Description of problem: [root@pb-rh34 11111111-1111-1111-1111-111111111111]# engine-iso-uploader -i ISO_DOMAIN upload /tmp/foo.iso Uploading, please wait... INFO: Start uploading /tmp/foo.iso INFO: /tmp/foo.iso uploaded successfully [root@pb-rh34 11111111-1111-1111-1111-111111111111]# rm -f *.iso [root@pb-rh34 11111111-1111-1111-1111-111111111111]# engine-iso-uploader -i ISO_DOMAIN upload --insecure /tmp/foo.iso ERROR: Unable to connect to REST API. Message: The host name "pb-rh34.rhev.lab.eng.brq.redhat.com" contained in the URL doesn't match any of the names in the server certificate. ERROR: 'NoneType' object is not iterable INFO: Use the -h option to see usage. Version-Release number of selected component (if applicable): How reproducible: av9.2 Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Juan, any change in SDK that may have caused this?
Yes, the Python SDK has changed so that it validates the host name in the server certificate: http://gerrit.ovirt.org/26271 This is disabled when the "insecure=True" parameter is passed to the API constructor, so you need something like this in the ISO uploader: diff --git a/src/__main__.py b/src/__main__.py index 1c4c93a..f17d609 100644 --- a/src/__main__.py +++ b/src/__main__.py @@ -497,7 +497,7 @@ class ISOUploader(object): username=self.configuration.get("user"), password=self.configuration.get("passwd"), ca_file=self.configuration.get("cert_file"), - validate_cert_chain=not self.configuration.get("insecure"), + insecure=self.configuration.get("insecure"), ) That, or make sure that you connect to a host name that corresponds to the server certificate. I guess that the ISO uploader is using "localhost" in the URL.
Simone, please check also if image uploader is affected too and clone the BZ in that case. Juan, can you tell us the SDK version that introduced the change in order to be sure to have proper requires in the spec file?
This was the side effect of a double bug: the secure mode was bugged in the SDK cause it didn't check the real host name against the host name in the cert and so it was always in quasi-insecure mode. On the other side there was a bug in engine-iso-uploader engaging the insecure mode but we didn't notice it before just because it was always in insecure mode. So it's not the effect of a change in SDK and I think we don't need to update the spec file to require a newer SDK version. engine-image-uploader presents the same bug.
[root@pb-rh35 11111111-1111-1111-1111-111111111111]# engine-iso-uploader -i ISO_DOMAIN upload -r localhost /root/test.iso Please provide the REST API password for the admin@internal oVirt Engine user (CTRL+D to abort): ERROR: Unable to connect to REST API. Message: The host name "localhost" contained in the URL doesn't match any of the names in the server certificate. ERROR: 'NoneType' object is not iterable INFO: Use the -h option to see usage. [root@pb-rh35 11111111-1111-1111-1111-111111111111]# engine-iso-uploader -i ISO_DOMAIN upload -r localhost --insecure /root/test.iso Please provide the REST API password for the admin@internal oVirt Engine user (CTRL+D to abort): Uploading, please wait... INFO: Start uploading /root/test.iso INFO: /root/test.iso uploaded successfully [root@pb-rh35 11111111-1111-1111-1111-111111111111]# rpm -qa ovirt-iso-uploader ovirt-iso-uploader-3.5.0-0.0.master.20140605.gite89dcdf.el6.noarch Will report the "'NoneType' object is not iterable" as a separate bug. I consider this bug as verified, since the option --insecure now works for bypassing engine cert verification.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0191.html