After moving and rebooting our Red Hat Virtualization Manager box to another node in our cluster, we are unable to make LDAP login work using StartTLS. No networking or configuration changes were made, but the logs indicate that the TLS negotiation is failing with our Active Directory domain controllers now. Specifically:
"2018-11-13 10:33:12,500-05 WARN [org.ovirt.engineextensions.aaa.ldap.Framework] (ServerService Thread Pool -- 49) [] Exception: The connection reader was unable to successfully complete TLS negotiation: SSLHandshakeException(sun.security.validator.ValidatorException: No trusted certificate found), ldapSDKVersion=4.0.5, revision=b28fb50058dfe2864171df2448ad2ad2b4c2ad58" I have tried everything I can think of. I removed and reimported the certificate for the domain controller in the Java Keystore. I deleted the profile entirely and recreated it. I tried using the full certificate chain and I tried using single certificates from the chain, and all combinations together. For now, we have it working by specifying "pool.default.ssl.insecure = true" in the .properties file, but I'd prefer to have this working again using StartTLS. Is there something I am missing? I want to make sure that I'm not overlooking something before submitting any sort of bug report. Any help is appreciated. Thanks! PS - this is what the properties file looks like: [root@rhvm ~]# cat /etc/ovirt-engine/aaa/liberty.edu.properties include = <ad.properties> vars.domain = liberty.edu vars.user = cn=PREADER,ou=Service Accounts,ou=IS,OU=FSA,dc=University,dc=liberty,dc=edu vars.password = <redacted> pool.default.auth.simple.bindDN = ${global:vars.user} pool.default.auth.simple.password = ${global:vars.password} pool.default.serverset.type = srvrecord pool.default.serverset.srvrecord.domain = ${global:vars.domain} pool.default.ssl.startTLS = true pool.default.ssl.truststore.file = ${local:_basedir}/liberty.edu.jks _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/MZ3I6BOJFKNP3UPIF6WGGTBXJLTAMTPM/