Hi Nir,
Sorry for the late reply; here we go:
ovirt-imageio --show-config
{
"backend_file": {
"buffer_size": 8388608
},
"backend_http": {
"buffer_size": 8388608,
"ca_file": "/etc/pki/ovirt-engine/ca.pem"
},
"backend_nbd": {
"buffer_size": 8388608
},
"control": {
"port": 54324,
"prefer_ipv4": true,
"remove_timeout": 60,
"socket": "/run/ovirt-imageio/sock",
"transport": "tcp"
},
"daemon": {
"drop_privileges": true,
"group_name": "ovirtimg",
"max_connections": 8,
"poll_interval": 1.0,
"run_dir": "/run/ovirt-imageio",
"user_name": "ovirtimg"
},
"formatter_long": {
"format": "%(asctime)s %(levelname)-7s (%(threadName)s) [%(name)s] %(message)s"
},
"formatters": {
"keys": "long"
},
"handler_logfile": {
"args": "(\"/var/log/ovirt-imageio/daemon.log\",)",
"formatter": "long",
"class": "logging.handlers.RotatingFileHandler",
"kwargs": "{\"maxBytes\": 20971520, \"backupCount\": 10}",
"level": "DEBUG"
},
"handler_stderr": {
"formatter": "long",
"class": "logging.StreamHandler",
"level": "DEBUG"
},
"handlers": {
"keys": "logfile"
},
"local": {
"enable": false,
"socket": "\u0000/org/ovirt/imageio"
},
"logger_root": {
"handlers": "logfile",
"level": "INFO",
"propagate": 0
},
"loggers": {
"keys": "root"
},
"profile": {
"filename": "/run/ovirt-imageio/profile"
},
"remote": {
"host": "::",
"port": 54323
},
"tls": {
"ca_file": "",
"cert_file": "/etc/pki/ovirt-engine/certs/apache.cer",
"enable": true,
"enable_tls1_1": false,
"key_file": "/etc/pki/ovirt-engine/keys/apache.key.nopass"
}
}
Yes, the CA file on the engine side (/etc/pki/ovirt-engine/ca.pem) does not
match the CA file on the host (/etc/pki/vdsm/certs/cacert.pem), because we made
the changes only on the engine-side ca.pem with the third-party cert.
We followed this doc, "Replacing the oVirt Engine Apache CA Certificate"; it is
working for all the rest of the cluster:
https://www.ovirt.org/documentation/administration_guide/index.html#appe-Red_Hat_Enterprise_Virtualization_and_SSL
Replacing the oVirt Engine Apache CA Certificate
If you are using a self-hosted engine, put the environment into global
maintenance mode.
# hosted-engine --set-maintenance --mode=global
For more information, see Maintaining the Self-hosted engine.
Add your CA certificate to the host-wide trust store:
# cp /tmp/3rd-party-ca-cert.pem /etc/pki/ca-trust/source/anchors
# update-ca-trust
The Engine has been configured to use /etc/pki/ovirt-engine/apache-ca.pem,
which is symbolically linked to /etc/pki/ovirt-engine/ca.pem. Remove the
symbolic link:
# rm /etc/pki/ovirt-engine/apache-ca.pem
Save your CA certificate as /etc/pki/ovirt-engine/apache-ca.pem:
# cp /tmp/3rd-party-ca-cert.pem /etc/pki/ovirt-engine/apache-ca.pem
Back up the existing private key and certificate:
# cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.bck
# cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.bck
Copy the private key to the required location:
# cp /tmp/apache.key /etc/pki/ovirt-engine/keys/apache.key.nopass
Set the private key owner to root and set the permissions to 0640:
# chown root:ovirt /etc/pki/ovirt-engine/keys/apache.key.nopass
# chmod 640 /etc/pki/ovirt-engine/keys/apache.key.nopass
Copy the certificate to the required location:
# cp /tmp/apache.cer /etc/pki/ovirt-engine/certs/apache.cer
Set the certificate owner to root and set the permissions to 0644:
# chown root:ovirt /etc/pki/ovirt-engine/certs/apache.cer
# chmod 644 /etc/pki/ovirt-engine/certs/apache.cer
Restart the Apache server:
# systemctl restart httpd.service
Create a new trust store configuration file,
/etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf, with the following
parameters:
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
Copy the /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf file, and
rename it with an index number that is greater than 10 (for example,
99-setup.conf). Add the following parameters to the new file:
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
Restart the websocket-proxy service:
# systemctl restart ovirt-websocket-proxy.service
If you manually changed the
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf file, or are
using a configuration file from an older installation, make sure that the
Engine is still configured to use /etc/pki/ovirt-engine/apache-ca.pem as the
certificate source.
Enable engine-backup to update the system on restore by creating a new file,
/etc/ovirt-engine-backup/engine-backup-config.d/update-system-wide-pki.sh, with
the following content:
BACKUP_PATHS="${BACKUP_PATHS}
/etc/ovirt-engine-backup"
cp -f /etc/pki/ovirt-engine/apache-ca.pem \
/etc/pki/ca-trust/source/anchors/3rd-party-ca-cert.pem
update-ca-trust
Restart the ovirt-provider-ovn service:
# systemctl restart ovirt-provider-ovn.service
Restart the ovirt-imageio service:
# systemctl restart ovirt-imageio.service
Restart the ovirt-engine service:
# systemctl restart ovirt-engine.service
If you are using a self-hosted engine, turn off global maintenance mode.
# hosted-engine --set-maintenance --mode=none
Your users can now connect to the Administration Portal and VM Portal, without
seeing a warning about the authenticity of the certificate used to encrypt
HTTPS traffic.
_______________________________________________
Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/[email protected]/message/OETMQ4PNL35AMZOFMTEBQZUWEQUTRQHW/
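As an added example (not part of the thread or of oVirt), a small Python check that compares the CA bundles referenced by `ovirt-imageio --show-config` against the CA a host trusts, by SHA-256 certificate fingerprint, so the engine/host CA mismatch described in the message is visible before image transfers fail. The PEM bodies and the trimmed config JSON are constructed placeholders; the paths follow the layout shown in the message.

```python
# Added example: compare the CA bundles ovirt-imageio is configured with against
# the CA a host trusts, by SHA-256 certificate fingerprint. PEM bodies below are
# constructed placeholder bytes, not real certificates.
import base64, hashlib, json, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(pem_text):
    """SHA-256 fingerprints (hex) of every certificate block in a PEM bundle."""
    fps = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps

def ca_settings(show_config_json):
    """Map 'section.ca_file' -> path for every ca_file in --show-config output."""
    cfg = json.loads(show_config_json)
    return {f"{sec}.ca_file": o["ca_file"] for sec, o in cfg.items() if "ca_file" in o}

def check_ca_consistency(show_config_json, engine_files, host_ca_pem):
    """List imageio CA settings whose bundle does not include every host CA cert.
    engine_files maps engine-side path -> PEM text (read from disk in practice)."""
    host_fps = pem_fingerprints(host_ca_pem)
    problems = []
    for setting, path in ca_settings(show_config_json).items():
        if not path:
            problems.append(f"{setting} is empty")
        elif not host_fps <= pem_fingerprints(engine_files.get(path, "")):
            problems.append(f"{setting}={path} does not contain the host CA")
    return problems

def fake_pem(label):
    """Constructed stand-in for a certificate: PEM framing around label bytes."""
    b64 = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed sample mirroring the message: engine ca.pem was replaced with a
# third-party CA while hosts still trust the oVirt CA (vdsm cacert.pem).
SAMPLE_CONFIG = json.dumps({
    "backend_http": {"ca_file": "/etc/pki/ovirt-engine/ca.pem"},
    "tls": {"ca_file": "", "enable": True},
})
ENGINE_FILES = {"/etc/pki/ovirt-engine/ca.pem": fake_pem(b"third-party CA")}
HOST_CA = fake_pem(b"oVirt engine CA")

def demo():
    """Run the check on the constructed sample; a bundle holding both CAs passes."""
    return check_ca_consistency(SAMPLE_CONFIG, ENGINE_FILES, HOST_CA)
```

On a real engine, feed it the actual `--show-config` output and the file contents from the paths it lists, plus the host's cacert.pem.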