On Wed, Feb 20, 2019 at 6:34 PM Giorgio Biacchi <gior...@di.unimi.it> wrote:
>
> On 2/20/19 7:47 AM, Yedidyah Bar David wrote:
> > On Tue, Feb 19, 2019 at 3:18 PM Giorgio Biacchi <gior...@di.unimi.it> wrote:
> >>
> >> Hi list,
> >> during our datacenter lifetime many things changed. We moved the engine
> >> twice on different hosts with, of course, different FQDNs, and many
> >> other changes. Now we are stuck with an error when we try to upload an
> >> image to a data domain. The error is somehow bound to a failure to
> >> validate the ovirt-imageio-proxy certificate and, since the current root
> >> CA certificate is still signed with sha1WithRSAEncryption we'd like to
> >> regenerate the whole CA.
> >
> > Is "sha1" all your problem? You might want to check:
> >
> > https://www.ovirt.org/develop/migrate-pki-to-sha256.html
>
> Today I repeated the procedure described in the link here above and
> finally I was successful. Maybe yesterday I was too quick to fall back
> to the original state but my environment is in production and I was scared...
>
> I had some problems while enrolling the new certificate on the
> hypervisors, but removing/rebooting/readding did the trick.

If you still have logs of the failure, you might want to open a bug.
I think 'Enroll Certificate' should have worked.

>
> Our engine has an SSO_ALTERNATE_ENGINE_FQDN (before it was the real
> engine FQDN) so I found that ImageProxyAddress was still pointing to the
> old name.

Should be fixed in ovirt-engine-rename in 4.3:

https://bugzilla.redhat.com/show_bug.cgi?id=1519194

If you used other means (e.g. only add alternate fqdn but do not run
rename), it's up to you to handle, e.g. as you did below.

> I'm now able (as before) to access the admin portal with both
> names but only one (the one with the green lock in the browser) is the
> FQDN in the certificate, so I did:
>
> engine-config --set ImageProxyAddress=realFQDN:54323
>
> and now I have sha256 certs and ovirt-imageio-proxy working as expected. :)

Glad to hear that, thanks for the report!

Best regards,
-- 
Didi
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/SK4BMV5VGYDDI4S2EMJKGXDG723VQ2V3/