Hi,

On Sat, May 4, 2019 at 1:24 AM <[email protected]> wrote:
>
> I fixed this 30 minutes after I posted this.  So for anyone else that has 
> this issue, it turns out that the cert wasn't getting imported after running 
> the command "keytool -import -alias ovirt -keystore ./cacerts -file 
> <3rdpartycert>.cer" manually, as "update-ca-trust" did not add it 
> automatically.  Also, the default password for the keystore is "changeit", 
> and I put the keystore password in the "99-custom-truststore.conf" file, not 
> the "" entry like the article says.

Can you please elaborate?

I assume you refer to this doc:

[1] https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html

I never tried configuring access to LDAP (TLS or not).

I think you either mix things a bit, or I fail to follow. In particular:

ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD should indeed usually be empty.
If you use a custom trust store for this, instead of the system-wide
/etc/pki/java/cacerts, it's indeed up to you - you can protect it with
a password, and then have to provide that password in this param.

"changeit" is the default password for the engine-internal truststore,
"/etc/pki/ovirt-engine/.truststore". But the above procedure does not
suggest adding your 3rd-party CA cert there. If you need to, that's a
bug. We recently fixed such a bug:

https://bugzilla.redhat.com/1687301

"keytool -import -alias ovirt -keystore ./cacerts -file
<3rdpartycert>.cer" is mentioned only in the second part, about LDAP
access. It suggests creating another truststore and using that in the
aaa configuration. You should indeed use the same password when
creating it and in the aaa conf (but do not need to do that in the
engine conf).

On Sat, May 4, 2019 at 2:23 AM <[email protected]> wrote:
>
> It appears I spoke too soon, even though I can now get into the ovirt portal, 
> I can't connect with the spice console.  Even after recopying the cert and 
> key over and restarting the service.

Please provide more details: What exactly did you change when trying
to use 3rd-party CA certs? What error do you get and where? What do
you see in relevant log files?

Thanks and best regards,
-- 
Didi