Once upon a time, Yedidyah Bar David <d...@redhat.com> said:
> On Tue, Jan 29, 2019 at 6:05 PM Chris Adams <c...@cmadams.net> wrote:
> > I installed an SSL cert from a public CA (Let's Encrypt) on my engine,
> > following this:
> >
> > https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.2/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_CA_Certificate
> >
> > That gets the regular web UI working, but I can't upload an ISO. I
> > assume that I need to do something with the imageio-proxy service on the
> > engine, but not sure what... I tried replacing imageio-proxy.cer and
> > imageio-proxy.key.nopass, but that didn't work.
>
> Did you restart the imageio-proxy?
>
> What didn't work? What happened?

I did restart the service. When I then try to upload an ISO image, I
get "Paused by System" and this in engine.log:

########################################################################
2019-01-30 08:12:15,871-06 ERROR [org.ovirt.engine.core.bll.storage.disk.image.TransferDiskImageCommand] (EE-ManagedThreadFactory-engineScheduled-Thread-52) [0052c7ad-38d7-429d-be3a-eb0e496d5ee8] Failed to add image ticket to ovirt-imageio-proxy: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [jsse.jar:1.8.0_191]
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946) [jsse.jar:1.8.0_191]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316) [jsse.jar:1.8.0_191]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310) [jsse.jar:1.8.0_191]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639) [jsse.jar:1.8.0_191]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) [jsse.jar:1.8.0_191]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) [jsse.jar:1.8.0_191]
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:965) [jsse.jar:1.8.0_191]
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064) [jsse.jar:1.8.0_191]
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367) [jsse.jar:1.8.0_191]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395) [jsse.jar:1.8.0_191]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379) [jsse.jar:1.8.0_191]
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) [rt.jar:1.8.0_191]
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) [rt.jar:1.8.0_191]
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334) [rt.jar:1.8.0_191]
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309) [rt.jar:1.8.0_191]
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259) [rt.jar:1.8.0_191]
        at org.ovirt.engine.core.bll.storage.disk.image.TransferImageCommand.addImageTicketToProxy(TransferImageCommand.java:654) [bll.jar:]
        at org.ovirt.engine.core.bll.storage.disk.image.TransferImageCommand.startImageTransferSession(TransferImageCommand.java:579) [bll.jar:]
        at org.ovirt.engine.core.bll.storage.disk.image.TransferImageCommand.handleImageIsReadyForTransfer(TransferImageCommand.java:261) [bll.jar:]
        at org.ovirt.engine.core.bll.storage.disk.image.TransferImageCommand.handleInitializing(TransferImageCommand.java:232) [bll.jar:]
        at org.ovirt.engine.core.bll.storage.disk.image.TransferImageCommand.executeStateHandler(TransferImageCommand.java:167) [bll.jar:]
        at org.ovirt.engine.core.bll.storage.disk.image.TransferImageCommand.proceedCommandExecution(TransferImageCommand.java:154) [bll.jar:]
        at org.ovirt.engine.core.bll.storage.disk.image.TransferImageCommandCallback.doPolling(TransferImageCommandCallback.java:21) [bll.jar:]
        at org.ovirt.engine.core.bll.tasks.CommandCallbacksPoller.invokeCallbackMethodsImpl(CommandCallbacksPoller.java:146) [bll.jar:]
        at org.ovirt.engine.core.bll.tasks.CommandCallbacksPoller.invokeCallbackMethods(CommandCallbacksPoller.java:107) [bll.jar:]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [rt.jar:1.8.0_191]
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [rt.jar:1.8.0_191]
        at org.glassfish.enterprise.concurrent.internal.ManagedScheduledThreadPoolExecutor$ManagedScheduledFutureTask.access$201(ManagedScheduledThreadPoolExecutor.java:383) [javax.enterprise.concurrent-1.0.jar:]
        at org.glassfish.enterprise.concurrent.internal.ManagedScheduledThreadPoolExecutor$ManagedScheduledFutureTask.run(ManagedScheduledThreadPoolExecutor.java:534) [javax.enterprise.concurrent-1.0.jar:]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [rt.jar:1.8.0_191]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [rt.jar:1.8.0_191]
        at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_191]
        at org.glassfish.enterprise.concurrent.ManagedThreadFactoryImpl$ManagedThread.run(ManagedThreadFactoryImpl.java:250) [javax.enterprise.concurrent-1.0.jar:]
        at org.jboss.as.ee.concurrent.service.ElytronManagedThreadFactory$ElytronManagedThread.run(ElytronManagedThreadFactory.java:78)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) [rt.jar:1.8.0_191]
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) [rt.jar:1.8.0_191]
        at sun.security.validator.Validator.validate(Validator.java:262) [rt.jar:1.8.0_191]
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) [jsse.jar:1.8.0_191]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) [jsse.jar:1.8.0_191]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) [jsse.jar:1.8.0_191]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621) [jsse.jar:1.8.0_191]
        ... 30 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) [rt.jar:1.8.0_191]
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) [rt.jar:1.8.0_191]
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) [rt.jar:1.8.0_191]
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) [rt.jar:1.8.0_191]
        ... 36 more
########################################################################

I'm guessing that I affected the engine's ability to validate the
public-CA-signed cert on the imageio-proxy? Maybe I just messed
something else up?

> > I'm trying to avoid ever needing to install a special CA cert in
> > browsers.
>
> Makes sense.
>
> This is a known bug:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1637809
>
> Before opening it, we had a bug about fixing the documentation you
> point at:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1385617
>
> As mentioned there, what you tried to do should have worked.

I saw the second BZ and read through it. I was taking the approach of
replacing the imageio-proxy key/cert rather than repointing it; I've
switched to just changing the config but have the same issue.

-- 
Chris Adams <c...@cmadams.net>