I figured it out.  When ovirt-provider-ovn attempts to connect back to
the engine via HTTPS, it tells the python requests module to use the
specified CA cert file... but that won't work with most 3rd-party certs
because they have an intermediate cert as well.  It appears that the
requests module tries to validate both certs.

Creating /etc/ovirt-provider-ovn/conf.d/99-custom-cert.conf that just
has:

[OVIRT]
ovirt-ca-file=

tells the module to use the regular system CA cert file(s), which works.
This should probably be added to the oVirt doc for using a 3rd-party
cert.

Once upon a time, Chris Adams <c...@cmadams.net> said:
> Circling back to an old email...
> 
> Once upon a time, Yedidyah Bar David <d...@redhat.com> said:
> > On Wed, Jan 30, 2019 at 10:28 PM Chris Adams <c...@cmadams.net> wrote:
> > > However, while digging, I also noticed that now the engine is not
> > > communicating with ovirt-provider-ovn, possibly due to a similar issue?
> > > It is having the reverse problem; it rejects the engine's cert.
> > 
> > Didn't try this yet, adding Dominik.
> 
> Was anybody able to look at this?  I had to use my dev hardware for
> something else for a bit, so re-installed with 4.3.5 yesterday.  The
> imageio SSL cert issue looks good, but I still can't figure out the
> ovirt-provider-ovn CA usage.
> 
> My little bit of digging seems to show that the engine connects to the
> provider and is using an SSL client cert, and that cert is signed by
> something... but I'm not sure what.  I think the provider side is trying
> to validate with the following setting from
> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> 
> [OVIRT]
> ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem
> 
> Following the general "3rd-party SSL", that is now the Let's Encrypt CA.
> I tried changing it to point to the original self-signed oVirt CA (same
> directory, just "ca.pem"), but that didn't work either.
> 
> Any suggestions?

-- 
Chris Adams <c...@cmadams.net>
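
A small audit of which conf.d fragment ends up deciding `ovirt-ca-file`, added here as an example; it is not part of the original message or of ovirt-provider-ovn. It assumes fragments are applied in lexical filename order with later files overriding earlier ones, and the function names are hypothetical.

```python
import configparser
import tempfile
from pathlib import Path


def effective_option(conf_dir, section="OVIRT", option="ovirt-ca-file"):
    """Return (value, winning_file, history) for one option across fragments.

    Assumption: fragments apply in lexical filename order and a later file
    overrides an earlier one, as the 10-/99- prefixes in the thread suggest.
    """
    value, winner, history = None, None, []
    for path in sorted(Path(conf_dir).glob("*.conf")):
        parser = configparser.ConfigParser(interpolation=None)
        parser.read(path)
        if parser.has_option(section, option):
            value, winner = parser.get(section, option).strip(), path.name
            history.append((path.name, value))
    return value, winner, history


def describe(value):
    """Classify the effective CA setting for an audit report."""
    if value is None:
        return "unset"
    if value == "":
        return "empty: no pinned CA file"
    pem = Path(value)
    if not pem.is_file():
        return "pinned file missing"
    count = pem.read_text(errors="replace").count("-----BEGIN CERTIFICATE-----")
    return f"pinned file with {count} certificate(s)"


def demo():
    """Constructed sample: the two fragments quoted in the thread."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "10-setup-ovirt-provider-ovn.conf").write_text(
            "[OVIRT]\novirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem\n")
        before = effective_option(d)
        Path(d, "99-custom-cert.conf").write_text("[OVIRT]\novirt-ca-file=\n")
        after = effective_option(d)
    return before, after


if __name__ == "__main__":
    for value, winner, history in demo():
        print(winner, "->", describe(value), history)
```

How the provider hands an empty value to requests is not shown in the thread, so the report only states that no CA file is pinned.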