Re: [ovirt-users] SSL Workflow for oVirt

2018-01-29 Thread Piotr Kliczewski
Gabriel,

I suggest following the steps from [1]. They should help you understand
why you get "General SSLEngine problem".

Thanks,
Piotr

[1] http://lists.ovirt.org/pipermail/users/2017-September/084320.html

On Tue, Jan 23, 2018 at 1:54 PM, Gabriel Stein wrote:
> Hi all,
>
> I think that I found a way to solve the problem from:
> http://lists.ovirt.org/pipermail/users/2018-January/086441.html and I'm
> trying to fix it.
>
> But my servers are in Production (50%) and I found that there are some errors
> with my SSL certificates.
>
> ## What do I need now? To fix all certificate problems using my FreeIPA-generated
> certificates: vdsmclient* on hosts, ovirt-engine communication SSL
> certificates on hosted-engine.
>
> I made the certificates with FreeIPA (internal) for ovirt-engine (only Apache,
> self-hosted) and the hosts (vdsmclient and vdsmkey) and replaced them using this
> howto:
>
> https://gist.github.com/qrkourier/9c9ac3e8b190dcb91d3767179d5a39ea
>
> ## Now ovirt-engine can't contact a host (Non Responsive), with the following
> errors (yes, I have a backup of all old certificates):
>
> VDSM host.domain.tld command GetCapabilitiesVDS failed: General SSLEngine
> problem
>
> On engine.log:
>
> 2018-01-23 13:33:40,160+01 ERROR
> [org.ovirt.engine.core.vdsbroker.vdsbroker.GetAllVmStatsVDSCommand]
> (EE-ManagedThreadFactory-engineScheduled-Thread-23) [] Command
> 'GetAllVmStatsVDSCommand(HostName = host.domain.tld,
> VdsIdVDSCommandParametersBase:{hostId='d6bc650b-7edd-4019-b316-54313217880f'})'
> execution failed: VDSGenericException: VDSNetworkException: General
> SSLEngine problem
> 2018-01-23 13:33:40,160+01 INFO
> [org.ovirt.engine.core.vdsbroker.monitoring.PollVmStatsRefresher]
> (EE-ManagedThreadFactory-engineScheduled-Thread-23) [] Failed to fetch vms
> info for host 'host.domain.tld' - skipping VMs monitoring.
>
>
> ## I read that ovirt-engine generates certificates for all hosts and that it
> uses its own CA.
>
>
> Questions:
>
> - How can I fix the communication between hosted-engine and vdsm on the hosts?
> Should I copy my FreeIPA ca.crt and replace the ca.der file in
> /etc/pki/ovirt-engine/certs?
>
> - Should I change the engine.cer certificate in
> /etc/pki/ovirt-engine/certs with my certificate made using FreeIPA?
>
> - How to do that properly?
>
> - Where can I find a complete workflow for SSL certificates in oVirt?
> Which certificates should I change?
>
> ## I found some links that to me are confusing (or I'm just dumb); I will
> take my final solution and write a howto for everyone:
>
> - https://www.ovirt.org/develop/release-management/features/infra/pki/ - how
> up to date is that? I can't overwrite a CA from ovirt-engine?
>
> - https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/ -
> Note: Using a commercially issued certificate for HTTPS connections does not
> affect the certificate used for authentication between your Engine and
> hosts. They will continue to use the self-signed certificate generated by
> the Engine...
>
> ... Well, why do I keep receiving errors with the self-signed CA from
> ovirt-engine and the disk uploads? (Unable to upload image to disk a-b-c-d-e
> due to a network error. Make sure ovirt-imageio-proxy service is installed
> and configured, and ovirt-engine's certificate is registered as a valid CA
> in the browser. The certificate can be fetched from
> https:///ovirt-engine/services/pki-resource?resource=ca-certificate=X509-PEM-CA)
>
> Thanks in Advance!
>
> Best Regards,
>
> Gabriel
> PS: I would help with the oVirt Wiki if needed; I would follow the RHCE path
> and do the RHCS certification too, it will be nice to study a lot.
>
> Gabriel Stein
> --
> Gabriel Ferraz Stein
> Tel.: +49 (0)  170 2881531
>
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


[ovirt-users] SSL Workflow for oVirt

2018-01-23 Thread Gabriel Stein
Hi all,

I think that I found a way to solve the problem from:
http://lists.ovirt.org/pipermail/users/2018-January/086441.html and I'm
trying to fix it.

But my servers are in Production (50%) and I found that there are some errors
with my SSL certificates.

## What do I need now? To fix all certificate problems using my FreeIPA-generated
certificates: vdsmclient* on hosts, ovirt-engine communication SSL
certificates on hosted-engine.

I made the certificates with FreeIPA (internal) for ovirt-engine (only Apache,
self-hosted) and the hosts (vdsmclient and vdsmkey) and replaced them using
this howto:

https://gist.github.com/qrkourier/9c9ac3e8b190dcb91d3767179d5a39ea

## Now ovirt-engine can't contact a host (Non Responsive), with the following
errors (yes, I have a backup of all old certificates):

VDSM host.domain.tld command GetCapabilitiesVDS failed: General SSLEngine
problem

On engine.log:

2018-01-23 13:33:40,160+01 ERROR
[org.ovirt.engine.core.vdsbroker.vdsbroker.GetAllVmStatsVDSCommand]
(EE-ManagedThreadFactory-engineScheduled-Thread-23) [] Command
'GetAllVmStatsVDSCommand(HostName = host.domain.tld,
VdsIdVDSCommandParametersBase:{hostId='d6bc650b-7edd-4019-b316-54313217880f'})'
execution failed: VDSGenericException: VDSNetworkException: General
SSLEngine problem
2018-01-23 13:33:40,160+01 INFO
[org.ovirt.engine.core.vdsbroker.monitoring.PollVmStatsRefresher]
(EE-ManagedThreadFactory-engineScheduled-Thread-23) [] Failed to fetch vms
info for host 'host.domain.tld' - skipping VMs monitoring.


## I read that ovirt-engine generates certificates for all hosts and that it
uses its own CA.


Questions:

- How can I fix the communication between hosted-engine and vdsm on the hosts?
Should I copy my FreeIPA ca.crt and replace the ca.der file in
/etc/pki/ovirt-engine/certs?

- Should I change the engine.cer certificate in /etc/pki/ovirt-engine/certs
with my certificate made using FreeIPA?

- How to do that properly?

- Where can I find a complete workflow for SSL certificates in oVirt?
Which certificates should I change?

## I found some links that to me are confusing (or I'm just dumb); I will
take my final solution and write a howto for everyone:

- https://www.ovirt.org/develop/release-management/features/infra/pki/ -
how up to date is that? I can't overwrite a CA from ovirt-engine?

- https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/ -
Note: Using a commercially issued certificate for HTTPS connections does
not affect the certificate used for authentication between your Engine and
hosts. They will continue to use the self-signed certificate generated by
the Engine...

... Well, why do I keep receiving errors with the self-signed CA from
ovirt-engine and the disk uploads? (Unable to upload image to disk
a-b-c-d-e due to a network error. Make sure ovirt-imageio-proxy service is
installed and configured, and ovirt-engine's certificate is registered as a
valid CA in the browser. The certificate can be fetched from
https:///ovirt-engine/services/pki-resource?resource=ca-certificate=X509-PEM-CA)

Thanks in Advance!

Best Regards,

Gabriel
PS: I would help with the oVirt Wiki if needed; I would follow the RHCE
path and do the RHCS certification too, it will be nice to study a lot.

Gabriel Stein
--
Gabriel Ferraz Stein
Tel.: +49 (0)  170 2881531
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
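"General SSLEngine problem" is how the engine's Java TLS stack reports a failed handshake, and a host presenting a certificate that does not chain to the CA the engine trusts is exactly what produces it after a certificate swap. Before touching any CA files, the first thing an operator wants is a list of which hosts and which VDSM commands are failing on the TLS layer. The script below is an added example, not from this thread or from the oVirt project: it parses engine.log lines in the layout quoted above and groups every SSLEngine failure by host. The sample log is constructed inline; the host2/host3 lines and their zero-filled hostIds are invented placeholders, only the host.domain.tld lines are the ones from the thread.

```python
"""Flag engine-to-host TLS trust failures in an oVirt engine.log.

Added example (not from the thread or the oVirt project): parses lines in the
layout quoted in the thread and groups every "General SSLEngine problem" by
host, so an operator can see which hosts stopped being trusted after a
certificate swap.
"""
import re
from collections import defaultdict

# Layout of an engine.log line as shown in the thread:
#   <timestamp> <LEVEL> [<logger>] (<thread>) [<correlation id>] <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{2})\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+"
    r"\[(?P<corr>[^\]]*)\]\s+(?P<msg>.*)$"
)
# The failing VDSM command and the host it targeted, e.g.
#   Command 'GetAllVmStatsVDSCommand(HostName = host.domain.tld, ...
COMMAND_RE = re.compile(r"Command '(?P<cmd>\w+)\(HostName = (?P<host>[^,)]+)")
HOST_ID_RE = re.compile(r"hostId='(?P<id>[^']+)'")
SSL_MARKER = "General SSLEngine problem"

# Constructed sample: the two lines quoted in the thread plus two invented ones
# (host2 failing with a placeholder hostId, and a host3 call that succeeds).
SAMPLE_LOG = """\
2018-01-23 13:33:40,160+01 ERROR [org.ovirt.engine.core.vdsbroker.vdsbroker.GetAllVmStatsVDSCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-23) [] Command 'GetAllVmStatsVDSCommand(HostName = host.domain.tld, VdsIdVDSCommandParametersBase:{hostId='d6bc650b-7edd-4019-b316-54313217880f'})' execution failed: VDSGenericException: VDSNetworkException: General SSLEngine problem
2018-01-23 13:33:40,160+01 INFO  [org.ovirt.engine.core.vdsbroker.monitoring.PollVmStatsRefresher] (EE-ManagedThreadFactory-engineScheduled-Thread-23) [] Failed to fetch vms info for host 'host.domain.tld' - skipping VMs monitoring.
2018-01-23 13:33:45,010+01 ERROR [org.ovirt.engine.core.vdsbroker.vdsbroker.GetCapabilitiesVDSCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-7) [] Command 'GetCapabilitiesVDSCommand(HostName = host2.domain.tld, VdsIdVDSCommandParametersBase:{hostId='00000000-0000-0000-0000-000000000002'})' execution failed: VDSGenericException: VDSNetworkException: General SSLEngine problem
2018-01-23 13:33:50,000+01 INFO  [org.ovirt.engine.core.vdsbroker.vdsbroker.GetCapabilitiesVDSCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-9) [] FINISH, GetCapabilitiesVDSCommand(HostName = host3.domain.tld, VdsIdVDSCommandParametersBase:{hostId='00000000-0000-0000-0000-000000000003'}), log id: 1a2b3c
"""


def parse_line(line):
    """Split one engine.log line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_ssl_failures(log_text):
    """Return {host: details} for every host whose VDSM command failed on the TLS layer."""
    failures = defaultdict(lambda: {"count": 0, "commands": set(), "host_id": None,
                                    "first_seen": None, "last_seen": None})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or SSL_MARKER not in rec["msg"]:
            continue
        cm = COMMAND_RE.search(rec["msg"])
        if cm is None:
            continue  # an SSLEngine message not tied to a host command
        entry = failures[cm.group("host")]
        entry["count"] += 1
        entry["commands"].add(cm.group("cmd"))
        im = HOST_ID_RE.search(rec["msg"])
        if im:
            entry["host_id"] = im.group("id")
        entry["first_seen"] = entry["first_seen"] or rec["ts"]
        entry["last_seen"] = rec["ts"]
    return dict(failures)


def summarize(failures):
    """One human-readable line per affected host, sorted by host name."""
    lines = []
    for host in sorted(failures):
        e = failures[host]
        lines.append(
            f"{host} (hostId={e['host_id']}): {e['count']} TLS failure(s) in "
            f"{', '.join(sorted(e['commands']))} between {e['first_seen']} and {e['last_seen']}"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(find_ssl_failures(SAMPLE_LOG)):
        print(line)
```

Run it against a real engine.log by reading the file into `find_ssl_failures`; a host that appears here while others do not points at that host's VDSM certificate, whereas every host failing at once points at the CA the engine itself trusts.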