Bug 1125933

Summary: Documentation: provide a way to change /ca.crt for non-self-signed certs
Product: [oVirt] ovirt-engine
Reporter: Lukas Zapletal <lzap>
Component: Documentation
Assignee: Brian Proffitt <bproffit>
Status: CLOSED CURRENTRELEASE
QA Contact: bugs <bugs>
Severity: medium
Docs Contact:
Priority: unspecified
Version: ---
CC: adahms, baptiste.agasse, bproffit, bugs, didi, gklein, jswensso, lzap, rbalakri, s.kieske, srevivo, vvasilev, ykaul, ylavi
Target Milestone: ovirt-4.1.1
Flags: ylavi: ovirt-4.1?
       rule-engine: planning_ack?
       rule-engine: devel_ack?
       rule-engine: testing_ack?
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-02-07 07:55:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Docs
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Lukas Zapletal 2014-08-01 11:27:29 UTC
According to RHEV documentation and http://www.ovirt.org/Features/PKI I have changed apache-ca.pem and apache.{p12,key,cer} with my own certificate that was signed by proper CA (it is not self-signed).

Now, I don't know how to configure oVirt (3.4) to return my CA certificate for the /ca.crt URLs. Foreman project (and Satellite 6 product) as well as rbovirt client library does use /ca.crt file for initial CA certificate download. It looks like currently oVirt only returns the server's certificate and there is no way of providing my own CA file (which is a separate file apparently).

Please document how to reconfigure oVirt to do this.

Also http://www.ovirt.org/Features/PKI should be improved with more information how to swap certificates (I had to follow RHEV guide to do this).

If this is not possible, please create a feature request for this as Foreman/Satellite 6 depend on this feature.

Many thanks!

Comment 1 Lukas Zapletal 2014-08-01 11:47:57 UTC
After some chat with mskrivanek it looks like this is hardcoded and can't be changed. Well, this is highly confusing; the URL should be /server.crt and not /ca.crt.

The proper fix would be to serve the file via httpd allowing users to override this more easily. Please consider renaming /ca.crt to /server.crt (by default symlinking it to the same file) and changing the default configuration so Apache2 httpd serves these files instead of Java application.

WORKAROUND:

Put your proper CA file into /var/www/htdocs and remove the proxy for the /ca.crt URL:

  cp your_ca.crt /var/www/html/ca.crt
  # optionally relabel the file, e.g. restorecon /var/www/html/ca.crt
  # -i.bak keeps a backup, -E enables extended regexps (the original "-iE"
  # is read by GNU sed as an in-place backup suffix "E", not as -E);
  # the pattern assumes the proxy regex lists ca.crt as a "ca.crt$|" alternative
  sed -i.bak -E 's/ca\.crt\$\|//' /etc/httpd/conf.d/z-ovirt-engine-proxy.conf

Comment 2 Sandro Bonazzola 2014-10-17 12:14:29 UTC
Moving pending bugs not fixed in 3.5.0 to 3.5.1.

Comment 3 Sandro Bonazzola 2015-01-21 16:08:33 UTC
oVirt 3.5.1 has been released, re-targeting to 3.6.0 as not marked as urgent / high severity or priority

Comment 4 Sandro Bonazzola 2015-09-04 09:02:56 UTC
This is an automated message.
This Bugzilla report has been opened on a version which is not maintained anymore.
Please check if this bug is still relevant in oVirt 3.5.4.
If it's not relevant anymore, please close it (you may use EOL or CURRENT RELEASE resolution).
If it's an RFE please update the version to 4.0 if still relevant.

Comment 5 Lukas Zapletal 2015-09-11 13:18:29 UTC
Oh yes, totally relevant.

Comment 6 Yaniv Kaul 2015-09-20 13:16:19 UTC
If you've used your own CA, why do you need oVirt to provide you the CA certificate?

Comment 7 Yedidyah Bar David 2015-09-20 13:31:05 UTC
(In reply to Yaniv Kaul from comment #6)
> If you've used your own CA, why do you need oVirt to provide you the CA
> certificate?

Because some tools expect to get it so that they can "verify" the connection. See e.g. bug 1059952.

Comment 8 Red Hat Bugzilla Rules Engine 2015-10-19 10:58:25 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 9 Sandro Bonazzola 2016-05-02 10:09:00 UTC
Moving from 4.0 alpha to 4.0 beta since 4.0 alpha has already been released and the bug is not ON_QA.

Comment 11 Sandro Bonazzola 2017-02-01 16:02:57 UTC
oVirt 4.1.0 GA has been released, re-targeting to 4.1.1.
Please check if this issue is correctly targeted or already included in 4.1.0.

Comment 12 Yaniv Lavi 2017-02-07 07:55:52 UTC
Please refer to the upstream 4.x docs, that should include a section on this.

Comment 13 Red Hat Bugzilla 2023-09-14 02:45:02 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days.