On Fri, Aug 2, 2019 at 4:37 PM Dominik Holler <[email protected]> wrote:
> On Thu, 1 Aug 2019 20:45:56 -0500
> Chris Adams <[email protected]> wrote:
>
> > I figured it out. When ovirt-provider-ovn attempts to connect back to
> > the engine via HTTPS, it tells the python requests module to use the
> > specified CA cert file... but that won't work with most 3rd-party certs
> > because they have an intermediate cert as well. It appears that the
> > requests module tries to validate both certs.
> >
> > Creating /etc/ovirt-provider-ovn/conf.d/99-custom-cert.conf that just
> > has:
> >
> > [OVIRT]
> > ovirt-ca-file=
> >
> > tells the module to use the regular system CA cert file(s), which works.
> >
> Thanks for your investigation!
> Looks like the empty string is converted implicitly to Boolean in
>
> https://github.com/psf/requests/blob/75bdc998e2d430a35d869b2abf1779bd0d34890e/requests/adapters.py#L215
> Because bool('') is False in python, the certificate should be checked
> at all.
>
> Because bool('') is False in python, the certificate should be *not* checked at all.
> Would
> ovirt-ca-file=/etc/pki/tls/certs/ca-bundle.crt
> work for you?
> (It works for https://helloworld.letsencrypt.org)
>
> > This should probably be added to the oVirt doc for using a 3rd-party
> > cert.
> >
> > Once upon a time, Chris Adams <[email protected]> said:
> > > Circling back to an old email...
> > >
> > > Once upon a time, Yedidyah Bar David <[email protected]> said:
> > > > On Wed, Jan 30, 2019 at 10:28 PM Chris Adams <[email protected]> wrote:
> > > > > However, while digging, I also noticed that now the engine is not
> > > > > communicating with ovirt-provider-ovn, possibly due to a similar issue?
> > > > > It is having the reverse problem; it rejects the engine's cert.
> > > >
> > > > Didn't try this yet, adding Dominik.
> > >
> > > Was anybody able to look at this? I had to use my dev hardware for
> > > something else for a bit, so re-installed with 4.3.5 yesterday. The
> > > imageio SSL cert issue looks good, but I still can't figure out the
> > > ovirt-provider-ovn CA usage.
> > >
> > > My little bit of digging seems to show that the engine connects to the
> > > provider and is using an SSL client cert, and that cert is signed by
> > > something... but I'm not sure what. I think the provider side is trying
> > > to validate with the following setting from
> > > /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> > >
> > > [OVIRT]
> > > ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem
> > >
> > > Following the general "3rd-party SSL", that is now the Let's Encrypt CA.
> > > I tried changing it to point to the original self-signed oVirt CA (same
> > > directory, just "ca.pem"), but that didn't work either.
> > >
> > > Any suggestions?
> >
>
_______________________________________________
Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/5HZ42UMK6RQFSETO5ED4ZUKSPFFO5TD4/
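The mechanism Dominik points at (an empty `ovirt-ca-file=` becomes a falsy `verify` argument in python-requests, so the connection is not verified at all) and a safer way to map that setting, as an added Python example that is not from the thread or from ovirt-provider-ovn. `mimic_requests_cert_verify` restates the truthiness check from requests/adapters.py rather than calling the library, and the config texts and PEM bundle are constructed.

```python
"""Added example: why `ovirt-ca-file=` (empty) disables TLS verification
in requests, and a mapping that never passes a falsy `verify` value.
Stdlib only; nothing here is ovirt-provider-ovn or requests code."""
import configparser
import ssl

# Constructed config texts modelled on the snippets quoted in the thread.
EMPTY_CA_CONF = "[OVIRT]\novirt-ca-file=\n"
PATH_CA_CONF = "[OVIRT]\novirt-ca-file=/etc/pki/tls/certs/ca-bundle.crt\n"

# Constructed PEM bundle with two certificate blocks (placeholder bodies).
TWO_CERT_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nLEAF-SIGNER-PLACEHOLDER\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nROOT-PLACEHOLDER\n-----END CERTIFICATE-----\n"
)


def read_ca_file(conf_text):
    """Return the raw ovirt-ca-file value; '' when the key has no value."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    return parser.get("OVIRT", "ovirt-ca-file")


def mimic_requests_cert_verify(url, verify):
    """Constructed mirror of the decision in requests' HTTPAdapter.cert_verify:
    only `https` plus a truthy `verify` leads to CERT_REQUIRED; an empty
    string falls through to CERT_NONE, i.e. no certificate check at all."""
    if url.lower().startswith("https") and verify:
        return "CERT_REQUIRED"
    return "CERT_NONE"


def verify_setting(ca_file):
    """Hardened mapping for the config value: empty -> True (system trust
    store, as the thread's workaround intends), otherwise the given path.
    Never returns a falsy value, so verification cannot be switched off."""
    ca_file = (ca_file or "").strip()
    return ca_file if ca_file else True


def ssl_context_for(verify):
    """Build the ssl.SSLContext the resolved setting implies (system CAs for
    True, the named bundle otherwise); verify_mode stays CERT_REQUIRED."""
    ctx = ssl.create_default_context()
    if verify is not True:
        ctx.load_verify_locations(cafile=verify)
    return ctx


def count_pem_certs(bundle_text):
    """Count certificate blocks; a 3rd-party CA file missing its
    intermediate or root will show fewer entries than expected."""
    return bundle_text.count("-----BEGIN CERTIFICATE-----")
```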

