On Sat, Sep 9, 2017 at 9:48 PM, Chris Adams <c...@cmadams.net> wrote:
> I'm writing a script to install a new SSL key/cert pair (from Let's
> Encrypt) for the engine web UI on oVirt 4.1.  I'm looking at this, but
> it's a little confusing.
> https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/

You might want to check recent RHV docs:


ovirt.org is still not updated, sorry. Patches are welcome :-)

> It sounds like steps 1 and 3 are referring to the CA-supplied
> intermediate cert(s), not the actual issue cert for the server.  Is that
> right?


> Does anything actually use the PKCS12 format file referred to in step 4?

Currently, AFAIK, no.

> I don't normally see that format from regular CAs; they usually provide
> cert+intermediate(s) in PEM format.

Indeed, that's why in the above RHV docs we split it up into two procedures.

> With Apache 2.4, it is normal to just put the cert+intermediate(s) chain
> in one file and configure Apache with SSLCertificateFile.  You aren't
> supposed to put the CA-supplied cert in the SSLCACertificateFile like
> oVirt appears to do; that's intended to be used for validating client
> certs, not the intermediate(s) for the server cert.

Searching the net I also find:


Seems like this was changed in:


But no idea why. Perhaps we wanted the option to allow authentication
by client certs? See e.g.:


If you think that's a problem, please open a bug. Thanks!

> It really just looks like the cert+intermediate(s) should go in
> /etc/pki/ovirt-engine/certs/apache.cer, the corresponding key put in
> /etc/pki/ovirt-engine/keys/apache.key.nopass, and then Apache needs to
> be restarted.  Since oVirt doesn't use the engine web UI cert for
> anything internally (right?),

Mostly right

> do any of the other steps on the above
> page matter?

For step 8, you can search for 'site:bugzilla.redhat.com
There were several bugs about this.

The log collector always _does_ use the https interface, even on the local machine.
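
An added example, not part of the original thread and not oVirt's own tooling: a pre-install check that a script like the one described above could run, confirming that the first certificate in the PEM bundle (cert+intermediates) belongs to the private key before either file is copied into place. The function names and the four-argument calling convention are assumptions; the destination paths are supplied by the caller.

```shell
#!/bin/sh
# Added example: pre-install checks for a PEM cert bundle and its private key.
# Function names and argument order are assumptions made for this example.

# Print the public key of the first certificate in a PEM bundle (the server cert).
leaf_pubkey() {
    openssl x509 -in "$1" -noout -pubkey
}

# Print the public key derived from an unencrypted private key (RSA or EC).
# The empty -passin makes an encrypted key fail instead of prompting.
key_pubkey() {
    openssl pkey -in "$1" -passin pass: -pubout
}

# Count the certificates in a PEM bundle (server cert plus intermediates).
cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeed only if the bundle's first certificate belongs to the private key.
check_pair() {
    cert_pub=$(leaf_pubkey "$1" 2>/dev/null) || return 2
    key_pub=$(key_pubkey "$2" 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Validate first, then copy. $3 and $4 are the destination cert and key files.
# Ownership and mode of the destinations are left to the caller.
install_pair() {
    check_pair "$1" "$2" || {
        echo "refusing to install: $2 does not match first cert in $1" >&2
        return 1
    }
    [ "$(cert_count "$1")" -ge 2 ] || echo "warning: no intermediate in $1" >&2
    cp "$1" "$3" && cp "$2" "$4"
}

# Run only when called with arguments:
#   script BUNDLE.pem KEY.pem DEST_CERT DEST_KEY
if [ "$#" -eq 4 ]; then
    install_pair "$@"
fi
```

Because nothing is copied when the check fails, a mismatched pair never reaches the paths Apache reads, so the existing certificate keeps working until a valid pair is supplied.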
