On Mon, Feb 4, 2019 at 1:21 PM Yedidyah Bar David <[email protected]> wrote:
>
> On Wed, Jan 30, 2019 at 10:28 PM Chris Adams <[email protected]> wrote:
> >
> > Digging a little deeper... if I add the Let's Encrypt CA to
> > /etc/pki/ovirt-engine/.truststore, imageio-proxy works (I can
> > successfully upload an ISO), so I guess the issue is that imageio-proxy
> > uses the same cert for web and engine communication and the engine
> > wasn't happy with the public-CA-signed cert.
>
> I think I agree with your analysis.
>
> I now reproduced this on a test env.
>
> I started with ovirt-system-tests basic suite deploy, made sure I
> can upload an image.
>
> Then I followed the docs about replacing certs, using a temporarily-created
> CA for testing (using openssl, actually using a copy of the
> engine's pki scripts), including adding 99-custom-truststore.conf,
> imported the CA's cert to the browser, and:
>
> 1. Connecting with the browser worked, all is green.
>
> 2. Logged in, pressed "Disks -> Upload -> Start -> Test Connection",
> and it failed.
>
> 3. Edited the ovirt-imageio-proxy conf to point key and cert to a
> key and cert I created and signed using my temp CA, restarted it,
> "Test Connection" worked.
>
> 4. Actually uploading the image failed as you describe.
>
> 5. Imported my CA's cert to /etc/pki/ovirt-engine/.truststore,
> using:
>
> keytool -importcert -trustcacerts -keystore \
>     /etc/pki/ovirt-engine/.truststore -storepass mypass -file \
>     /etc/pki/ovirt-engine/apache-ca.pem
>
> and restarted the engine, and then upload works.
>
> Adding Martin and Nir.
>
> >
> > So, rather than point part of the engine at a separate trust store (as
> > the docs recommend), maybe just add the public CA to the engine's
> > existing trust store?
>
> I admit I still didn't try to fully analyze this myself, but I tend
> to agree with you. Or rather: our docs should probably support both
> options - tell the engine to trust (and use?) the system-wide store,
> or manually add a specific cert. Because I guess you can find people
> that will prefer either option.

Decided that only the first makes sense, opened this bug, should be fixed
in 4.3.2:

https://bugzilla.redhat.com/1687301

This is obviously just one step. The next will be:

https://bugzilla.redhat.com/show_bug.cgi?id=1637809

Then, hopefully, following the existing doc to use a 3rd-party CA will
"just work" also for imageio.

BTW, of course you can also create another custom truststore only for
https access to the engine, and point ENGINE_HTTPS_PKI_TRUST_STORE at
it - but I wouldn't add this to the docs before we have automated
testing that makes sure this does not break in the future.

Best regards,

> >
> > However, while digging, I also noticed that now the engine is not
> > communicating with ovirt-provider-ovn, possibly due to a similar issue?
> > It is having the reverse problem; it rejects the engine's cert.
>
> Didn't try this yet, adding Dominik.
>
> >
> > This is all on 4.2.8 BTW.
>
> I personally tried this on:
>
> ovirt-engine-4.3.0-0.8.master.20190122121624.git9a8a519.el7.noarch
>
> I guess the behavior didn't change much between them.
>
> Thanks for your debugging and report!
>
> Best regards,
> --
> Didi
--
Didi
_______________________________________________
Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/JB2DV6MH6G3UUKSRSUYL4ASO4HJHKCDD/
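The root cause discussed in this thread is a trust-store mismatch: the engine's Java truststore (/etc/pki/ovirt-engine/.truststore) does not contain the CA that signed the certificate ovirt-imageio-proxy presents, so the engine's TLS client rejects the proxy even though browsers, which trust the public CA, are happy. The step-5 keytool command above fixes that by hand, but it is not idempotent and it does not tell you whether the import actually made the proxy's certificate chain verify. The script below is an added example, not code from the thread or from the oVirt project. It checks whether a given CA certificate is already present in a Java truststore (by SHA-256 fingerprint, so the alias name does not matter), imports it only when missing, and then fetches the certificate a TLS endpoint presents and verifies it against that CA with openssl. It assumes keytool (from a JDK) and openssl are on PATH; the truststore path, store password and CA file name are the thread's own examples, and the host:port in the usage comment is an assumed placeholder, not a documented default.

```shell
#!/bin/sh
# Added example (not from the thread or the oVirt project): make sure a CA
# certificate is trusted by a Java truststore such as
# /etc/pki/ovirt-engine/.truststore, and verify that a TLS endpoint's
# certificate actually chains to that CA. Requires keytool and openssl.
# Paths and passwords are the thread's examples or placeholders, not defaults.

set -eu

# SHA-256 fingerprint of a PEM certificate, normalized to uppercase hex
# without colons so it can be compared against keytool's output.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//; s/://g' | tr 'a-f' 'A-F'
}

# Print "yes" if a certificate with the same SHA-256 fingerprint is already
# in the truststore, "no" otherwise (including when the store does not exist).
# keytool -list -v prints a "SHA256: AA:BB:..." line for every entry.
ca_in_truststore() {
    store="$1"; storepass="$2"; capem="$3"
    want=$(cert_fingerprint "$capem")
    if [ -z "$want" ]; then echo no; return 0; fi
    if keytool -list -v -keystore "$store" -storepass "$storepass" 2>/dev/null \
        | grep 'SHA256:' | sed 's/^.*SHA256: *//; s/://g' | tr 'a-f' 'A-F' \
        | grep -qx "$want"; then
        echo yes
    else
        echo no
    fi
}

# Import the CA only when it is not already present, so the step is safe to
# re-run from configuration management. -noprompt skips the interactive
# "Trust this certificate?" question.
ensure_ca_trusted() {
    store="$1"; storepass="$2"; capem="$3"; alias="$4"
    if [ "$(ca_in_truststore "$store" "$storepass" "$capem")" = yes ]; then
        return 0
    fi
    keytool -importcert -noprompt -trustcacerts -alias "$alias" \
        -keystore "$store" -storepass "$storepass" -file "$capem"
}

# Fetch the leaf certificate a TLS endpoint presents and verify it against
# the CA file. Prints "ok" or "fail". This approximates the chain check the
# engine's Java TLS client performs when it connects to the proxy.
verify_endpoint_against_ca() {
    hostport="$1"; capem="$2"
    leaf=$(mktemp)
    openssl s_client -connect "$hostport" -servername "${hostport%%:*}" \
        </dev/null 2>/dev/null | openssl x509 -outform PEM >"$leaf" 2>/dev/null || true
    if openssl verify -CAfile "$capem" "$leaf" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
    rm -f "$leaf"
}

# Usage (engine host and proxy port are assumed placeholders):
# ensure_ca_trusted /etc/pki/ovirt-engine/.truststore mypass \
#     /etc/pki/ovirt-engine/apache-ca.pem apache-ca
# verify_endpoint_against_ca engine.example.com:54323 /etc/pki/ovirt-engine/apache-ca.pem
```

Run ensure_ca_trusted, restart the engine as the thread describes, then run verify_endpoint_against_ca against the proxy; "ok" means the certificate the proxy serves chains to the CA you just trusted. If the proxy's certificate is issued by an intermediate, pass a CA file that contains the full chain (root plus intermediates), since openssl verify with -CAfile alone will not fetch intermediates.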

