Re: [ovirt-users] ovirt 3.5 engine web certificate

2015-09-04 Thread Sandro Bonazzola
On Tue, Sep 1, 2015 at 1:36 PM, Baptiste Agasse <
baptiste.aga...@lyra-network.com> wrote:

> Hi,
>
> - On 1 Sep 15, at 9:43, Sandro Bonazzola wrote:
>
>
>
> On Mon, Aug 31, 2015 at 6:08 PM, Alon Bar-Lev  wrote:
>
>>
>>
>> - Original Message -
>> > From: "Baptiste Agasse" 
>> > To: "users" 
>> > Sent: Monday, August 31, 2015 6:54:28 PM
>> > Subject: [ovirt-users] ovirt 3.5 engine web certificate
>> >
>> > Hi all,
>> >
>> > I've followed the procedure to replace the self-signed certificate with
>> > one issued by our internal PKI to avoid security failures when users
>> > access the webui
>> > (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https).
>> > The connection to the webui now works fine without any security warning
>> > (the internal PKI CA is in the trusted CAs of our clients' OS). But on
>> > the other hand, I have some troubles:
>> >
>> > * I have to specify the --ca-file option for ovirt-shell and
>> > engine-iso-uploader (I didn't test the engine-image-upload command); it
>> > would be nice if the documentation provided a way to replace this by
>> > default (or use the trusted CA store of the OS?). This is not a bug, just
>> > some feedback on the certificate change procedure, which doesn't cover
>> > these side effects.
>>
>> This is [1], probably you want to modify the configuration files of these
>> tools at /etc so you will have proper defaults.
>>
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1146710
>>
>
> Thank you for this link.
>
>
>> > * I can't add new ovirt-node anymore.
>>
>> If ovirt-node was added using previous certificate it "Remembers" that
>> certificate.
>> You can remove it from /etc/pki/vdsm/engine_web_ca.pem and try to
>> register again.
>>
>> > * The ovirt-hosted-engine --deploy fails
>> > on new nodes with an SSL error. To work around this I have to modify the
>> > file "/usr/lib/python2.7/site-packages/ovirtsdk/web/connection.py" around
>> > line 233 to make an insecure connection to the engine and add the new
>> > node. I haven't tested adding a new node from the ovirt engine cli/webui,
>> > but I think it will be the same issue because the error occurs on the
>> > vdsm activation that is common to the 'new hosted engine node' and 'new
>> > node' deployment. I've seen
>> > https://bugzilla.redhat.com/show_bug.cgi?id=1059952
>> > but the workaround noted in comment #8 didn't work for me.
>>
>> CC sandro for this.
>>
>
> Can you please share full sos report?
>
>
> The report is a little bit big (about 57MB) to be sent by mail, have you
> any procedure I can use to send it to you?
>


Can you share it on Google Drive / Dropbox or any other file sharing service?


>
>
>> >
>> > Does anyone have more info on this issue or have the same problem?
>> >
>> > This deployment is on ovirt 3.5.3, CentOS 7 (engine and nodes).
>> >
>> > Have a nice day.
>> >
>> > Regards.
>> >
>> > --
>> > Baptiste
>> > ___
>> > Users mailing list
>> > Users@ovirt.org
>> > http://lists.ovirt.org/mailman/listinfo/users
>> >
>>
>
>
>
> --
> Sandro Bonazzola
> Better technology. Faster innovation. Powered by community collaboration.
> See how it works at redhat.com
>
>
> --
> Baptiste
>



-- 
Sandro Bonazzola
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] ovirt 3.5 engine web certificate

2015-09-01 Thread Baptiste Agasse
Hi, 

- On 1 Sep 15, at 9:43, Sandro Bonazzola wrote:

> On Mon, Aug 31, 2015 at 6:08 PM, Alon Bar-Lev < alo...@redhat.com > wrote:

>> - Original Message -
>> > From: "Baptiste Agasse" < baptiste.aga...@lyra-network.com >
>> > To: "users" < users@ovirt.org >
>> > Sent: Monday, August 31, 2015 6:54:28 PM
>> > Subject: [ovirt-users] ovirt 3.5 engine web certificate

>> > Hi all,

>> > I've followed the procedure to replace the self-signed certificate with
>> > one issued by our internal PKI to avoid security failures when users
>> > access the webui
>> > (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https).
>> > The connection to the webui now works fine without any security warning
>> > (the internal PKI CA is in the trusted CAs of our clients' OS). But on
>> > the other hand, I have some troubles:

>> > * I have to specify the --ca-file option for ovirt-shell and
>> > engine-iso-uploader (I didn't test the engine-image-upload command); it
>> > would be nice if the documentation provided a way to replace this by
>> > default (or use the trusted CA store of the OS?). This is not a bug, just
>> > some feedback on the certificate change procedure, which doesn't cover
>> > these side effects.

>> This is [1], probably you want to modify the configuration files of these 
>> tools
>> at /etc so you will have proper defaults.

>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1146710

Thank you for this link. 

>> > * I can't add new ovirt-node anymore.

>> If ovirt-node was added using previous certificate it "Remembers" that
>> certificate.
>> You can remove it from /etc/pki/vdsm/engine_web_ca.pem and try to register
>> again.

>> > * The ovirt-hosted-engine --deploy fails
>> > on new nodes with an SSL error. To work around this I have to modify the
>> > file "/usr/lib/python2.7/site-packages/ovirtsdk/web/connection.py" around
>> > line 233 to make an insecure connection to the engine and add the new
>> > node. I haven't tested adding a new node from the ovirt engine cli/webui,
>> > but I think it will be the same issue because the error occurs on the
>> > vdsm activation that is common to the 'new hosted engine node' and 'new
>> > node' deployment. I've seen
>> > https://bugzilla.redhat.com/show_bug.cgi?id=1059952
>> > but the workaround noted in comment #8 didn't work for me.

>> CC sandro for this.

> Can you please share full sos report?

The report is a little bit big (about 57MB) to be sent by mail, have you any
procedure I can use to send it to you?


>> > Does anyone have more info on this issue or have the same problem?

>> > This deployment is on ovirt 3.5.3, CentOS 7 (engine and nodes).

>> > Have a nice day.

>> > Regards.

>> > --
>> > Baptiste


> --
> Sandro Bonazzola
> Better technology. Faster innovation. Powered by community collaboration.
> See how it works at redhat.com

-- 
Baptiste 


Re: [ovirt-users] ovirt 3.5 engine web certificate

2015-09-01 Thread Sandro Bonazzola
On Mon, Aug 31, 2015 at 6:08 PM, Alon Bar-Lev  wrote:

>
>
> - Original Message -
> > From: "Baptiste Agasse" 
> > To: "users" 
> > Sent: Monday, August 31, 2015 6:54:28 PM
> > Subject: [ovirt-users] ovirt 3.5 engine web certificate
> >
> > Hi all,
> >
> > I've followed the procedure to replace the self-signed certificate with
> > one issued by our internal PKI to avoid security failures when users
> > access the webui
> > (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https).
> > The connection to the webui now works fine without any security warning
> > (the internal PKI CA is in the trusted CAs of our clients' OS). But on
> > the other hand, I have some troubles:
> >
> > * I have to specify the --ca-file option for ovirt-shell and
> > engine-iso-uploader (I didn't test the engine-image-upload command); it
> > would be nice if the documentation provided a way to replace this by
> > default (or use the trusted CA store of the OS?). This is not a bug, just
> > some feedback on the certificate change procedure, which doesn't cover
> > these side effects.
>
> This is [1], probably you want to modify the configuration files of these
> tools at /etc so you will have proper defaults.
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1146710
>
> > * I can't add new ovirt-node anymore.
>
> If ovirt-node was added using previous certificate it "Remembers" that
> certificate.
> You can remove it from /etc/pki/vdsm/engine_web_ca.pem and try to register
> again.
>
> > * The ovirt-hosted-engine --deploy fails
> > on new nodes with an SSL error. To work around this I have to modify the
> > file "/usr/lib/python2.7/site-packages/ovirtsdk/web/connection.py" around
> > line 233 to make an insecure connection to the engine and add the new
> > node. I haven't tested adding a new node from the ovirt engine cli/webui,
> > but I think it will be the same issue because the error occurs on the
> > vdsm activation that is common to the 'new hosted engine node' and 'new
> > node' deployment. I've seen
> > https://bugzilla.redhat.com/show_bug.cgi?id=1059952
> > but the workaround noted in comment #8 didn't work for me.
>
> CC sandro for this.
>

Can you please share full sos report?


>
> >
> > Does anyone have more info on this issue or have the same problem?
> >
> > This deployment is on ovirt 3.5.3, CentOS 7 (engine and nodes).
> >
> > Have a nice day.
> >
> > Regards.
> >
> > --
> > Baptiste
> >
>



-- 
Sandro Bonazzola
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com


Re: [ovirt-users] ovirt 3.5 engine web certificate

2015-08-31 Thread Alon Bar-Lev


- Original Message -
> From: "Baptiste Agasse" 
> To: "users" 
> Sent: Monday, August 31, 2015 6:54:28 PM
> Subject: [ovirt-users] ovirt 3.5 engine web certificate
> 
> Hi all,
> 
> I've followed the procedure to replace the self-signed certificate with one
> issued by our internal PKI to avoid security failures when users access the
> webui
> (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https).
> The connection to the webui now works fine without any security warning (the
> internal PKI CA is in the trusted CAs of our clients' OS). But on the other
> hand, I have some troubles:
> 
> * I have to specify the --ca-file option for ovirt-shell and
> engine-iso-uploader (I didn't test the engine-image-upload command); it would
> be nice if the documentation provided a way to replace this by default (or
> use the trusted CA store of the OS?). This is not a bug, just some feedback
> on the certificate change procedure, which doesn't cover these side effects.

This is [1], probably you want to modify the configuration files of these tools 
at /etc so you will have proper defaults.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1146710

> * I can't add new ovirt-node anymore. 

If ovirt-node was added using previous certificate it "Remembers" that 
certificate.
You can remove it from /etc/pki/vdsm/engine_web_ca.pem and try to register 
again.

> * The ovirt-hosted-engine --deploy fails
> on new nodes with an SSL error. To work around this I have to modify the file
> "/usr/lib/python2.7/site-packages/ovirtsdk/web/connection.py" around line
> 233 to make an insecure connection to the engine and add the new node. I
> haven't tested adding a new node from the ovirt engine cli/webui, but I
> think it will be the same issue because the error occurs on the vdsm
> activation that is common to the 'new hosted engine node' and 'new node'
> deployment. I've seen https://bugzilla.redhat.com/show_bug.cgi?id=1059952
> but the workaround noted in comment #8 didn't work for me.

CC sandro for this.

> 
> Does anyone have more info on this issue or have the same problem?
> 
> This deployment is on ovirt 3.5.3, CentOS 7 (engine and nodes).
> 
> Have a nice day.
> 
> Regards.
> 
> --
> Baptiste
> 


[ovirt-users] ovirt 3.5 engine web certificate

2015-08-31 Thread Baptiste Agasse
Hi all,

I've followed the procedure to replace the self-signed certificate with one
issued by our internal PKI to avoid security failures when users access the
webui
(https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https).
The connection to the webui now works fine without any security warning (the
internal PKI CA is in the trusted CAs of our clients' OS). But on the other hand,
I have some troubles:

* I have to specify the --ca-file option for ovirt-shell and engine-iso-uploader
(I didn't test the engine-image-upload command); it would be nice if the
documentation provided a way to replace this by default (or use the trusted CA
store of the OS?). This is not a bug, just some feedback on the certificate
change procedure, which doesn't cover these side effects.
* I can't add new ovirt-node anymore. The ovirt-hosted-engine --deploy fails on
new nodes with an SSL error. To work around this I have to modify the file
"/usr/lib/python2.7/site-packages/ovirtsdk/web/connection.py" around line 233
to make an insecure connection to the engine and add the new node. I haven't
tested adding a new node from the ovirt engine cli/webui, but I think it
will be the same issue because the error occurs on the vdsm activation that is
common to the 'new hosted engine node' and 'new node' deployment. I've seen
https://bugzilla.redhat.com/show_bug.cgi?id=1059952 but the workaround noted in
comment #8 didn't work for me.

Does anyone have more info on this issue or have the same problem?

This deployment is on ovirt 3.5.3, CentOS 7 (engine and nodes).

Have a nice day.

Regards.

-- 
Baptiste
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
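
The trust failure discussed in this thread can be reproduced offline with openssl, as an added example that is not part of the original posts: a host that still holds the engine's old CA rejects a certificate issued by the internal PKI, and replacing the remembered CA file makes verification pass without an insecure connection. All subjects, names and files are constructed in a temporary directory; the "remembered" file stands in for /etc/pki/vdsm/engine_web_ca.pem.

```shell
#!/bin/sh
# Constructed demo: everything lives in a temp dir; no real engine or host is touched.
set -eu

# make_ca <dir> <name> <CN>: create a self-signed CA (key + certificate).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert <dir> <ca name> <cert name> <CN>: server certificate signed by that CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 2 -out "$1/$3.pem" 2>/dev/null
}

# trusts <ca file> <cert file>: succeeds only if openssl reports the chain as OK.
trusts() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# check_host <remembered CA file> <engine cert>: what a host-side check would report.
check_host() {
    if trusts "$1" "$2"; then echo "trusted"; else echo "stale-ca"; fi
}

# demo: old CA remembered on the host, engine now serves a cert from the internal PKI.
demo() {
    d=$(mktemp -d)
    make_ca "$d" old_engine_ca "constructed old engine CA"
    make_ca "$d" internal_pki_ca "constructed internal PKI CA"
    issue_cert "$d" internal_pki_ca engine_web "engine.example.test"
    cp "$d/old_engine_ca.pem" "$d/remembered_ca.pem"
    before=$(check_host "$d/remembered_ca.pem" "$d/engine_web.pem")
    # Remediation: replace the remembered CA with the issuing CA; verification stays on.
    cp "$d/internal_pki_ca.pem" "$d/remembered_ca.pem"
    after=$(check_host "$d/remembered_ca.pem" "$d/engine_web.pem")
    rm -rf "$d"
    echo "$before -> $after"
}
demo
```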