On Tue, Sep 1, 2015 at 1:36 PM, Baptiste Agasse <[email protected]> wrote:

> Hi,
>
> ----- On 1 Sep 15, at 9:43, Sandro Bonazzola <[email protected]> wrote:
>
> On Mon, Aug 31, 2015 at 6:08 PM, Alon Bar-Lev <[email protected]> wrote:
>
>> ----- Original Message -----
>> > From: "Baptiste Agasse" <[email protected]>
>> > To: "users" <[email protected]>
>> > Sent: Monday, August 31, 2015 6:54:28 PM
>> > Subject: [ovirt-users] ovirt 3.5 engine web certificate
>> >
>> > Hi all,
>> >
>> > I've followed the procedure to replace the self-signed certificate with
>> > one issued by our internal PKI to avoid security failure when users
>> > access the webui
>> > (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https).
>> > The connection to the webui now works fine without any security warning
>> > (the internal PKI CA is in the trusted CA of our clients' OS). But on the
>> > other hand, I've some troubles:
>> >
>> > * I've to specify the --ca-file option for ovirt-shell and
>> > engine-iso-uploader (I didn't test the engine-image-upload command), it
>> > would be nice if the documentation provided a way to replace this by
>> > default (or use the trusted CA store of the OS?). This is not a bug, just
>> > some feedback on the certificate change procedure that doesn't cover
>> > these side effects.
>>
>> This is [1], probably you want to modify the configuration files of these
>> tools at /etc so you will have proper defaults.
>>
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1146710
>
> Thank you for this link.
>
>> > * I can't add new ovirt-node anymore.
>>
>> If ovirt-node was added using previous certificate it "Remembers" that
>> certificate.
>> You can remove it from /etc/pki/vdsm/engine_web_ca.pem and try to
>> register again.
>>
>> > * The ovirt-hosted-engine --deploy fails
>> > on new nodes with an SSL error. To work around this I've to modify the
>> > file "/usr/lib/python2.7/site-packages/ovirtsdk/web/connection.py"
>> > around line 233 to make an insecure connection to the engine and add the
>> > new node. I haven't tested adding a new node from the ovirt engine
>> > cli/webui but I think it will be the same issue because the error occurs
>> > on the vdsm activation that is common to the 'new hosted engine node'
>> > and 'new node' deployment. I've seen
>> > https://bugzilla.redhat.com/show_bug.cgi?id=1059952
>> > but the workaround noted in the comment #8 didn't work for me.
>>
>> CC sandro for this.
>
> Can you please share full sos report?
>
> The report is a little bit big (about 57MB) to be sent by mail, have you
> any procedure I can use to send it to you?

Can you share it on Google Drive / Dropbox or any other file sharing service?

>> > Does someone have more info on this issue or have the same problem?
>> >
>> > This deployment is on ovirt 3.5.3, CentOS 7 (engine and nodes).
>> >
>> > Have a nice day.
>> >
>> > Regards.
>> >
>> > --
>> > Baptiste
>> > _______________________________________________
>> > Users mailing list
>> > [email protected]
>> > http://lists.ovirt.org/mailman/listinfo/users
>
> --
> Sandro Bonazzola
> Better technology. Faster innovation. Powered by community collaboration.
> See how it works at redhat.com
>
> --
> Baptiste

--
Sandro Bonazzola
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com
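The failure mode discussed in this thread (a client that still holds the previous engine CA rejecting the new web certificate), as an added example that is not part of the original messages or of oVirt's own code. It builds throwaway CAs with the openssl CLI and shows that the stale trust file rejects the new certificate while the issuing CA's file verifies it, which is why the trust file is replaced rather than verification switched off; every name and path in it is constructed.

```shell
#!/bin/sh
# Added example: all CAs, keys and host names below are constructed.

# ca_trusts_cert CAFILE CERT: exit 0 only if CERT chains to a CA in CAFILE.
ca_trusts_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_ca DIR NAME: write a self-signed CA as DIR/NAME.key and DIR/NAME.pem.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR CANAME HOST: write DIR/HOST.pem signed by the CA CANAME.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -set_serial 1 -days 1 -out "$1/$3.pem" 2>/dev/null
}

# verdict CAFILE CERT: print "trusted" or "rejected".
verdict() {
    if ca_trusts_cert "$1" "$2"; then echo trusted; else echo rejected; fi
}

# demo: old-engine-ca stands in for the CA copy a node cached before the web
# certificate was replaced; internal-pki-ca issued the new web certificate.
demo() {
    d=$(mktemp -d) || return 2
    make_ca "$d" old-engine-ca && make_ca "$d" internal-pki-ca &&
        issue_cert "$d" internal-pki-ca engine.example.test ||
        { rm -rf "$d"; return 2; }
    cert="$d/engine.example.test.pem"
    echo "stale=$(verdict "$d/old-engine-ca.pem" "$cert")" \
         "current=$(verdict "$d/internal-pki-ca.pem" "$cert")"
    rm -rf "$d"
}

demo
```

On a real host, `ca_trusts_cert` can be pointed at the trust file a tool is configured with and a saved copy of the certificate the engine serves.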

