Bug 1254838
| Summary: | [hosted-engine] adding second host fails with: "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Ulhas Surse <usurse> |
| Component: | ovirt-hosted-engine-setup | Assignee: | Simone Tiraboschi <stirabos> |
| Status: | CLOSED ERRATA | QA Contact: | Artyom <alukiano> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 3.5.3 | CC: | amureini, didi, istein, jhunsaker, lsurette, mavital, mkalinin, sbonazzo, usurse, ykaul, ylavi |
| Target Milestone: | ovirt-3.6.1 | Keywords: | Triaged |
| Target Release: | 3.6.1 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | Previously, hosted-engine setup always used the Manager CA certificate to trust the signature of the REST API (apache) certificate, but some users replaced that with an externally signed one. In that case the validation, and so the deployment of additional hosts, failed. With this release, hosted-engine setup lets the user specify the local path of an external CA file, or proceed in insecure mode, if validation with the internal CA certificate fails. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-03-09 19:14:41 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | Integration | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1059952 | | |
| Bug Blocks: | 1284979 | | |

Description
Ulhas Surse
2015-08-19 01:56:07 UTC
*** Bug 1199512 has been marked as a duplicate of this bug. ***

Verified on ovirt-hosted-engine-setup-1.3.1-1.el7ev.noarch

1) Start deploy on first host; after engine installation, replace the rhevm SSL certificate according to http://www.ovirt.org/OVirt_Administration_Guide#.E2.81.A0Replacing_oVirt_SSL_Certificate (you can install engine vm on other vm with the same hostname to get all necessary items: apache-ca.pem, apache.key.nopass, apache.cer)
2) Place new CA certificate to /etc/pki/CA/ovirtcustomcacert.pem on first host and continue deployment
3) Answer NO on question: "The REST API cert couldn't be trusted with the internal CA cert Would you like to continue in insecure mode (not recommended)? If not, please provide your CA cert at /etc/pki/CA/ovirtcustomcacert.pem before continuing (Yes, No)[No]?"
4) Finish deployment
5) Deploy second host and on the same question answer Yes
6) Finish deployment of second host

Deployment on both hosts succeeded without any problem.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0375.html
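
The fallback order the Doc Text describes (internal CA first, then the CA file the prompt names, ovirtcustomcacert.pem, otherwise the insecure-mode question), shown as an added example that is not code from ovirt-hosted-engine-setup. It builds two throwaway CAs with openssl; the function names, CA names and host name are assumptions, and the custom CA file is placed in a temp directory instead of /etc/pki/CA.

```shell
#!/bin/sh
# Added example with constructed data: CA names, host name and temp files are
# made up. Assumes the openssl CLI (1.1 or newer) with its default openssl.cnf.

# make_ca DIR NAME: create a self-signed CA (NAME.key, NAME.pem) in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR CA NAME: issue DIR/NAME.cer signed by a CA made with make_ca.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 2 -out "$1/$3.cer" 2>/dev/null
}

# pick_trust CERT INTERNAL_CA CUSTOM_CA: print which CA validates CERT.
# "untrusted" is the case in which the setup asks the insecure-mode question.
pick_trust() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo internal
    elif [ -r "$3" ] && openssl verify -CAfile "$3" "$1" >/dev/null 2>&1; then
        echo custom
    else
        echo untrusted
    fi
}

# Demo: the REST API certificate has been replaced by an externally signed one.
d=$(mktemp -d)
make_ca "$d" engine-ca && make_ca "$d" external-ca &&
    issue_cert "$d" external-ca engine.example.test
cert="$d/engine.example.test.cer"
custom="$d/ovirtcustomcacert.pem"   # stands in for /etc/pki/CA/ovirtcustomcacert.pem
echo "before the custom CA is placed: $(pick_trust "$cert" "$d/engine-ca.pem" "$custom")"
cp "$d/external-ca.pem" "$custom"
echo "after the custom CA is placed:  $(pick_trust "$cert" "$d/engine-ca.pem" "$custom")"
rm -rf "$d"
```

Running the same `openssl verify -CAfile` check by hand against the real apache certificate and the file placed at /etc/pki/CA/ovirtcustomcacert.pem shows in advance whether answering No to the prompt will succeed.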