On Mon, Jun 18, 2018 at 9:19 AM, Tomas Jelinek <[email protected]> wrote:
>
>
> On Mon, Jun 18, 2018 at 8:01 AM, Yedidyah Bar David <[email protected]> wrote:
>>
>> On Sun, Jun 17, 2018 at 6:11 PM, John Florian <[email protected]> wrote:
>> > I followed the docs at
>> > https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/ and all
>> > works well from the usual web portal. Went to test moVirt and ran into a
>> > snag. It wants to download the CA using
>> >
>> > http://fqdn/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA,
>>
>> I never tried movirt, but the user's guide [1] says it can import
>> user-supplied certs, so you can supply your own CA's cert, no?
>
>
> correct, you can supply your own certificate, movirt just by default grabs
> the one which is provided by engine at:
> http://fqdn/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
>
> @Ravi: is it correct that after you provide your own CA that the
> http://fqdn/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
> is still pointing to the old one?

Yes - check this:

https://ovirt.org/develop/release-management/features/infra/pki/#services

It does not have a resource "apache-certificate" or anything like that.

The assumption is that a user who changes httpd's conf to use a 3rd-party
CA is in control of it, not the engine - so the engine can't handle it.
This is even if the user followed the documentation, because in principle,
the user can do other things - e.g. point SSLCACertificateFile at a
different file instead of replacing the content of the existing
apache-ca.pem (which defaults to a symlink to ca.pem, which _is_ controlled
by the engine (as in "we do not have any documentation about how to replace
it, and doing that will break many flows")).

>
>>
>>
>> Anyway, patches (to either that web page or movirt, or both) are most
>> welcome!
>>
>> Best regards,
>>
>> [1] https://github.com/oVirt/moVirt/wiki/User%27s-guide
>>
>> > but that's grabbing the old CA issued by the engine rather than my custom
>> > CA. What else needs to be changed? I'm sure I can finagle my way to a fix
>> > here by telling moVirt to use a custom URL or file, but this looks like a
>> > bug in the docs that would probably best be fixed.
>> >
>> > --
>> > John Florian
>> >
>> >
>> > _______________________________________________
>> > Users mailing list -- [email protected]
>> > To unsubscribe send an email to [email protected]
>> > Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>> > oVirt Code of Conduct:
>> > https://www.ovirt.org/community/about/community-guidelines/
>> > List Archives:
>> > https://lists.ovirt.org/archives/list/[email protected]/message/2DUNW4Y24HW4S5K4VGLIZRVR2K7BF37Z/
>> >
>>
>>
>>
>> --
>> Didi
>
>
>

--
Didi
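
A check an administrator could run on the engine host for the situation discussed in this thread: whether the file named by httpd's SSLCACertificateFile is still the engine's own ca.pem (directly or through the apache-ca.pem symlink) or has become a third-party CA that the engine does not know about. This is an added example, not code from the thread or from oVirt; the function names are hypothetical, the file contents in `demo()` are constructed, and the real config and CA paths on a host are left as arguments to pass in.

```python
import hashlib
import os
import re
import shutil
import tempfile

# Apache directive names are case-insensitive; the path may be quoted.
DIRECTIVE = re.compile(r'^\s*SSLCACertificateFile\s+"?([^"\s]+)"?', re.IGNORECASE)

def apache_ca_files(conf_text):
    """Paths of every active (uncommented) SSLCACertificateFile directive."""
    return [m.group(1) for m in map(DIRECTIVE.match, conf_text.splitlines()) if m]

def digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def classify(conf_text, engine_ca):
    """Label each configured CA file: engine-ca, third-party or missing."""
    labels = {}
    for path in apache_ca_files(conf_text):
        if not os.path.exists(path):  # also catches a dangling symlink
            labels[path] = "missing"
        elif os.path.samefile(path, engine_ca) or digest(path) == digest(engine_ca):
            labels[path] = "engine-ca"
        else:
            labels[path] = "third-party"
    return labels

def demo():
    """Constructed layout covering the three cases discussed in the thread."""
    d = tempfile.mkdtemp()
    engine_ca, link, custom = (os.path.join(d, n) for n in ("ca.pem", "apache-ca.pem", "custom-ca.pem"))
    with open(engine_ca, "w") as f:
        f.write("constructed engine CA\n")
    with open(custom, "w") as f:
        f.write("constructed third-party CA\n")
    os.symlink(engine_ca, link)  # default: apache-ca.pem -> ca.pem
    out = {"default": classify(f"SSLCACertificateFile {link}\n", engine_ca)}
    os.remove(link)
    shutil.copy(custom, link)  # content of apache-ca.pem replaced
    out["replaced"] = classify(f"SSLCACertificateFile {link}\n", engine_ca)
    conf = f"# SSLCACertificateFile {link}\nSSLCACertificateFile {custom}\n"
    out["redirected"] = classify(conf, engine_ca)  # directive points elsewhere
    shutil.rmtree(d)
    return out

if __name__ == "__main__":
    for case, labels in demo().items():
        print(case, sorted(labels.values()))
```

A "third-party" result marks a host where clients that fetch the CA from the pki-resource URL will receive the engine CA, as the thread describes, and need the custom CA supplied to them separately.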

