Since you replace ca.pem you need to replace the private key of ca.pem Please copy the private key of /etc/pki/ovirt-engine/ca.pem to /etc/pki/ovirt-engine/private/ca.pem and let me know if everything works
On Thu, Oct 27, 2016 at 2:47 PM, Kenneth Bingham <w...@qrk.us> wrote: > > Thanks Ravi, that's helpful and I appreciate the precision and attention > to detail. I performed similar steps to install a custom certificate for > the oVirt Manager GUI. But what about configuring ovirt-engine to trust a > certificate issued by the same CA and presented by the VDSM host? On the > hypervisor host, I used the existing private key to generate the CSR, > issued the server certificate, and installed in three locations before > bouncing vdsmd. > > On the hypervisor Host server (not the Manager/engine server): > /etc/pki/vdsm/certs/vdsmcert.pem > /etc/pki/vdsm/libvirt-spice/server-cert.pem > /etc/pki/libvirt/clientcert.pem > > Now, that host is "non responsive" in Manager because ovirt-engine does > not trust the new certificate even though I already performed all of the > steps that you describe above except that I installed the issuer's CA > certificate as the trusted entity. I've documented all of the steps I took in > this Gist > <https://gist.github.com/qrkourier/9c9ac3e8b190dcb91d3767179d5a39ea>. > > > > On Thu, Oct 27, 2016 at 2:12 PM Ravi Nori <rn...@redhat.com> wrote: > >> Here is a complete set of instructions that works for me >> >> You can skip the first few steps of generating the certificate. >> >> Ravi >> >> >> Generate a self-signed certificate using openssl >> ====================================== >> openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout >> privateKey.key -out certificate.pem >> >> Convert a PEM certificate file and a private key to PKCS#12 (.p12) >> ===================================================== >> openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in >> certificate.pem >> >> Extract the key from the bundle >> ========================= >> openssl pkcs12 -in certificate.p12 -nocerts -nodes > apache.key.nopass >> >> Extract the certificate from the bundle >> ============================== >> openssl pkcs12 -in certificate.p12 -nokeys > apache.cer >> >> Create a new Keystore for testing >> ========================== >> keytool -keystore clientkeystore -genkey -alias client >> >> Convert .pem to .der >> ================ >> openssl x509 -outform der -in certificate.pem -out certificate.der >> >> Import certificates to keystore >> ======================= >> keytool -import -alias apache -keystore ./clientkeystore -file >> ./certificate.der >> >> Create Custom conf for ovirt >> ====================== >> vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf >> >> Set location of truststore and its password >> ================================= >> ENGINE_HTTPS_PKI_TRUST_STORE="/home/rnori/Downloads/Cert/clientkeystore" >> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="123456" >> >> Copy the custom certificates >> ====================== >> rm /etc/pki/ovirt-engine/apache-ca.pem >> cp certificate.pem /etc/pki/ovirt-engine/apache-ca.pem >> cp certificate.p12 /etc/pki/ovirt-engine/keys/apache.p12 >> cp apache.cer /etc/pki/ovirt-engine/certs/apache.cer >> cp apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass >> >> Restart engine and httpd >> =================== >> service httpd restart >> service ovirt-engine restart >> >> On Thu, Oct 27, 2016 at 5:30 AM, Nicolas Ecarnot <nico...@ecarnot.net> >> wrote: >> >> Le 27/10/2016 à 00:14, Kenneth Bingham a écrit : >> >> I did install a server certificate from a private CA on the engine >> server for the oVirt 4 Manager GUI, but haven't figured out how to >> configure engine to trust the same CA which also issued the server >> certificate presented by vdsm. This is important for us because this is >> the same server certificate presented by the host when using the console >> (e.g. websocket console falls silently if the user agent doesn't trust >> the console server's certificate). >> >> >> Hello, >> >> Maybe related bug : on an oVirt 4, I followed the same procedure below to >> install a custom CA, with *SUCCESS*. >> >> Today, I had to reinstall one of the hosts, and it is failing with : >> "CA certificate and CA private key do not match" : >> >> http://pastebin.com/9JS05JtJ >> >> Which certificate did we (Kenneth and I) did we mis-used? >> What did we do wrong? >> >> Regards, >> >> Nicolas ECARNOT >> >> >> >> On Wed, Oct 26, 2016, 16:58 Beckman, Daniel >> <daniel.beck...@ingramcontent.com >> <mailto:daniel.beck...@ingramcontent.com>> wrote: >> >> We have oVirt 3.6.7 and I am preparing to upgrade to 4.0.4 release. >> I read the release notes (https://www.ovirt.org/release/4.0.4/) and >> noted comment #4 under “Install / Upgrade from previous version”:____ >> >> __ __ >> >> /If you are using HTTPS certificate signed by custom certificate >> authority, please take a look at https://bugzilla.redhat.com/1336838 >> for steps which need to be done after migration to 4.0. Also please >> consult https://bugzilla.redhat.com/1313379 how to setup this custom >> CA for use with virt-viewer clients.____/ >> >> /__ __/ >> >> So I referred to the first bugzilla >> (https://bugzilla.redhat.com/show_bug.cgi?id=1336838), where it >> states as follows:____ >> >> __ __ >> >> If customer wants to use custom HTTPS certificate signed by >> different CA, then he has to perform following steps: ____ >> >> __ __ >> >> 1. Install custom CA (that signed HTTPS certificate) into host wide >> trustore (more info can be found in update-ca-trust man page) ____ >> >> __ __ >> >> 2. Configure HTTPS certificate in Apache (this step is same as in >> previous versions) ____ >> >> __ __ >> >> 3. Create new configuration file (for example >> /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf) with >> following content: ____ >> >> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts" >> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="" ____ >> >> __ __ >> >> 4. Restart ovirt-engine service____ >> >> __ __ >> >> I find it humorous that step # 1 suggests reading the “man page” >> which is only slightly better than suggesting to “google” it. ____ >> >> __ __ >> >> Has anyone using a custom CA for their HTTPS certificate >> successfully upgraded to oVirt 4? If so could you share your >> detailed steps? Or can anyone point me to an actual example of this >> procedure? I’m a little nervous about the upgrade if you can’t >> already tell. ____ >> >> __ __ >> >> Thanks,____ >> >> Daniel____ >> >> _______________________________________________ >> Users mailing list >> Users@ovirt.org <mailto:Users@ovirt.org> >> http://lists.ovirt.org/mailman/listinfo/users >> >> >> >> _______________________________________________ >> Users mailing list >> Users@ovirt.org >> http://lists.ovirt.org/mailman/listinfo/users >> >> >> >> -- >> Nicolas ECARNOT >> >> _______________________________________________ >> Users mailing list >> Users@ovirt.org >> http://lists.ovirt.org/mailman/listinfo/users >> >> >>
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users