On Wed, Jul 4, 2018 at 11:08 AM Etienne Charlier < [email protected]> wrote:
> Thanks for getting back to me. > > > I wanted to "protect" my ovirt installation with letsencrypt certificates > ( to have a "green" bar in my chrome browser.) > I think there is a misconception here. Using the engine builtin CA is more secure than any other CA, not less secure. You don't protect anything by using another CA. What you really need to do is to import the engine CA certificate to your browser, and this is also required for communicating with the proxy. Unless you know what you are doing, replacing the certificates with your own is going to be hard. > > I set up a bastion host where I configured letsencrypt. > > > I copied the certificates over the ovirt engine machine and ran the > script "convert.sh" ( see attachement). ( still need to automate it to > handle certificate renew..) > > > Once this was in place, the test connection button ( in upload image UI) > gave me "green" "Connection to ovirt-imageio-proxy was successful." > This means that the proxy is configured to use the new CA, but this is not enough to upload. The proxy has its own certificates, and they must be signed by the new CA. So to use your own certificates, you have to regenerate both the engine certificates, and the proxy certificates, and this process is not easy or documented yet. If you created everything correctly, you need to configure the proxy to use the new certificates. Finally, you need to restart ovirt-imgaeio-proxy, since it does not support reloading certificates or configuration changes yet. I think the best solution for you is to use engine builtin PKI, managed by engine-setup. To "protect" your ovirt installation, add the engine CA to your browser using this link: https://my.engine/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA You save this file locally, and then you import this certificate into your browser. Using Chrome, you do: 1. go to: Settings > Advanced > Manage Certificates > Authorities 2. click "Import" 3. select the certificate 4. check "Trust this certificate for identifying web sites" 5. confirm 6. restart the browser > Here a copy of engine.log and ovirt-imageio-proxy log files. The ssl paths > are dumped in the log file > > Thanks for your support > Etienne > > ------------------------------ > *De :* Nir Soffer <[email protected]> > *Envoyé :* mardi 3 juillet 2018 23:31 > *À :* Etienne Charlier > *Cc :* [email protected]; Daniel Erez > *Objet :* Re: [ovirt-users] Cannot import a qcow2 image > > > > On Tue, Jul 3, 2018 at 11:47 PM Nir Soffer <[email protected]> wrote: > >> On Tue, 3 Jul 2018, 15:44 , <[email protected]> >> wrote: >> >>> Hello, >>> >>> I' m trying without success to import a qcow2 file into ovirt. I tried >>> on a ISCSI datadomain and an nfs datadomain. >>> >>> I struggled quite a lot to have the "test connection" succed ( I write a >>> small shell script to "deploy" letsencryt certificates into ovirt engine) >>> >>> Doc is not clear on the fact that certificates for imageio-proxy are >>> different than for main engine… >>> >>> >>> Now, the upload fails with >>> >>> Transfer was stopped by system. Reason: failed to add image ticket to >>> ovirt-imageio-proxy. >>> Image gets stuck in "transfer paused by system" >>> >>> Any idea ? >>> >> >> you probably have bad cretificate configuration in the proxy. Why not use >> the default certificates generated by engine setup? This is how we test the >> proxy. >> > > Can you share the contents of: > /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf > > And the proxy log at > /var/log/ovirt-imageio-proxy/image-proxy.log > Showing the time of the error (failed to add image ticket to > ovirt-imageio-proxy.) > > Nir > > >> >> >>> ovrit is up to date: 4.2.4 on both engine and hosts. >>> _______________________________________________ >>> Users mailing list -- [email protected] >>> To unsubscribe send an email to [email protected] >>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ >>> oVirt Code of Conduct: >>> https://www.ovirt.org/community/about/community-guidelines/ >>> List Archives: >>> https://lists.ovirt.org/archives/list/[email protected]/message/FTC3PBZCRRTI2LBADOPOS2EYRCZ6EQA3/ >>> >>
_______________________________________________ Users mailing list -- [email protected] To unsubscribe send an email to [email protected] Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/Y6LNIS4HV3HXCUCII5SYLBV67S7HVT5E/

