> From: "Andrew Lau" <[email protected]>
> To: "users" <[email protected]>
> Sent: Wednesday, January 29, 2014 8:38:33 AM
> Subject: [Users] Hosted Engine adding host SSL Failure (w/ engine custom cert)
> Hi,
>
> After running through the new patch posted in BZ 1055153 I'm adding a second
> host to the hosted-engine cluster but it seems to fail right before the
> finish:
>
> [ ERROR ] Failed to execute stage 'Closing up': [ERROR]::oVirt API connection failure, [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Couple Extra Notes:
> Engine has a custom SSL cert but the CA has been trusted by the new host.
> When I temporarily return the engine's SSL back to the default generated one
> the install will succeed.
>
> Setup logs: http://www.fpaste.org/72624/13909770/
>
> What confuses me is:
> curl https://engine.example.net with the custom SSL cert will succeed but
> with the original self-signed gives the expected "insecure" message. What
> criteria need to be met so the install will pass?

Seems like a bug (or a missing feature) - hosted-engine only supports the self-signed cert. Can you please open a bug for this?

You might manage to make it work by replacing /etc/pki/ovirt-engine/ca.pem with the certificate of your ca, but this will prevent adding hosts (because it's needed to create a certificate for them). Perhaps other things will break too, I didn't try that.

--
Didi

