On Wed, Jul 4, 2018 at 6:50 PM, Nir Soffer <[email protected]> wrote:
> On Wed, Jul 4, 2018 at 11:08 AM Etienne Charlier <Etienne.Charlier@
> reduspaceservices.eu> wrote:
>
>> Thanks for getting back to me.
>>
>> I wanted to "protect" my ovirt installation with letsencrypt certificates
>> ( to have a "green" bar in my chrome browser.)
>>
> I think there is a misconception here. Using the engine builtin CA is more
> secure than any other CA, not less secure. You don't protect anything by
> using another CA.
>

Well, not sure I agree, but not sure that's the point...

The engine-internal CA is only protected by a unix ACL, on the engine
machine. So if you manage to get root on it, you can do anything with the
engine CA. Most reasonable CAs (including hopefully most
organization-internal ones) have more than one level in the authority
chain, with the root cert's key being kept offline in some safe, so it's
harder to break.

> What you really need to do is to import the engine CA certificate to your
> browser, and this is also required for communicating with the proxy.
>
> Unless you know what you are doing, replacing the certificates with your
> own is going to be hard.
>

Should not be - we have this doc, and should update it as needed:

[1] https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/

Actually it's indeed somewhat out-of-date. See also:

[2] https://bugzilla.redhat.com/show_bug.cgi?id=1385617

which should be the only thing missing in:

[3] https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.2/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl

which is somewhat more up-to-date than [1] (has websocket-proxy).

>> I set up a bastion host where I configured letsencrypt.
>>
>> I copied the certificates over the ovirt engine machine and ran the
>> script "convert.sh" ( see attachment). ( still need to automate it to
>> handle certificate renew..)
>>
>> Once this was in place, the test connection button ( in upload image UI)
>> gave me "green" "Connection to ovirt-imageio-proxy was successful."
>>
> This means that the proxy is configured to use the new CA, but this is not
> enough to upload. The proxy has its own certificates, and they must be
> signed by the new CA.
>
> So to use your own certificates, you have to regenerate both the engine
> certificates, and the proxy certificates, and this process is not easy or
> documented yet.
>

Isn't this what above bug [2] is about? You wrote there that it's ok to
configure the proxy to use same key/cert as apache.

Thanks,

> If you created everything correctly, you need to configure the proxy to
> use the new certificates.
>
> Finally, you need to restart ovirt-imageio-proxy, since it does not
> support reloading certificates or configuration changes yet.
>
> I think the best solution for you is to use engine builtin PKI, managed by
> engine-setup.
>
> To "protect" your ovirt installation, add the engine CA to your browser
> using this link:
> https://my.engine/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
>
> You save this file locally, and then you import this certificate into your
> browser.
>
> Using Chrome, you do:
> 1. go to: Settings > Advanced > Manage Certificates > Authorities
> 2. click "Import"
> 3. select the certificate
> 4. check "Trust this certificate for identifying web sites"
> 5. confirm
> 6. restart the browser
>
>> Here a copy of engine.log and ovirt-imageio-proxy log files. The ssl
>> paths are dumped in the log file
>>
>> Thanks for your support
>> Etienne
>>
>> ------------------------------
>> *From:* Nir Soffer <[email protected]>
>> *Sent:* Tuesday, July 3, 2018 23:31
>> *To:* Etienne Charlier
>> *Cc:* [email protected]; Daniel Erez
>> *Subject:* Re: [ovirt-users] Cannot import a qcow2 image
>>
>> On Tue, Jul 3, 2018 at 11:47 PM Nir Soffer <[email protected]> wrote:
>>
>>> On Tue, 3 Jul 2018, 15:44 , <[email protected]> wrote:
>>>
>>>> Hello,
>>>>
>>>> I'm trying without success to import a qcow2 file into ovirt. I tried
>>>> on an iSCSI datadomain and an nfs datadomain.
>>>>
>>>> I struggled quite a lot to have the "test connection" succeed ( I wrote
>>>> a small shell script to "deploy" letsencrypt certificates into ovirt engine)
>>>>
>>>> Doc is not clear on the fact that certificates for imageio-proxy are
>>>> different than for main engine…
>>>>
>>>> Now, the upload fails with
>>>>
>>>> Transfer was stopped by system. Reason: failed to add image ticket to
>>>> ovirt-imageio-proxy.
>>>> Image gets stuck in "transfer paused by system"
>>>>
>>>> Any idea ?
>>>>
>>>
>>> you probably have bad certificate configuration in the proxy. Why not
>>> use the default certificates generated by engine setup? This is how we
>>> test the proxy.
>>>
>>
>> Can you share the contents of:
>> /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
>>
>> And the proxy log at
>> /var/log/ovirt-imageio-proxy/image-proxy.log
>> Showing the time of the error (failed to add image ticket to
>> ovirt-imageio-proxy.)
>>
>> Nir
>>
>>>> ovirt is up to date: 4.2.4 on both engine and hosts.
>>>> _______________________________________________
>>>> Users mailing list -- [email protected]
>>>> To unsubscribe send an email to [email protected]
>>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>>>> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
>>>> List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/FTC3PBZCRRTI2LBADOPOS2EYRCZ6EQA3/
>>>>
>>>
-- 
Didi
_______________________________________________
Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/DSJJZBHXIPY3GR6REIP26BGDYOBAHQER/
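The thread's practical point is that a "green" test-connection button is not enough: the certificate ovirt-imageio-proxy presents must itself chain to the CA the browser (and engine) trust, and the page's pki-resource URL is where that CA can be fetched from. The script below is an added example, not part of the thread or of oVirt; it wraps openssl so an admin can confirm, before restarting the proxy, that a given certificate file or a live listener verifies against the engine CA. The engine host name, proxy port and file paths are placeholders, and make_test_pki builds a throwaway CA plus leaf purely to self-check the functions offline.

```shell
#!/bin/sh
# Added example (not from the thread or oVirt): verify that engine / proxy
# certificates chain to the engine CA before trusting them.
# Assumes openssl and curl are installed. ENGINE_FQDN and ports are placeholders.

# Download the engine CA via the pki-resource URL quoted in the thread.
fetch_engine_ca() {
    engine_fqdn="$1"; out="$2"
    curl -fsS -o "$out" \
      "https://${engine_fqdn}/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA"
}

# Return 0 only if LEAF chains to a CA in CAFILE (e.g. the proxy's configured cert).
verify_chain() {
    cafile="$1"; leaf="$2"
    openssl verify -CAfile "$cafile" "$leaf" >/dev/null 2>&1
}

# Check a live TLS listener (engine on 443, proxy on its own port) the same way;
# -verify_return_error makes a failed chain a non-zero exit instead of a warning.
verify_listener() {
    cafile="$1"; host="$2"; port="$3"
    printf '' | openssl s_client -connect "${host}:${port}" -servername "$host" \
        -CAfile "$cafile" -verify_return_error >/dev/null 2>&1
}

# Constructed throwaway PKI for a self-check: ca.pem signs leaf.pem,
# other.pem is an unrelated CA that must NOT verify the leaf.
make_test_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=test-ca \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=other-ca \
        -keyout "$dir/other.key" -out "$dir/other.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj /CN=proxy.example \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.pem" >/dev/null 2>&1
}

# Offline self-check so the script demonstrates both outcomes when run directly.
self_check() {
    tmp=$(mktemp -d)
    make_test_pki "$tmp"
    if verify_chain "$tmp/ca.pem" "$tmp/leaf.pem"; then
        echo "leaf signed by ca.pem: verified"
    fi
    if ! verify_chain "$tmp/other.pem" "$tmp/leaf.pem"; then
        echo "leaf against unrelated other.pem: rejected (as expected)"
    fi
    rm -rf "$tmp"
}
self_check

# Real use (placeholders): fetch the engine CA, then check the proxy's cert file
# and the listener. Uncomment and adjust:
# fetch_engine_ca my.engine /tmp/engine-ca.pem
# verify_chain /tmp/engine-ca.pem /path/to/proxy-cert.pem && echo "proxy cert OK"
# verify_listener /tmp/engine-ca.pem my.engine 443 && echo "engine listener OK"
```

If verify_chain fails for the proxy's certificate file while the engine listener passes, the proxy is presenting a cert signed by a different CA than the one the browser imported, which matches the situation described in the thread.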

