Re: [ovirt-users] Issue with 4.2.1 RC and SSL

2018-02-11 Thread Yedidyah Bar David
On Sun, Feb 11, 2018 at 11:41 PM, ~Stack~  wrote:
> On 02/11/2018 02:41 AM, Yedidyah Bar David wrote:
>> On Sun, Feb 11, 2018 at 10:26 AM, Yaniv Kaul  wrote:
>>>
>>>
>>> On Sun, Feb 11, 2018 at 2:43 AM, ~Stack~  wrote:
>
> [snip]
>
>>>> We decided to just start from scratch and my coworker watched and
>>>> confirmed every step. It works! No problems at all this time. Further
>>>> evidence that I goofed _something_ up the first time.
>>>
>>>
>>> We should really have an Ansible role that performs the conversion to
>>> self-signed certificates.
>>> That would make the conversion easier and safer.
>>
>> +1
>>
>> Not sure "self-signed" is the correct term here. Also the internal
>> engine CA's cert is self-signed.
>>
>> I guess you refer to this:
>>
>> https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/
>>
>> I'd call it "configure-3rd-party-CA" or something like that.
>
> Greetings,
>
> Another +1 from me (obviously! :-).
>
> I also agree in that we are not doing a self-signed cert, but rather
> we've purchased a cert from one of the big-name-CA-vendors that is valid
> for our domain. "configure-3rd-party-CA" makes more sense to me.

Nit: This big-name-CA-vendors CA's cert is most likely also self-signed,
so it's not a mistake to call it "self-signed". The difference between
"self-signed by _me_" and "self-signed by big-name" is mainly a matter of
trust and business relations (between that big-name and you, big-name and
the OS/browser vendors, etc.) and not a technical one.

If you loan a friend $100 for a month, the difference between you and a
big bank is very similar to that above difference...

>
> Lastly, that is the link that I used for a guide.
>
> Thanks!
> ~Stack~
>
>
>



-- 
Didi
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
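
The point made in the message above, as an added example that is not part of the original thread: two roots are self-signed in exactly the same way, and a host certificate is accepted only by a verifier whose trust store holds the root that issued it. `key_matches_cert` is the check for a certificate file that was overwritten with the wrong one. All names, subjects and files are constructed placeholders, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Constructed demo: all files live in a temp dir; names are placeholders, not oVirt paths.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_root' 'prompt=no' \
    '[dn]' 'CN=placeholder' '[v3_root]' 'basicConstraints=critical,CA:TRUE' > "$WORK/req.cnf"

make_root() {  # make_root <name> <CN>: a self-signed root certificate
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

make_leaf() {  # make_leaf <name> <CN> <issuer>: key + CSR, then signed by <issuer>
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -days 30 -CA "$WORK/$3.pem" \
        -CAkey "$WORK/$3.key" -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
}

is_self_signed() {  # issuer equals subject, and the signature verifies under its own key
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
        openssl verify -no-CApath -CAfile "$1" "$1" >/dev/null 2>&1
}

trusted_by() {  # trusted_by <store.pem> <cert.pem>: does the chain end in this store?
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

key_matches_cert() {  # key_matches_cert <key> <cert>: catches a swapped or overwritten file
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

make_root mine   "My Own CA"
make_root vendor "Big-Name Vendor Root"   # stand-in, not a real vendor certificate
make_leaf host   "host.example.test" mine

for c in mine vendor host; do
    if is_self_signed "$WORK/$c.pem"; then ss=yes; else ss=no; fi
    if trusted_by "$WORK/vendor.pem" "$WORK/$c.pem"; then tv=yes; else tv=no; fi
    if trusted_by "$WORK/mine.pem" "$WORK/$c.pem"; then tm=yes; else tm=no; fi
    echo "$c: self-signed=$ss trusted(vendor-store)=$tv trusted(my-store)=$tm"
done
```

Both roots report `self-signed=yes`; which one a client accepts depends only on the store passed to `trusted_by`.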


Re: [ovirt-users] Issue with 4.2.1 RC and SSL

2018-02-11 Thread ~Stack~
On 02/11/2018 02:41 AM, Yedidyah Bar David wrote:
> On Sun, Feb 11, 2018 at 10:26 AM, Yaniv Kaul  wrote:
>>
>>
>> On Sun, Feb 11, 2018 at 2:43 AM, ~Stack~  wrote:

[snip]

>>> We decided to just start from scratch and my coworker watched and
>>> confirmed every step. It works! No problems at all this time. Further
>>> evidence that I goofed _something_ up the first time.
>>
>>
>> We should really have an Ansible role that performs the conversion to
>> self-signed certificates.
>> That would make the conversion easier and safer.
> 
> +1
> 
> Not sure "self-signed" is the correct term here. Also the internal
> engine CA's cert is self-signed.
> 
> I guess you refer to this:
> 
> https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/
> 
> I'd call it "configure-3rd-party-CA" or something like that.

Greetings,

Another +1 from me (obviously! :-).

I also agree in that we are not doing a self-signed cert, but rather
we've purchased a cert from one of the big-name-CA-vendors that is valid
for our domain. "configure-3rd-party-CA" makes more sense to me.

Lastly, that is the link that I used for a guide.

Thanks!
~Stack~







Re: [ovirt-users] Issue with 4.2.1 RC and SSL

2018-02-11 Thread Yedidyah Bar David
On Sun, Feb 11, 2018 at 10:26 AM, Yaniv Kaul  wrote:
>
>
> On Sun, Feb 11, 2018 at 2:43 AM, ~Stack~  wrote:
>>
>> On 02/08/2018 06:42 AM, Petr Kotas wrote:
>> > Hi Stack,
>>
>> Greetings Petr
>>
>> > have you tried it on other linux distributions? Scientific is not
>> > officially supported.
>>
>> No, but SL isn't really any different than CentOS. If anything, we've
>> found it adheres closer to RH than CentOS does.
>>
>> > My guess based on your log is there are somewhere missing certificates,
>> > maybe different path?.
>> > You can check the paths by the documentation:
>> >
>> > https://www.ovirt.org/develop/release-management/features/infra/pki/#vdsm
>> >
>> > Hope this helps.
>>
>>
>> Thanks for the suggestion. It took a while but we dug into it and I
>> *think* the problem was because I may have over-written the wrong cert
>> file in one of my steps. I'm only about 80% certain of that, but it
>> seems to match what we found when we were digging through the log files.
>>
>> We decided to just start from scratch and my coworker watched and
>> confirmed every step. It works! No problems at all this time. Further
>> evidence that I goofed _something_ up the first time.
>
>
> We should really have an Ansible role that performs the conversion to
> self-signed certificates.
> That would make the conversion easier and safer.

+1

Not sure "self-signed" is the correct term here. Also the internal
engine CA's cert is self-signed.

I guess you refer to this:

https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/

I'd call it "configure-3rd-party-CA" or something like that.

> Y.
>
>>
>>
>> Thank you for the suggestion!
>> ~Stack~
>>
>>
>>
>



-- 
Didi


Re: [ovirt-users] Issue with 4.2.1 RC and SSL

2018-02-11 Thread Yaniv Kaul
On Sun, Feb 11, 2018 at 2:43 AM, ~Stack~  wrote:

> On 02/08/2018 06:42 AM, Petr Kotas wrote:
> > Hi Stack,
>
> Greetings Petr
>
> > have you tried it on other linux distributions? Scientific is not
> > officially supported.
>
> No, but SL isn't really any different than CentOS. If anything, we've
> found it adheres closer to RH than CentOS does.
>
> > My guess based on your log is there are somewhere missing certificates,
> > maybe different path?.
> > You can check the paths by the documentation:
> > https://www.ovirt.org/develop/release-management/features/infra/pki/#vdsm
> >
> > Hope this helps.
>
>
> Thanks for the suggestion. It took a while but we dug into it and I
> *think* the problem was because I may have over-written the wrong cert
> file in one of my steps. I'm only about 80% certain of that, but it
> seems to match what we found when we were digging through the log files.
>
> We decided to just start from scratch and my coworker watched and
> confirmed every step. It works! No problems at all this time. Further
> evidence that I goofed _something_ up the first time.
>

We should really have an Ansible role that performs the conversion to
self-signed certificates.
That would make the conversion easier and safer.
Y.


>
> Thank you for the suggestion!
> ~Stack~
>
>
>


Re: [ovirt-users] Issue with 4.2.1 RC and SSL

2018-02-10 Thread ~Stack~
On 02/08/2018 06:42 AM, Petr Kotas wrote:
> Hi Stack,

Greetings Petr

> have you tried it on other linux distributions? Scientific is not
> officially supported.

No, but SL isn't really any different than CentOS. If anything, we've
found it adheres closer to RH than CentOS does.

> My guess based on your log is there are somewhere missing certificates,
> maybe different path?.
> You can check the paths by the documentation:
> https://www.ovirt.org/develop/release-management/features/infra/pki/#vdsm
>
> Hope this helps.


Thanks for the suggestion. It took a while but we dug into it and I
*think* the problem was because I may have over-written the wrong cert
file in one of my steps. I'm only about 80% certain of that, but it
seems to match what we found when we were digging through the log files.

We decided to just start from scratch and my coworker watched and
confirmed every step. It works! No problems at all this time. Further
evidence that I goofed _something_ up the first time.

Thank you for the suggestion!
~Stack~






Re: [ovirt-users] Issue with 4.2.1 RC and SSL

2018-02-08 Thread Yedidyah Bar David
On Thu, Feb 8, 2018 at 2:42 PM, Petr Kotas  wrote:
> Hi Stack,
>
> have you tried it on other linux distributions? Scientific is not officially
> supported.
>
> My guess based on your log is there are somewhere missing certificates,
> maybe different path?.
> You can check the paths by the documentation:
> https://www.ovirt.org/develop/release-management/features/infra/pki/#vdsm
>
> Hope this helps.
>
> Petr
>
>
>
> On Thu, Feb 8, 2018 at 1:13 AM, ~Stack~  wrote:
>>
>> Greetings,
>>
>> I was having a lot of issues with 4.2 and 95% of them are in the change
>> logs for 4.2.1. Since this is a new build, I just blew everything away
>> and started from scratch with the RC release.
>>
>> The very first thing that I did after the engine-config was to set up my
>> SSL cert. I followed the directions from here:
>> https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/
>>
>> Logged in the first time to the web interface and everything worked!
>> Great.
>>
>> Install my hosts (also completely fresh installs - Scientific Linux 7
>> fully updated) and none would finish the install...
>>
>>
>> I can send the full host debug log if you want, however, I'm pretty sure
>> that the problem is because of the SSL somewhere. I've cut/pasted the
>> relevant part.

Please check/share also engine.log of the relevant time frame. Thanks.

>>
>> Any advice/help, please?
>>
>> Thanks!
>> ~Stack~
>>
>>
>> 2018-02-07 16:56:21,697-0600 DEBUG otopi.plugins.otopi.dialog.machine
>> dialog.__logString:204 DIALOG:SEND   **%EventEnd STAGE misc METHOD
>> otopi.plugins.ovirt_host_deploy.tune.tuned.Plugin._misc (None)
>> 2018-02-07 16:56:21,698-0600 DEBUG otopi.context
>> context._executeMethod:128 Stage misc METHOD
>> otopi.plugins.ovirt_host_deploy.vdsm.vdsmid.Plugin._store_id
>> 2018-02-07 16:56:21,698-0600 DEBUG otopi.plugins.otopi.dialog.machine
>> dialog.__logString:204 DIALOG:SEND   **%EventStart STAGE misc METHOD
>> otopi.plugins.ovirt_host_deploy.vdsm.vdsmid.Plugin._store_id (None)
>> 2018-02-07 16:56:21,699-0600 DEBUG otopi.transaction
>> transaction._prepare:61 preparing 'File transaction for
>> '/etc/vdsm/vdsm.id''
>> 2018-02-07 16:56:21,699-0600 DEBUG otopi.filetransaction
>> filetransaction.prepare:183 file '/etc/vdsm/vdsm.id' missing
>> 2018-02-07 16:56:21,705-0600 DEBUG otopi.plugins.otopi.dialog.machine
>> dialog.__logString:204 DIALOG:SEND   **%EventEnd STAGE misc METHOD
>> otopi.plugins.ovirt_host_deploy.vdsm.vdsmid.Plugin._store_id (None)
>> 2018-02-07 16:56:21,706-0600 DEBUG otopi.context
>> context._executeMethod:128 Stage misc METHOD
>> otopi.plugins.ovirt_host_deploy.vdsmhooks.hooks.Plugin._hooks
>> 2018-02-07 16:56:21,706-0600 DEBUG otopi.plugins.otopi.dialog.machine
>> dialog.__logString:204 DIALOG:SEND   **%EventStart STAGE misc METHOD
>> otopi.plugins.ovirt_host_deploy.vdsmhooks.hooks.Plugin._hooks (None)
>> 2018-02-07 16:56:21,707-0600 DEBUG otopi.plugins.otopi.dialog.machine
>> dialog.__logString:204 DIALOG:SEND   **%EventEnd STAGE misc METHOD
>> otopi.plugins.ovirt_host_deploy.vdsmhooks.hooks.Plugin._hooks (None)
>> 2018-02-07 16:56:21,707-0600 DEBUG otopi.context
>> context._executeMethod:128 Stage misc METHOD
>> otopi.plugins.ovirt_host_common.vdsm.pki.Plugin._misc
>> 2018-02-07 16:56:21,708-0600 DEBUG otopi.plugins.otopi.dialog.machine
>> dialog.__logString:204 DIALOG:SEND   **%EventStart STAGE misc METHOD
>> otopi.plugins.ovirt_host_common.vdsm.pki.Plugin._misc (None)
>> 2018-02-07 16:56:21,708-0600 DEBUG otopi.plugins.otopi.dialog.machine
>> dialog.__logString:204 DIALOG:SEND   ### Setting up PKI
>> 2018-02-07 16:56:21,709-0600 DEBUG
>> otopi.plugins.ovirt_host_common.vdsm.pki plugin.executeRaw:813 execute:
>> ('/usr/bin/openssl', 'req', '-new', '-newkey', 'rsa:2048', '-nodes',
>> '-subj', '/', '-keyout', '/tmp/tmpQkrIuV.tmp'), executable='None',
>> cwd='None', env=None
>> 2018-02-07 16:56:21,756-0600 DEBUG
>> otopi.plugins.ovirt_host_common.vdsm.pki plugin.executeRaw:863
>> execute-result: ('/usr/bin/openssl', 'req', '-new', '-newkey',
>> 'rsa:2048', '-nodes', '-subj', '/', '-keyout', '/tmp/tmpQkrIuV.tmp'), rc=0
>> 2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine
>> dialog.__logString:204 DIALOG:SEND   ###
>> 2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine
>> dialog.__logString:204 DIALOG:SEND   ###
>> 2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine
>> dialog.__logString:204 DIALOG:SEND   ### Please issue VDSM
>> certificate based on this certificate request
>> 2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine
>> dialog.__logString:204 DIALOG:SEND   ###
>> 2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine
>> dialog.__logString:204 DIALOG:SEND   ***D:MULTI-STRING
>> VDSM_CERTIFICATE_REQUEST --=451b80dc-996f-432e-9e4f-2b29ef6d1141=--
>> 2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine

Re: [ovirt-users] Issue with 4.2.1 RC and SSL

2018-02-08 Thread Petr Kotas
Hi Stack,

have you tried it on other linux distributions? Scientific is not
officially supported.

My guess based on your log is there are somewhere missing certificates,
maybe different path?.
You can check the paths by the documentation:
https://www.ovirt.org/develop/release-management/features/infra/pki/#vdsm

Hope this helps.

Petr



On Thu, Feb 8, 2018 at 1:13 AM, ~Stack~  wrote:

> Greetings,
>
> I was having a lot of issues with 4.2 and 95% of them are in the change
> logs for 4.2.1. Since this is a new build, I just blew everything away
> and started from scratch with the RC release.
>
> The very first thing that I did after the engine-config was to set up my
> SSL cert. I followed the directions from here:
> https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/
>
> Logged in the first time to the web interface and everything worked! Great.
>
> Install my hosts (also completely fresh installs - Scientific Linux 7
> fully updated) and none would finish the install...
>
>
> I can send the full host debug log if you want, however, I'm pretty sure
> that the problem is because of the SSL somewhere. I've cut/pasted the
> relevant part.
>
> Any advice/help, please?
>
> Thanks!
> ~Stack~
>
>
> 2018-02-07 16:56:21,697-0600 DEBUG otopi.plugins.otopi.dialog.machine
> dialog.__logString:204 DIALOG:SEND   **%EventEnd STAGE misc METHOD
> otopi.plugins.ovirt_host_deploy.tune.tuned.Plugin._misc (None)
> 2018-02-07 16:56:21,698-0600 DEBUG otopi.context
> context._executeMethod:128 Stage misc METHOD
> otopi.plugins.ovirt_host_deploy.vdsm.vdsmid.Plugin._store_id
> 2018-02-07 16:56:21,698-0600 DEBUG otopi.plugins.otopi.dialog.machine
> dialog.__logString:204 DIALOG:SEND   **%EventStart STAGE misc METHOD
> otopi.plugins.ovirt_host_deploy.vdsm.vdsmid.Plugin._store_id (None)
> 2018-02-07 16:56:21,699-0600 DEBUG otopi.transaction
> transaction._prepare:61 preparing 'File transaction for
> '/etc/vdsm/vdsm.id''
> 2018-02-07 16:56:21,699-0600 DEBUG otopi.filetransaction
> filetransaction.prepare:183 file '/etc/vdsm/vdsm.id' missing
> 2018-02-07 16:56:21,705-0600 DEBUG otopi.plugins.otopi.dialog.machine
> dialog.__logString:204 DIALOG:SEND   **%EventEnd STAGE misc METHOD
> otopi.plugins.ovirt_host_deploy.vdsm.vdsmid.Plugin._store_id (None)
> 2018-02-07 16:56:21,706-0600 DEBUG otopi.context
> context._executeMethod:128 Stage misc METHOD
> otopi.plugins.ovirt_host_deploy.vdsmhooks.hooks.Plugin._hooks
> 2018-02-07 16:56:21,706-0600 DEBUG otopi.plugins.otopi.dialog.machine
> dialog.__logString:204 DIALOG:SEND   **%EventStart STAGE misc METHOD
> otopi.plugins.ovirt_host_deploy.vdsmhooks.hooks.Plugin._hooks (None)
> 2018-02-07 16:56:21,707-0600 DEBUG otopi.plugins.otopi.dialog.machine
> dialog.__logString:204 DIALOG:SEND   **%EventEnd STAGE misc METHOD
> otopi.plugins.ovirt_host_deploy.vdsmhooks.hooks.Plugin._hooks (None)
> 2018-02-07 16:56:21,707-0600 DEBUG otopi.context
> context._executeMethod:128 Stage misc METHOD
> otopi.plugins.ovirt_host_common.vdsm.pki.Plugin._misc
> 2018-02-07 16:56:21,708-0600 DEBUG otopi.plugins.otopi.dialog.machine
> dialog.__logString:204 DIALOG:SEND   **%EventStart STAGE misc METHOD
> otopi.plugins.ovirt_host_common.vdsm.pki.Plugin._misc (None)
> 2018-02-07 16:56:21,708-0600 DEBUG otopi.plugins.otopi.dialog.machine
> dialog.__logString:204 DIALOG:SEND   ### Setting up PKI
> 2018-02-07 16:56:21,709-0600 DEBUG
> otopi.plugins.ovirt_host_common.vdsm.pki plugin.executeRaw:813 execute:
> ('/usr/bin/openssl', 'req', '-new', '-newkey', 'rsa:2048', '-nodes',
> '-subj', '/', '-keyout', '/tmp/tmpQkrIuV.tmp'), executable='None',
> cwd='None', env=None
> 2018-02-07 16:56:21,756-0600 DEBUG
> otopi.plugins.ovirt_host_common.vdsm.pki plugin.executeRaw:863
> execute-result: ('/usr/bin/openssl', 'req', '-new', '-newkey',
> 'rsa:2048', '-nodes', '-subj', '/', '-keyout', '/tmp/tmpQkrIuV.tmp'), rc=0
> 2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine
> dialog.__logString:204 DIALOG:SEND   ###
> 2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine
> dialog.__logString:204 DIALOG:SEND   ###
> 2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine
> dialog.__logString:204 DIALOG:SEND   ### Please issue VDSM
> certificate based on this certificate request
> 2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine
> dialog.__logString:204 DIALOG:SEND   ###
> 2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine
> dialog.__logString:204 DIALOG:SEND   ***D:MULTI-STRING
> VDSM_CERTIFICATE_REQUEST --=451b80dc-996f-432e-9e4f-2b29ef6d1141=--
> 2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine
> dialog.__logString:204 DIALOG:SEND   -BEGIN CERTIFICATE
> REQUEST-
> 2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine
> dialog.__logString:204 DIALOG:SEND
> MIICRTCCAS0CAQAwADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZm