Re: [ovirt-users] Replacing engine SSL cert

2017-09-10 Thread Yedidyah Bar David
On Sat, Sep 9, 2017 at 9:48 PM, Chris Adams  wrote:
> I'm writing a script to install a new SSL key/cert pair (from Let's
> Encrypt) for the engine web UI on oVirt 4.1.  I'm looking at this, but
> it's a little confusing.
>
> https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/

You might want to check recent RHV docs:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl

ovirt.org is still not updated, sorry. Patches are welcome :-)

>
> It sounds like steps 1 and 3 are referring to the CA-supplied
> intermediate cert(s), not the actual issue cert for the server.  Is that
> right?

Correct.

>
> Does anything actually use the PKCS12 format file referred to in step 4?

Currently, AFAIK, no.

> I don't normally see that format from regular CAs; they usually provide
> cert+intermediate(s) in PEM format.

Indeed, that's why in above rhv docs we split it up to two procedures.

>
> With Apache 2.4, it is normal to just put the cert+intermediate(s) chain
> in one file and configure Apache with SSLCertificateFile.  You aren't
> supposed to put the CA-supplied cert in the SSLCACertificateFile like
> oVirt appears to do; that's intended to be used for validating client
> certs, not the intermediate(s) for the server cert.

Searching the net I also find:

https://stackoverflow.com/questions/1899983/difference-between-sslcacertificatefile-and-sslcertificatechainfile

Seems like this was changed in:

https://gerrit.ovirt.org/15837

But no idea why. Perhaps we wanted the option to allow authentication
by client certs? See e.g.:

http://machacekondra.blogspot.co.il/2016/02/client-certificate-authentication-with.html

If you think that's a problem, please open a bug. Thanks!

>
> It really just looks like the cert+intermediate(s) should go in
> /etc/pki/ovirt-engine/certs/apache.cer, the corresponding key put in
> /etc/pki/ovirt-engine/keys/apache.key.nopass, and then Apache needs to
> be restarted.  Since oVirt doesn't use the engine web UI cert for
> anything internally (right?),

Mostly right.

> do any of the other steps on the above
> page matter?

For step 8, you can search for 'site:bugzilla.redhat.com
ENGINE_HTTPS_PKI_TRUST_STORE'.
There were several bugs about this.

The log collector always _does_ use the https interface, even on local machine.

Best,
-- 
Didi
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


[ovirt-users] Replacing engine SSL cert

2017-09-09 Thread Chris Adams
I'm writing a script to install a new SSL key/cert pair (from Let's
Encrypt) for the engine web UI on oVirt 4.1.  I'm looking at this, but
it's a little confusing.

https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/

It sounds like steps 1 and 3 are referring to the CA-supplied
intermediate cert(s), not the actual issue cert for the server.  Is that
right?

Does anything actually use the PKCS12 format file referred to in step 4?
I don't normally see that format from regular CAs; they usually provide
cert+intermediate(s) in PEM format.

With Apache 2.4, it is normal to just put the cert+intermediate(s) chain
in one file and configure Apache with SSLCertificateFile.  You aren't
supposed to put the CA-supplied cert in the SSLCACertificateFile like
oVirt appears to do; that's intended to be used for validating client
certs, not the intermediate(s) for the server cert.

It really just looks like the cert+intermediate(s) should go in
/etc/pki/ovirt-engine/certs/apache.cer, the corresponding key put in
/etc/pki/ovirt-engine/keys/apache.key.nopass, and then Apache needs to
be restarted.  Since oVirt doesn't use the engine web UI cert for
anything internally (right?), do any of the other steps on the above
page matter?

-- 
Chris Adams 
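The procedure Chris sketches (full chain into /etc/pki/ovirt-engine/certs/apache.cer, key into /etc/pki/ovirt-engine/keys/apache.key.nopass, restart Apache) and the SSLCertificateFile point from the reply above, written out as a script with the checks a practitioner would want before overwriting the engine's cert. This is an added example, not code from the thread or from the oVirt project. Only the two target paths come from the thread; the certbot-style /etc/letsencrypt/live/<fqdn>/ input paths, the backup naming, the file modes and the "httpd" service name are assumptions, and the existing files' owner and mode should be checked with ls -l before relying on the modes used here.

```shell
#!/bin/sh
# Added example (not from the thread or the oVirt project): install a Let's
# Encrypt fullchain.pem + privkey.pem into the engine's Apache paths quoted in
# the thread, after checking that the key belongs to the leaf certificate and
# that the leaf chains to a trusted root through the bundled intermediates.
# The two target paths come from the thread; backup naming, file modes and the
# "httpd" service name are assumptions.
set -eu

ENGINE_CERT=${ENGINE_CERT:-/etc/pki/ovirt-engine/certs/apache.cer}
ENGINE_KEY=${ENGINE_KEY:-/etc/pki/ovirt-engine/keys/apache.key.nopass}

# Count the "BEGIN CERTIFICATE" blocks in a PEM bundle (text only, no openssl).
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Split a bundle into the leaf (first block) and the intermediates (every
# later block); that is the order Let's Encrypt writes fullchain.pem in.
split_chain() {
    bundle=$1 leaf_out=$2 chain_out=$3
    : > "$chain_out"   # present even when the bundle holds only the leaf
    awk -v leaf="$leaf_out" -v chain="$chain_out" '
        /^-----BEGIN CERTIFICATE-----$/ { n++ }
        n == 1 { print > leaf; next }
        n >= 2 { print > chain }
    ' "$bundle"
}

# True when the private key's public half equals the certificate's public key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# True when the leaf validates against the system trust store with the bundled
# intermediates supplied as untrusted helpers, which is what a browser does.
chain_verifies() {
    openssl verify -untrusted "$2" "$1" >/dev/null
}

install_engine_cert() {
    fullchain=$1 privkey=$2
    tmp=$(mktemp -d)
    split_chain "$fullchain" "$tmp/leaf.pem" "$tmp/chain.pem"
    if ! key_matches_cert "$tmp/leaf.pem" "$privkey"; then
        echo "refusing to install: key does not match certificate" >&2
        rm -rf "$tmp"; return 1
    fi
    if ! chain_verifies "$tmp/leaf.pem" "$tmp/chain.pem"; then
        echo "refusing to install: chain does not verify" >&2
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    # Keep a timestamped copy of what is being replaced (naming is an assumption).
    ts=$(date +%Y%m%d%H%M%S)
    for f in "$ENGINE_CERT" "$ENGINE_KEY"; do
        if [ -f "$f" ]; then cp -p "$f" "$f.$ts.bak"; fi
    done
    # Apache 2.4 reads leaf + intermediates from one SSLCertificateFile, so the
    # whole chain goes into apache.cer; the key is installed root-only readable
    # (modes are assumptions; match whatever the existing files use).
    install -m 0644 "$fullchain" "$ENGINE_CERT"
    install -m 0600 "$privkey" "$ENGINE_KEY"
    systemctl restart httpd
}

# Usage (certbot's default layout, an assumption):
#   sh install-engine-cert.sh /etc/letsencrypt/live/<fqdn>/fullchain.pem \
#                             /etc/letsencrypt/live/<fqdn>/privkey.pem
if [ "$#" -eq 2 ]; then
    install_engine_cert "$1" "$2"
fi
```

The two openssl checks are the ones worth keeping even if the rest is adapted: a key/cert mismatch or a missing intermediate is only noticed after the restart, by clients that can no longer connect, so failing before the copy is cheaper than a rollback from the .bak files.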