Once upon a time, Yedidyah Bar David <d...@redhat.com> said:
> On Tue, Jan 29, 2019 at 6:05 PM Chris Adams <c...@cmadams.net> wrote:
> > I installed an SSL cert from a public CA (Let's Encrypt) on my engine,
> > following this:
> >
> > https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.2/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_CA_Certificate
> >
> > That gets the regular web UI working, but I can't upload an ISO.  I
> > assume that I need to do something with the imageio-proxy service on the
> > engine, but not sure what... I tried replacing imageio-proxy.cer and
> > imageio-proxy.key.nopass, but that didn't work.
> 
> Did you restart the imageio-proxy?
> 
> What didn't work? What happened?

I did restart the service.  When I then try to upload an ISO image, I
get "Paused by System" and this in engine.log:

########################################################################
2019-01-30 08:12:15,871-06 ERROR [org.ovirt.engine.core.bll.storage.disk.image.TransferDiskImageCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-52) [0052c7ad-38d7-429d-be3a-eb0e496d5ee8] Failed to add image ticket to ovirt-imageio-proxy: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [jsse.jar:1.8.0_191]
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946) [jsse.jar:1.8.0_191]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316) [jsse.jar:1.8.0_191]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310) [jsse.jar:1.8.0_191]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639) [jsse.jar:1.8.0_191]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) [jsse.jar:1.8.0_191]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) [jsse.jar:1.8.0_191]
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:965) [jsse.jar:1.8.0_191]
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064) [jsse.jar:1.8.0_191]
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367) [jsse.jar:1.8.0_191]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395) [jsse.jar:1.8.0_191]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379) [jsse.jar:1.8.0_191]
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) [rt.jar:1.8.0_191]
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) [rt.jar:1.8.0_191]
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334) [rt.jar:1.8.0_191]
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309) [rt.jar:1.8.0_191]
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259) [rt.jar:1.8.0_191]
        at org.ovirt.engine.core.bll.storage.disk.image.TransferImageCommand.addImageTicketToProxy(TransferImageCommand.java:654) [bll.jar:]
        at org.ovirt.engine.core.bll.storage.disk.image.TransferImageCommand.startImageTransferSession(TransferImageCommand.java:579) [bll.jar:]
        at org.ovirt.engine.core.bll.storage.disk.image.TransferImageCommand.handleImageIsReadyForTransfer(TransferImageCommand.java:261) [bll.jar:]
        at org.ovirt.engine.core.bll.storage.disk.image.TransferImageCommand.handleInitializing(TransferImageCommand.java:232) [bll.jar:]
        at org.ovirt.engine.core.bll.storage.disk.image.TransferImageCommand.executeStateHandler(TransferImageCommand.java:167) [bll.jar:]
        at org.ovirt.engine.core.bll.storage.disk.image.TransferImageCommand.proceedCommandExecution(TransferImageCommand.java:154) [bll.jar:]
        at org.ovirt.engine.core.bll.storage.disk.image.TransferImageCommandCallback.doPolling(TransferImageCommandCallback.java:21) [bll.jar:]
        at org.ovirt.engine.core.bll.tasks.CommandCallbacksPoller.invokeCallbackMethodsImpl(CommandCallbacksPoller.java:146) [bll.jar:]
        at org.ovirt.engine.core.bll.tasks.CommandCallbacksPoller.invokeCallbackMethods(CommandCallbacksPoller.java:107) [bll.jar:]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [rt.jar:1.8.0_191]
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [rt.jar:1.8.0_191]
        at org.glassfish.enterprise.concurrent.internal.ManagedScheduledThreadPoolExecutor$ManagedScheduledFutureTask.access$201(ManagedScheduledThreadPoolExecutor.java:383) [javax.enterprise.concurrent-1.0.jar:]
        at org.glassfish.enterprise.concurrent.internal.ManagedScheduledThreadPoolExecutor$ManagedScheduledFutureTask.run(ManagedScheduledThreadPoolExecutor.java:534) [javax.enterprise.concurrent-1.0.jar:]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [rt.jar:1.8.0_191]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [rt.jar:1.8.0_191]
        at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_191]
        at org.glassfish.enterprise.concurrent.ManagedThreadFactoryImpl$ManagedThread.run(ManagedThreadFactoryImpl.java:250) [javax.enterprise.concurrent-1.0.jar:]
        at org.jboss.as.ee.concurrent.service.ElytronManagedThreadFactory$ElytronManagedThread.run(ElytronManagedThreadFactory.java:78)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) [rt.jar:1.8.0_191]
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) [rt.jar:1.8.0_191]
        at sun.security.validator.Validator.validate(Validator.java:262) [rt.jar:1.8.0_191]
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) [jsse.jar:1.8.0_191]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) [jsse.jar:1.8.0_191]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) [jsse.jar:1.8.0_191]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621) [jsse.jar:1.8.0_191]
        ... 30 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) [rt.jar:1.8.0_191]
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) [rt.jar:1.8.0_191]
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) [rt.jar:1.8.0_191]
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) [rt.jar:1.8.0_191]
        ... 36 more

########################################################################

I'm guessing that I affected the engine's ability to validate the
public-CA-signed cert on the imageio-proxy?  Maybe I just messed
something else up?

> > I'm trying to avoid ever needing to install a special CA cert in
> > browsers.
> 
> Makes sense.
> 
> This is a known bug:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1637809
> 
> Before opening it, we had a bug about fixing the documentation you
> point at:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1385617
> 
> As mentioned there, what you tried to do should have worked.

I saw the second BZ and read through it.  I was taking the approach of
replacing the imageio-proxy key/cert rather than repointing it; I've
switched to just changing the config but have the same issue.

-- 
Chris Adams <c...@cmadams.net>
_______________________________________________
Users mailing list -- users@ovirt.org
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/BOYGHA67LAQKUJR35PDYF27O7VI3YQAD/
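
The PKIX error in the log above means the TLS client found no trust anchor for the certificate chain it was shown. The following is an added example, not part of the original message or of oVirt: it builds throw-away CAs with openssl (the names internal-ca, public-root, intermediate and leaf are assumptions) and runs the same chain check against an unrelated anchor, against the right root without its intermediate, and against the complete chain.

```shell
#!/bin/sh
# Added example. Every key and certificate below is constructed and throw-away;
# the CA names are stand-ins, not files from a real engine.

# chain_ok ANCHOR LEAF [INTERMEDIATE]
# Succeeds only if LEAF chains to the single trusted ANCHOR, the same
# question the Java trust manager asks before it raises the PKIX error.
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# make_pki DIR: internal-ca (the old trust anchor) plus an unrelated
# public-root -> intermediate -> leaf chain (the replacement certificate).
make_pki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' >"$d/ca.cnf"
    for ca in internal-ca public-root; do
        openssl req -x509 -config "$d/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
            -nodes -days 2 -subj "/CN=constructed $ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    for ee in intermediate leaf; do
        openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=constructed $ee" \
            -keyout "$d/$ee.key" -out "$d/$ee.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/public-root.pem" \
        -CAkey "$d/public-root.key" -CAcreateserial -days 2 -extfile "$d/ca.cnf" \
        -extensions v3_ca -out "$d/intermediate.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.pem" \
        -CAkey "$d/intermediate.key" -CAcreateserial -days 2 \
        -out "$d/leaf.pem" 2>/dev/null
}

# report LABEL ANCHOR LEAF [INTERMEDIATE]: print the verdict for one trust setup.
report() {
    if chain_ok "$2" "$3" "$4"; then echo "$1: trusted"; else echo "$1: no valid path"; fi
}

demo_dir=$(mktemp -d) && trap 'rm -rf "$demo_dir"' EXIT
make_pki "$demo_dir" || { echo "openssl failed" >&2; exit 1; }
report "client trusts only internal CA " "$demo_dir/internal-ca.pem" "$demo_dir/leaf.pem" "$demo_dir/intermediate.pem"
report "public root, chain not supplied" "$demo_dir/public-root.pem" "$demo_dir/leaf.pem"
report "public root plus intermediate  " "$demo_dir/public-root.pem" "$demo_dir/leaf.pem" "$demo_dir/intermediate.pem"
```

Only the third setup verifies. Swapping the server's certificate does not change what the connecting client trusts, so a client whose trust store still holds only the previous CA rejects the new chain.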