Seems I had a typo at /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf. I will repeat the test to verify that all services are functional following this process.
On Wed, Nov 18, 2020 at 10:24 AM Alex K <rightkickt...@gmail.com> wrote:
> Hi all,
>
> I am trying to replace the ovirt certificate at ovirt 4.3 following this:
>
> https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.3/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl
>
> I am doing the following:
> I have engine FQDN: manager.lab.local
>
> 1. Create root CA private key:
> openssl genrsa -des3 -out root.key 2048
>
> 2. Generate root certificate: (enter passphrase of root key)
> openssl req -x509 -new -nodes -key root.key -sha256 -days 3650 -out root.pem
> cp root.pem /tmp
>
> 3. Create key and CSR for engine:
> openssl genrsa -out manager.lab.local.key 2048
> openssl req -new -out manager.lab.local.csr -key manager.lab.local.key
>
> 4. Generate a certificate for engine and sign with the root CA key:
>
> openssl x509 -req -in manager.lab.local.csr \
>   -CA root.pem \
>   -CAkey root.key \
>   -CAcreateserial \
>   -out manager.lab.local.crt \
>   -days 3650 \
>   -sha256 \
>   -extensions v3_req
>
> 5. Verify the trust chain and check the certificate details:
> openssl verify -CAfile root.pem manager.lab.local.crt
> openssl x509 -text -noout -in manager.lab.local.crt | head -15
>
> 6. Generate a P12 container: (with empty password)
> openssl pkcs12 -export -out /tmp/apache.p12 \
>   -inkey manager.lab.local.key \
>   -in manager.lab.local.crt
>
> 8. Export key and cert:
> openssl pkcs12 -in apache.p12 -nocerts -nodes > /tmp/apache.key
> openssl pkcs12 -in apache.p12 -nokeys > /tmp/apache.cer
>
> From the above steps we should have the following:
>
> /tmp/root.pem
> /tmp/apache.p12
> /tmp/apache.key
> /tmp/apache.cer
>
> 9. Place the certificates:
> hosted-engine --set-maintenance --mode=global
> cp -p /etc/pki/ovirt-engine/keys/apache.p12 /tmp/apache.p12.bck
> cp /tmp/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12
> cp /tmp/root.pem /etc/pki/ca-trust/source/anchors
> update-ca-trust
> rm /etc/pki/ovirt-engine/apache-ca.pem
> cp /tmp/root.pem /etc/pki/ovirt-engine/apache-ca.pem
>
> Backup existing key and cert:
> cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.bck
> cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.bck
> cp /tmp/apache.key /etc/pki/ovirt-engine/keys/apache.key.nopass
> cp /tmp/apache.cer /etc/pki/ovirt-engine/certs/apache.cer
> chown root:ovirt /etc/pki/ovirt-engine/keys/apache.key.nopass
> chmod 640 /etc/pki/ovirt-engine/keys/apache.key.nopass
> systemctl restart httpd.service
>
> 10. Create a new trust store configuration file:
> vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
>
> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
>
> 11. Edit /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf :
> vi /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>
> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>
> 12. Edit /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf:
> vi /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
>
> # Key file for SSL connections
> ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
> # Certificate file for SSL connections
> ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer
>
> 13. Import the certificate at system-wide java trust store
>
> update-ca-trust extract
> keytool -list -alias ovirt -keystore /etc/pki/java/cacerts
>
> 14. Restart services:
> systemctl restart httpd.service
> systemctl restart ovirt-provider-ovn.service
> systemctl restart ovirt-imageio-proxy
> systemctl restart ovirt-websocket-proxy
> systemctl restart ovirt-engine.service
>
> Following the above I get at engine GUI:
>
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
> I have tried also to run engine-setup in case it could fix anything (it renewed the cert due to missing subjectAltName), and the above error still persists.
> I have tried several other suggestions from similar issues reported at this list without any luck.
> I have run out of ideas. Am I missing anything?
> Thanx for any suggestions.
> Alex
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/NADGNIZR53ETECWMNTYN33DQJMOENHS7/
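The pre-flight checks a practitioner would run on a replacement Apache certificate before copying it into /etc/pki/ovirt-engine (steps 4 to 9 of the quoted procedure), as an added example that is not code from the thread or from the oVirt project: it builds a throwaway root CA and a leaf for manager.lab.local in a temp directory (a constructed sample, no passphrase so it runs unattended) and then checks that the leaf chains to the CA that will become apache-ca.pem, that the private key matches the certificate, and that subjectAltName carries the engine FQDN, the property the quoted post says engine-setup renewed the certificate for lacking. The function names `make_sample_pki` and `check_apache_cert` are my own.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for a replacement
# oVirt Apache certificate. Requires only the openssl CLI.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample PKI: self-signed root CA plus a leaf for manager.lab.local,
# generated non-interactively (subjects on the command line, no passphrase).
make_sample_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Lab Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=manager.lab.local" \
    -keyout "$WORK/apache.key" -out "$WORK/apache.csr" 2>/dev/null
  # The SAN has to come from an extension file when signing a CSR with "x509 -req".
  printf 'subjectAltName=DNS:manager.lab.local\n' > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/apache.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/san.cnf" -out "$WORK/apache.cer" 2>/dev/null
}

# check_apache_cert CA LEAF KEY FQDN: returns 0 only if every check passes.
check_apache_cert() {
  ca="$1"; leaf="$2"; key="$3"; fqdn="$4"
  # 1. The leaf must chain to the CA that gets installed as apache-ca.pem;
  #    if this fails here, the engine's PKIX path building will fail too.
  openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
  # 2. The private key must belong to the certificate (compare public-key digests).
  cpub=$(openssl x509 -in "$leaf" -noout -pubkey | openssl sha256)
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cpub" = "$kpub" ] || { echo "key/cert mismatch: FAIL"; return 1; }
  # 3. subjectAltName must cover the engine FQDN (engine-setup renews certs without it).
  openssl x509 -in "$leaf" -noout -text | grep -q "DNS:$fqdn" \
    || { echo "SAN for $fqdn missing: FAIL"; return 1; }
  echo "all checks passed"
}

# Run the checks on the constructed sample; point the function at the real
# root.pem / apache.cer / apache.key from the procedure to check those instead.
make_sample_pki
check_apache_cert "$WORK/root.pem" "$WORK/apache.cer" "$WORK/apache.key" manager.lab.local
```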