Bug 1059952
| Summary: | hosted-engine --deploy (additional host) will fail if the engine is not using the default self-signed CA | ||
|---|---|---|---|
| Product: | [oVirt] ovirt-hosted-engine-setup | Reporter: | Andrew Lau <andrew> |
| Component: | Plugins.PKI | Assignee: | Simone Tiraboschi <stirabos> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Artyom <alukiano> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 1.2.0 | CC: | alonbl, alukiano, andrew, bugs, didi, fdeutsch, lveyde, mdavis, rbalakri, rmartins, sbonazzo, stirabos, vvasilev, yeylon, ylavi |
| Target Milestone: | ovirt-3.6.1 | Keywords: | Triaged, ZStream |
| Target Release: | 1.3.1 | Flags: | rule-engine:
ovirt-3.6.z+
ylavi: planning_ack+ sbonazzo: devel_ack+ istein: testing_ack+ |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | integration | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
hosted-engine setup was always using the engine CA cert to trust the signature of the REST API (apache) cert while some user replaced that with an externally signed one. In that case the validation, and so the deployment of additional hosts, will fail.
Let the user specify the local path of an external CA file or let him proceed in insecure mode if the validation with the internal CA cert was failing.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-12-16 12:24:06 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1199512, 1254838, 1284979 | ||
|
Description
Andrew Lau
2014-01-31 03:58:15 UTC
I thought the certificate authority fingerprint is prompted of the ssl handshake chain is prompted to user and acked before proceeding, so it should not matter what chain is received as long as user confirm it. I had the same problem and as a workaround I removed "ca.crt" from z-ovirt-engine-proxy.conf (LocationMatch) and placed my custom CA to the default DocumentRoot (/var/www/html/ca.crt) It's vervy easy to solve this problem, just run command: vdsm-tool configure --module certificates --force Used this you can rebuild VDSM self-sign cert, and make check: openssl verify -CAfile /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/vdsm/certs/vdsmcert.pem: OK Then restart the vdsmd service. service vdsmd restart. aiminick, can you explain what this command is doing? Will it replace the default self-signed cert with correct one? And if yes from where it knows to take the cert and CA? (In reply to Andrew Lau from comment #0) > Description of problem: > Per list discussion: Hosted Engine adding host SSL Failure (w/ engine custom > cert) You probably refer to: http://lists.ovirt.org/pipermail/users/2014-January/thread.html#20538 (In reply to Yedidyah Bar David from comment #5) > (In reply to Andrew Lau from comment #0) > > Description of problem: > > Per list discussion: Hosted Engine adding host SSL Failure (w/ engine custom > > cert) > > You probably refer to: > > http://lists.ovirt.org/pipermail/users/2014-January/thread.html#20538 Since the thread does not provide details, assuming a procedure similar to [1] was used. That is, internal CA is untouched, engine<->vdsm traffic still uses it, only httpd on engine machine uses the replaced cert (signed by a third party CA). [1] http://www.ovirt.org/OVirt_Administration_Guide#.E2.81.A0Replacing_oVirt_SSL_Certificate (In reply to Vladimir Vasilev from comment #4) > aiminick, can you explain what this command is doing? > Will it replace the default self-signed cert with correct one? > And if yes from where it knows to take the cert and CA? That's a self-signed for vdsm, do not need for engine, in vdsm program script, it knew you host name, so it can create a CA cert used your host name and self-signed for vdsm a cert then reconfigure it (libvirtd). I've the same problem before, after this operate, problem solved (In reply to Vladimir Vasilev from comment #4) > aiminick, can you explain what this command is doing? > Will it replace the default self-signed cert with correct one? > And if yes from where it knows to take the cert and CA? befor you do vdsm-tool configure --module certificates --force you should delete /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/certs/vdsmcert.pem 2 files above first. This is an automated message. This Bugzilla report has been opened on a version which is not maintained anymore. Please check if this bug is still relevant in oVirt 3.5.4. If it's not relevant anymore, please close it (you may use EOL or CURRENT RELEASE resolution) If it's an RFE please update the version to 4.0 if still relevant. hosted-engine --deploy needs to talk with the engine via the REST API witch are exposed using apache as a front-end. To improve the security level in the communication with the REST API hosted-engine tries to validate the signature of the Apache cert with the only CA it knows, the internal oVirt CA, but it obviously fails cause the new Apache cert it's not signed by that CA. Three different options there: 1. allow (or document how) to use two distinct https certificates for the webadmin interface (signed by your organization CA) and for the REST API (still signed by oVirt internal CA) 2. let you load your CA cert into the engine and made it available on request from the PKI servlet 3. let the user replace (and carefully document how) the oVirt internal CA (and all the related certs) with an intermediate CA issued by your organization CA 4. Change 'hosted-engine --deploy', if validation fails, to not abort, but prompt the user with relevant info and allow "I know what I am doing", like common web browsers do. 5. Change 'hosted-engine --deploy' to also verify against other CA certs, either in a custom place or system-wide. Simone - makes sense? Still relevant, dropping needinfo on reporter. 4. Absolutely makes sense. 5. Could be a bit different: on hosted-engine setup we are just using the CA cert to trust the https connection to the engine REST API via python SDK so checking more than one CA doesn't really make sense, we have just to check the correct one. Maybe it would be enough to let the user manually save his organization CA cert on a specific place before starting the deploy process and having ovirt-hosted-engine-setup not downloading the internal CA cert if another cert is already in place. So, on my opinion, the best solution is 5 but we have to properly couple it also with oVirt node where the file-system is normally read only and so on. Then, to make it more user friendly, on errors we have to: - absolutely avoid interrupting the setup, - explain what happened, - let the user recover: * manually saving his organization CA file on a specified path, * just proceeding in insecure mode as browsers allow you to do, We can continue the work there https://gerrit.ovirt.org/#/c/45270/ and then backport it to 3.6 too Target release should be placed once a package build is known to fix a issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for a oVirt release. Target release should be placed once a package build is known to fix a issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for a oVirt release. Verified on ovirt-hosted-engine-setup-1.3.1-1.el7ev.noarch 1) Start deploy on first host, after engine installation Replacing rhevm SSL certificate according to http://www.ovirt.org/OVirt_Administration_Guide#.E2.81.A0Replacing_oVirt_SSL_Certificate (you can install engine vm on other vm with the same hostname to get all necessary items, apache-ca.pem, apache.key.nopass, apache.cer) 2) Place new CA certificate to /etc/pki/CA/ovirtcustomcacert.pem on first host and continue deployment 3) Answer NO on question: "The REST API cert couldn't be trusted with the internal CA cert Would you like to continue in insecure mode (not recommended)? If not, please provide your CA cert at /etc/pki/CA/ovirtcustomcacert.pem before continuing (Yes, No)[No]?" 4) Finish deployment 5) Deploy second host and on the same question answer Yes 6) Finish deployment of second host Deployment on both host succeed without any problem According to verification status and target milestone this issue should be fixed in oVirt 3.6.1. Closing current release. |