Bug 1119420

Summary: Ovirt compute resource doesn't work with wildcard certs
Product: Red Hat Satellite 6 Reporter: Rich Jerrido <rjerrido>
Component: ProvisioningAssignee: Lukas Zapletal <lzap>
Status: CLOSED NOTABUG QA Contact: Katello QA List <katello-qa-list>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.0.3CC: batkisso, bkearney, jmontleo, ohadlevy, omaciel, rjerrido, vvasilev
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
URL: http://projects.theforeman.org/issues/7516
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-26 12:37:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Rich Jerrido 2014-07-14 18:13:20 UTC
Description of problem:

When configuring Satellite 6 beta with a ovirt/rhevm compute resource that is using a wildcard cert for HTTPS, the user is presented with the following error:

"'ERF56-1309 [Foreman::FingerprintException]: The remote system presented a  public key signed by an unidentified certificate authority. If you are  sure the remote system is authentic, go to the compute resource edit  page, press the 'Test Connection' or 'Load Datacenters' button and  submit'"

The message is repeated each time the user clicks 'submit' and is thus unable to create the compute resource 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure RHEV-M to use a 3rd party cert, such as per (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.3/html-single/Administration_Guide/index.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https)
2. attempt to Configure Sat6 to use an ovirt resource

Actual results:
User is unable to successfully configure an ovirt compute resource

Expected results:
User is able to successfully configure an ovirt compute resource

Additional info:

Comment 1 RHEL Product and Program Management 2014-07-14 18:24:10 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 3 Rich Jerrido 2014-07-15 12:47:26 UTC
As a temporary workaround, the following works to disable SSL verification:

from Lukas Zapletal <lzap@redhat.com>:

"locate rvovirt.rb file and change the VERIFY_PEER to VERIFY_NONE

[root@hp-sl2x170zg6-01 ~]# locate rbovirt.rb

[root@hp-sl2x170zg6-01 ~]# grep VERIFY_PEER /opt/rh/ruby193/root/usr/share/gems/gems/rbovirt-0.0.28/lib/rbovirt.rb
  verify_options = {:verify_ssl  => OpenSSL::SSL::VERIFY_PEER}

Then restart Satellite 6:

service httpd restart"

Comment 4 Lukas Zapletal 2014-07-22 12:57:19 UTC

can you share with me how you deployed the certificate? Is this documented in RHEV materials? I would like to reproduce.

Comment 5 Rich Jerrido 2014-07-22 15:25:22 UTC
We followed the instructions documented in the RHEV 3.2/3.3 documentation (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.3/html-single/Administration_Guide/index.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https) to replace the default self-signed certificate with the wildcard certificate.

Comment 7 Brian J. Atkisson 2014-09-12 02:18:44 UTC
I'm getting this same error with Satellite 6.0.4 using RHEV 3.4 with a custom certificate, which was issued by IPA/IdM.  This is not a wildcard cert, but it's not the RHEV-generated cert either.  The Compute Resource never actually gets to the point of trying the username/password.

Comment 8 Dominic Cleal 2014-09-18 07:48:04 UTC
Created redmine issue http://projects.theforeman.org/issues/7516 from this bug

Comment 9 Lukas Zapletal 2014-09-26 12:37:30 UTC
Ok I am closing this issue because I am unable to reproduce. I was able to setup my oVirt/RHEV with wildcard certs easily.

There is other issue/bug which is very relevant to this problem:


Until it was not resolved, I was not able to setup *any* other CA than the self-signed cert from RHEV. Therefore I believe the bug solved your error.

In any case, feel free to reopen if you still think this is an issue. The 1143941 is scheduled for 6.1 release.