On Wed, Feb 20, 2019 at 6:34 PM Giorgio Biacchi <gior...@di.unimi.it> wrote:
>
> On 2/20/19 7:47 AM, Yedidyah Bar David wrote:
> > On Tue, Feb 19, 2019 at 3:18 PM Giorgio Biacchi <gior...@di.unimi.it> wrote:
> >>
> >> Hi list,
> >> during our datacenter lifetime many things changed. We moved the engine
> >> twice on different hosts with, of course, different FQDNs, and many
> >> other changes. Now we are stuck with an error when we try to upload an
> >> image to a data domain. The error is somehow bound to a failure to
> >> validate the ovirt-imageio-proxy certificate and, since the current root
> >> CA certificate is still signed with sha1WithRSAEncryption we'd like to
> >> regenerate the whole CA.
> >
> > Is "sha1" all your problem? You might want to check:
> >
> > https://www.ovirt.org/develop/migrate-pki-to-sha256.html
>
> Today I repeated the procedure described in the link here above and
> finally I was successful. Maybe yesterday I was too quick to fall back
> to the original state but my environment is in production and I was scared...
>
> I had some problems while enrolling the new certificate on the
> hypervisors, but removing/rebooting/readding did the trick.

If you still have logs of the failure, you might want to open a bug.
I think 'Enroll Certificate' should have worked.

>
> Our engine has an SSO_ALTERNATE_ENGINE_FQDN (before it was the real
> engine FQDN) so I found that ImageProxyAddress was still pointing to the
> old name.

Should be fixed in ovirt-engine-rename in 4.3:

https://bugzilla.redhat.com/show_bug.cgi?id=1519194

If you used other means (e.g. only add alternate fqdn but do not run rename),
it's up to you to handle, e.g. as you did below.

> I'm now able (as before) to access the admin portal with both
> names but only one (the one with the green lock in the browser) is the
> FQDN in the certificate, so I did:
>
> engine-config --set ImageProxyAddress=realFQDN:54323
>
> and now I have sha256 certs and ovirt-imageio-proxy working as expected. :)

Glad to hear that, thanks for the report!

Best regards,
--
Didi