Hi all, I am trying to replace the ovirt certificate at ovirt 4.3 following this:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.3/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl

I am doing the following. I have engine FQDN: manager.lab.local

1. Create root CA private key:

   openssl genrsa -des3 -out root.key 2048

2. Generate root certificate (enter passphrase of root key):

   openssl req -x509 -new -nodes -key root.key -sha256 -days 3650 -out root.pem
   cp root.pem /tmp

3. Create key and CSR for engine:

   openssl genrsa -out manager.lab.local.key 2048
   openssl req -new -out manager.lab.local.csr -key manager.lab.local.key

4. Generate a certificate for engine and sign with the root CA key:

   openssl x509 -req -in manager.lab.local.csr \
     -CA root.pem \
     -CAkey root.key \
     -CAcreateserial \
     -out manager.lab.local.crt \
     -days 3650 \
     -sha256 \
     -extensions v3_req

5. Verify the trust chain and check the certificate details:

   openssl verify -CAfile root.pem manager.lab.local.crt
   openssl x509 -text -noout -in manager.lab.local.crt | head -15

6. Generate a P12 container (with empty password):

   openssl pkcs12 -export -out /tmp/apache.p12 \
     -inkey manager.lab.local.key \
     -in manager.lab.local.crt

8. Export key and cert:

   openssl pkcs12 -in apache.p12 -nocerts -nodes > /tmp/apache.key
   openssl pkcs12 -in apache.p12 -nokeys > /tmp/apache.cer

From the above steps we should have the following:

   /tmp/root.pem
   /tmp/apache.p12
   /tmp/apache.key
   /tmp/apache.cer

9. Place the certificates:

   hosted-engine --set-maintenance --mode=global
   cp -p /etc/pki/ovirt-engine/keys/apache.p12 /tmp/apache.p12.bck
   cp /tmp/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12
   cp /tmp/root.pem /etc/pki/ca-trust/source/anchors
   update-ca-trust
   rm /etc/pki/ovirt-engine/apache-ca.pem
   cp /tmp/root.pem /etc/pki/ovirt-engine/apache-ca.pem

   Backup existing key and cert:

   cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.bck
   cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.bck
   cp /tmp/apache.key /etc/pki/ovirt-engine/keys/apache.key.nopass
   cp /tmp/apache.cer /etc/pki/ovirt-engine/certs/apache.cer
   chown root:ovirt /etc/pki/ovirt-engine/keys/apache.key.nopass
   chmod 640 /etc/pki/ovirt-engine/keys/apache.key.nopass
   systemctl restart httpd.service

10. Create a new trust store configuration file:

   vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
   ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
   ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""

11. Edit /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf:

   vi /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
   SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
   SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass

12. Edit /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf:

   vi /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
   # Key file for SSL connections
   ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
   # Certificate file for SSL connections
   ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer

13. Import the certificate at system-wide java trust store:

   update-ca-trust extract
   keytool -list -alias ovirt -keystore /etc/pki/java/cacerts

14. Restart services:

   systemctl restart httpd.service
   systemctl restart ovirt-provider-ovn.service
   systemctl restart ovirt-imageio-proxy
   systemctl restart ovirt-websocket-proxy
   systemctl restart ovirt-engine.service

Following the above I get at engine GUI:

   sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I have tried also to run engine-setup in case it could fix anything (it renewed the cert due to missing subjectAltName), and the above error still persists. I have tried several other suggestions from similar issues reported at this list without any luck. I have run out of ideas. Am I missing anything?

Thanx for any suggestions.

Alex
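The issuance and verification steps above (steps 1 to 5 and the trust-store check in step 13), as an added shell example that is not part of Alex's post or of the RHV documentation he links: it builds a throwaway root CA and an engine certificate that carries an explicit subjectAltName, verifies the chain against the root the way step 5 does, and checks whether the root's SHA-256 fingerprint is present in a PEM trust bundle. Two points it makes concrete: the `-extensions v3_req` flag on `openssl x509 -req` only takes effect when a section of that name is supplied through `-extfile` (the example ships its own config, so no SAN is silently left out), and a Java "unable to find valid certification path" error means the trust store the engine process actually reads holds no anchor for the presented chain, so confirming which bundle contains the root is the first check to make. The FQDN, file names, config sections and the one-line trust bundle are constructed for the demo; the only assumption is that the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a demo root CA and a
# SAN-bearing engine certificate, verifies the chain, and checks a PEM bundle
# for the root by fingerprint. Assumes the openssl CLI is available.

FQDN="manager.lab.local"   # constructed engine name, as in the post

# make_chain DIR: create root.pem/root.key and $FQDN.crt/$FQDN.key in DIR.
make_chain() {
  dir="$1"
  mkdir -p "$dir"
  # Self-contained config: a CA section for the root and a v3_req section for
  # the engine certificate. Without -extfile, "-extensions v3_req" would read
  # whatever v3_req the system openssl.cnf defines, which has no SAN for us.
  cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$FQDN
EOF
  # Root CA key and self-signed certificate (key left unencrypted for the demo).
  openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/root.key" -sha256 -days 3650 \
    -subj "/CN=Lab Root CA" -config "$dir/openssl.cnf" -extensions v3_ca \
    -out "$dir/root.pem" 2>/dev/null
  # Engine key and CSR.
  openssl genrsa -out "$dir/$FQDN.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$FQDN.key" -subj "/CN=$FQDN" \
    -config "$dir/openssl.cnf" -out "$dir/$FQDN.csr" 2>/dev/null
  # Sign with the root; the SAN comes from the v3_req section in -extfile.
  openssl x509 -req -in "$dir/$FQDN.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 3650 -sha256 \
    -extfile "$dir/openssl.cnf" -extensions v3_req \
    -out "$dir/$FQDN.crt" 2>/dev/null
}

# verify_chain DIR: succeed only if the leaf chains to root.pem AND carries
# the expected DNS SAN (a leaf without it is exactly what engine-setup rejects).
verify_chain() {
  dir="$1"
  openssl verify -CAfile "$dir/root.pem" "$dir/$FQDN.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/$FQDN.crt" -noout -text 2>/dev/null | grep -q "DNS:$FQDN"
}

# ca_in_bundle CA_PEM BUNDLE_PEM: succeed if the CA's SHA-256 fingerprint matches
# any certificate in BUNDLE_PEM. Comment or label lines between certificates
# (as found in extracted trust bundles) are tolerated.
ca_in_bundle() {
  want=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
  tmp=$(mktemp)
  found=1
  while IFS= read -r line; do
    case "$line" in
      *"BEGIN CERTIFICATE"*) : > "$tmp" ;;   # start collecting a new block
    esac
    printf '%s\n' "$line" >> "$tmp"
    case "$line" in
      *"END CERTIFICATE"*)
        got=$(openssl x509 -in "$tmp" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2)
        if [ "$got" = "$want" ]; then found=0; break; fi ;;
    esac
  done < "$2"
  rm -f "$tmp"
  return $found
}

# Usage sketch:
#   d=$(mktemp -d); make_chain "$d"; verify_chain "$d" && echo "chain ok"
#   ca_in_bundle "$d/root.pem" /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
#     && echo "root is in the extracted system bundle"
```

The fingerprint comparison is the shell equivalent of the step-13 keytool listing: on a RHEL-family host, `update-ca-trust extract` rewrites the bundles under /etc/pki/ca-trust/extracted/, so pointing `ca_in_bundle` at the PEM bundle there shows whether the anchor you dropped into /etc/pki/ca-trust/source/anchors actually made it in, independently of what any Java truststore path in engine.conf.d resolves to.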
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/FSIKZJWMW6KKBLCHGZWWXVGQYLPMW7PJ/