.20190122121624.git9a8a519.el7.noarch

I guess the behavior didn't change much between them.

Thanks for your debugging and report!

Best regards,
--
Didi

List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/MSEUGUHVCXWESA7SOLYQHGYB6LVN77KE/
[ovirt-users] Re: Use public-signed SSL certs?
I got it working by changing the SSL certs pointed out in the /etc/imageio-proxy/imageio-proxy.conf.

BR

Chris Adams wrote on Wed, 30 Jan 2019, 21:28:

> Digging a little deeper... if I add the Let's Encrypt CA to /etc/pki/ovirt-engine/.truststore, imageio-proxy works (I can successfully upload an ISO), so I guess the issue is that imageio-proxy uses the same cert for web and engine communication and the engine wasn't happy with the public-CA-signed cert.
>
> So, rather than point part of the engine at a separate trust store (as the docs recommend), maybe just add the public CA to the engine's existing trust store?
>
> However, while digging, I also noticed that now the engine is not communicating with ovirt-provider-ovn, possibly due to a similar issue? It is having the reverse problem; it rejects the engine's cert.
>
> This is all on 4.2.8 BTW.
> --
> Chris Adams

List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/JJB7EQNSF37RDAZXDIIGHBKX7C2DKPE5/
[ovirt-users] Re: Use public-signed SSL certs?
Digging a little deeper... if I add the Let's Encrypt CA to /etc/pki/ovirt-engine/.truststore, imageio-proxy works (I can successfully upload an ISO), so I guess the issue is that imageio-proxy uses the same cert for web and engine communication and the engine wasn't happy with the public-CA-signed cert.

So, rather than point part of the engine at a separate trust store (as the docs recommend), maybe just add the public CA to the engine's existing trust store?

However, while digging, I also noticed that now the engine is not communicating with ovirt-provider-ovn, possibly due to a similar issue? It is having the reverse problem; it rejects the engine's cert.

This is all on 4.2.8 BTW.

--
Chris Adams

List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/FC6FNKINSVQFA7FDO2D6FBSHP2U5D7WI/
[ovirt-users] Re: Use public-signed SSL certs?
Once upon a time, Yedidyah Bar David said:
> On Tue, Jan 29, 2019 at 6:05 PM Chris Adams wrote:
> > I installed an SSL cert from a public CA (Let's Encrypt) on my engine, following this:
> >
> > https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.2/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_CA_Certificate
> >
> > That gets the regular web UI working, but I can't upload an ISO. I assume that I need to do something with the imageio-proxy service on the engine, but not sure what... I tried replacing imageio-proxy.cer and imageio-proxy.key.nopass, but that didn't work.
>
> Did you restart the imageio-proxy?
>
> What didn't work? What happened?

I did restart the service. When I then try to upload an ISO image, I get "Paused by System" and this in engine.log:

2019-01-30 08:12:15,871-06 ERROR [org.ovirt.engine.core.bll.storage.disk.image.TransferDiskImageCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-52) [0052c7ad-38d7-429d-be3a-eb0e496d5ee8] Failed to add image ticket to ovirt-imageio-proxy: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [jsse.jar:1.8.0_191]
 at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946) [jsse.jar:1.8.0_191]
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316) [jsse.jar:1.8.0_191]
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310) [jsse.jar:1.8.0_191]
 at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639) [jsse.jar:1.8.0_191]
 at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) [jsse.jar:1.8.0_191]
 at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) [jsse.jar:1.8.0_191]
 at
[ovirt-users] Re: Use public-signed SSL certs?
On Tue, Jan 29, 2019 at 6:05 PM Chris Adams wrote:
>
> I installed an SSL cert from a public CA (Let's Encrypt) on my engine, following this:
>
> https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.2/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_CA_Certificate
>
> That gets the regular web UI working, but I can't upload an ISO. I assume that I need to do something with the imageio-proxy service on the engine, but not sure what... I tried replacing imageio-proxy.cer and imageio-proxy.key.nopass, but that didn't work.

Did you restart the imageio-proxy?

What didn't work? What happened?

>
> I'm trying to avoid ever needing to install a special CA cert in browsers.

Makes sense. This is a known bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1637809

Before opening it, we had a bug about fixing the documentation you point at:

https://bugzilla.redhat.com/show_bug.cgi?id=1385617

As mentioned there, what you tried to do should have worked.

Best regards,
--
Didi

List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZYR3ZJU5V57356DFSZ6BNCWBGX5Q6PP5/
[ovirt-users] Re: Use public-signed SSL certs?
Did you try running engine-setup?

Regards,
Paul S.

From: Chris Adams
Sent: 29 January 2019 15:51
To: users@ovirt.org
Subject: [ovirt-users] Use public-signed SSL certs?

I installed an SSL cert from a public CA (Let's Encrypt) on my engine, following this:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.2/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_CA_Certificate

That gets the regular web UI working, but I can't upload an ISO. I assume that I need to do something with the imageio-proxy service on the engine, but not sure what... I tried replacing imageio-proxy.cer and imageio-proxy.key.nopass, but that didn't work.

I'm trying to avoid ever needing to install a special CA cert in browsers.

--
Chris Adams

List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/NZBGRCKW6WA4WISTCRDJIFUCMNIKJ2CG/

List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/VY3FEC5VFBDP5OMCENB2FZTSEAX43ONX/
[ovirt-users] Re: Use public-signed SSL certs?
Once upon a time, John Florian said:
> Just to follow up on this Chris, I have my puppet drop my CA cert in /etc/pki/ca-trust/source/anchors/, my self-signed cert in /etc/pki/ovirt-engine/certs/ and my key in /etc/pki/ovirt-engine/keys. I also manage /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf to have:
>
> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
>
> I believe this gives me everything you seek.

That works to get the core engine UI using a new cert (that and a little more are in the Red Hat URL in my original message). It doesn't handle the imageio-proxy however.

--
Chris Adams

List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/SPQLME4PMHRXM6LCVSX4V5GNZLFOIF4W/
[ovirt-users] Re: Use public-signed SSL certs?
On 1/29/19 3:13 PM, John Florian wrote:
> On 1/29/19 2:47 PM, Chris Adams wrote:
>> Once upon a time, John Florian said:
>>> On 1/29/19 1:30 PM, Chris Adams wrote:
>>>> Can that be run non-interactively to do whatever is needed? I'm using a
>>>> Let's Encrypt cert, which needs to have a 100% automated deployment.
>>> Yes, I believe so. Look at the whole biz with the "answers" file
>>> and the --config-append=file option. You should already have a
>>> generated answers file laying around from when you ran engine-setup
>>> before. See /var/lib/ovirt-engine/setup/answers IIRC.
>> Hmm, that won't work - it looks like you can't run engine-setup on a
>> hosted engine unless you first set hosted-engine HA to global
>> maintenance.
>>
>> Is running engine-setup necessary to install/update certificates, or
>> maybe is there a simpler way?
>
> I'm quite certain you can do it w/o engine-setup if you hit all the
> right file locations.

Just to follow up on this Chris, I have my puppet drop my CA cert in /etc/pki/ca-trust/source/anchors/, my self-signed cert in /etc/pki/ovirt-engine/certs/ and my key in /etc/pki/ovirt-engine/keys. I also manage /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf to have:

ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""

I believe this gives me everything you seek.
--
John Florian
___
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/QHWEL244HI4ZNZXDMSSG23UOL7RIBVGF/
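The file layout John describes above (and that Chris confirms works for the engine UI), turned into a certbot deploy hook so the renewal is fully automated without running engine-setup. This is an added example, not code from the thread or from oVirt. It uses the paths quoted in the thread (/etc/pki/ovirt-engine/certs, /etc/pki/ovirt-engine/keys, the 99-custom-truststore.conf override) plus the apache.cer / apache.key.nopass / apache-ca.pem file names from the Red Hat procedure Chris linked; ROOT is a hypothetical prefix added here so the functions can be dry-run against a scratch directory. It deliberately does nothing for imageio-proxy, which the thread leaves unresolved.

```shell
#!/bin/sh
# Added example, not from the thread or from oVirt: a certbot deploy hook that
# installs a public-CA (Let's Encrypt) certificate into the oVirt engine's
# Apache paths and points the engine at the system CA store, using the file
# locations named in the thread. ROOT is a hypothetical prefix (empty on a real
# engine) so the functions can be dry-run against a scratch directory.
# imageio-proxy is deliberately left alone: the thread does not settle how to
# re-certify it, and engine-setup is reported to overwrite its config.
set -eu

ROOT="${ROOT:-}"

# Engine override quoted in the thread: validate HTTPS against the system Java
# trust store (which holds the public roots) instead of the oVirt CA only.
write_truststore_conf() {
    conf="$ROOT/etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf"
    mkdir -p "$(dirname "$conf")"
    cat > "$conf" <<'EOF'
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
EOF
    echo "$conf"
}

# Install server cert, key and CA chain into the paths the engine's httpd
# config uses (apache.cer / apache.key.nopass / apache-ca.pem, from the Red Hat
# procedure linked in the thread).
#   $1 = server cert (PEM)   $2 = private key   $3 = intermediate/root chain
install_apache_cert() {
    cert="$1"; key="$2"; chain="$3"
    pki="$ROOT/etc/pki/ovirt-engine"
    mkdir -p "$pki/certs" "$pki/keys"
    # Private key: owner-only, never world-readable (the hook runs as root).
    install -m 0600 "$key" "$pki/keys/apache.key.nopass"
    install -m 0644 "$cert" "$pki/certs/apache.cer"
    # apache-ca.pem is normally a symlink to the oVirt CA; replace it with the
    # public chain so Apache serves the intermediate browsers need to validate.
    rm -f "$pki/apache-ca.pem"
    install -m 0644 "$chain" "$pki/apache-ca.pem"
}

# The check a browser effectively performs: does the served chain validate
# against the system bundle, with no oVirt CA involved? Needs openssl + network.
verify_served_chain() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" \
        -CAfile /etc/pki/tls/certs/ca-bundle.crt -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# certbot exports RENEWED_LINEAGE (the live/<name> directory) to deploy hooks.
if [ -n "${RENEWED_LINEAGE:-}" ] && [ -z "$ROOT" ]; then
    install_apache_cert "$RENEWED_LINEAGE/cert.pem" \
                        "$RENEWED_LINEAGE/privkey.pem" \
                        "$RENEWED_LINEAGE/chain.pem"
    write_truststore_conf >/dev/null
    systemctl restart httpd ovirt-engine
    verify_served_chain "$(hostname -f)" \
        || echo "WARNING: served chain does not validate against the system CA bundle" >&2
fi
```

Wire it in with `certbot ... --deploy-hook /usr/local/sbin/ovirt-engine-cert-hook.sh`; certbot only runs the hook when a certificate was actually renewed. The `verify_served_chain` step is the one worth keeping even if you deploy by other means: a public-CA leaf with the intermediate missing from apache-ca.pem validates in a client that already caches the intermediate and fails in one that does not, which is exactly the intermittent "works in my browser, fails from the API client" symptom. Note also the trust-scope trade-off in the override: pointing ENGINE_HTTPS_PKI_TRUST_STORE at /etc/pki/java/cacerts makes the engine accept any publicly trusted CA for its own HTTPS endpoint, which is what a public cert needs but is broader than the oVirt-CA-only default.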
[ovirt-users] Re: Use public-signed SSL certs?
On 1/29/19 2:47 PM, Chris Adams wrote:
> Once upon a time, John Florian said:
>> On 1/29/19 1:30 PM, Chris Adams wrote:
>>> Can that be run non-interactively to do whatever is needed? I'm using a
>>> Let's Encrypt cert, which needs to have a 100% automated deployment.
>> Yes, I believe so. Look at the whole biz with the "answers" file and the
>> --config-append=file option. You should already have a generated answers
>> file laying around from when you ran engine-setup before. See
>> /var/lib/ovirt-engine/setup/answers IIRC.
> Hmm, that won't work - it looks like you can't run engine-setup on a
> hosted engine unless you first set hosted-engine HA to global
> maintenance.
>
> Is running engine-setup necessary to install/update certificates, or
> maybe is there a simpler way?

I'm quite certain you can do it w/o engine-setup if you hit all the right file locations.
___
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/23CSSA5MA22MFA7NZMOKA7RVRHQAHYUC/
[ovirt-users] Re: Use public-signed SSL certs?
Once upon a time, John Florian said:
> On 1/29/19 1:30 PM, Chris Adams wrote:
>> Can that be run non-interactively to do whatever is needed?
>> I'm using a Let's Encrypt cert, which needs to have a 100% automated
>> deployment.
>
> Yes, I believe so. Look at the whole biz with the "answers" file
> and the --config-append=file option. You should already have a
> generated answers file laying around from when you ran engine-setup
> before. See /var/lib/ovirt-engine/setup/answers IIRC.

Hmm, that won't work - it looks like you can't run engine-setup on a hosted engine unless you first set hosted-engine HA to global maintenance.

Is running engine-setup necessary to install/update certificates, or maybe is there a simpler way?
--
Chris Adams
___
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/OLWCGI5DFDPGZMACRH4CLEAA57MM6KDF/
[ovirt-users] Re: Use public-signed SSL certs?
On 1/29/19 1:30 PM, Chris Adams wrote:
> Can that be run non-interactively to do whatever is needed? I'm using a
> Let's Encrypt cert, which needs to have a 100% automated deployment.

Yes, I believe so. Look at the whole biz with the "answers" file and the --config-append=file option. You should already have a generated answers file laying around from when you ran engine-setup before. See /var/lib/ovirt-engine/setup/answers IIRC.
___
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/4V7XPHN63OD5LON365IBXH4KCBAV7XID/
[ovirt-users] Re: Use public-signed SSL certs?
I had not. Can that be run non-interactively to do whatever is needed? I'm using a Let's Encrypt cert, which needs to have a 100% automated deployment.

Once upon a time, Staniforth, Paul said:
> Did you try running engine-setup?
>
> Regards,
> Paul S.
>
> From: Chris Adams
> Sent: 29 January 2019 15:51
> To: users@ovirt.org
> Subject: [ovirt-users] Use public-signed SSL certs?
>
> I installed an SSL cert from a public CA (Let's Encrypt) on my engine,
> following this:
>
> https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.2/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_CA_Certificate
>
> That gets the regular web UI working, but I can't upload an ISO. I
> assume that I need to do something with the imageio-proxy service on the
> engine, but not sure what... I tried replacing imageio-proxy.cer and
> imageio-proxy.key.nopass, but that didn't work.
>
> I'm trying to avoid ever needing to install a special CA cert in
> browsers.
> --
> Chris Adams
--
Chris Adams
___
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/MO64G3S2MXF5HA54E5PSHNDAZU2OPIYL/