Bug 1286429

Summary: If first host deployed in insecure mode, second host deployment failed
Product: [oVirt] ovirt-hosted-engine-setup Reporter: Artyom <alukiano>
Component: Plugins.PKIAssignee: Artyom <alukiano>
Status: CLOSED CURRENTRELEASE QA Contact: Artyom <alukiano>
Severity: high Docs Contact:
Priority: unspecified    
Version: 1.3.1.1CC: bmcclain, bugs, dfediuck, didi, lveyde, mavital, rmartins, sbonazzo, stirabos
Target Milestone: ovirt-3.6.1Keywords: Triaged
Target Release: 1.3.1.1Flags: rule-engine: ovirt-3.6.z+
bmcclain: planning_ack+
sbonazzo: devel_ack+
mavital: testing_ack+
Hardware: x86_64   
OS: Linux   
Whiteboard: integration
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-16 12:17:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1284979    
Attachments:
Description Flags
ovirt-hosted-engine-setup log none

Description Artyom 2015-11-29 11:48:07 UTC 
Created attachment 1100174 [details]
ovirt-hosted-engine-setup log

Description of problem:
If first host deployed in insecure mode, second host deployment failed with error
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/otopi/context.py", line 146, in _executeMethod
    method['method']()
  File "/usr/share/ovirt-hosted-engine-setup/scripts/../plugins/ovirt-hosted-engine-setup/engine/add_host.py", line 568, in _closeup
    self._getSSH()
  File "/usr/share/ovirt-hosted-engine-setup/scripts/../plugins/ovirt-hosted-engine-setup/engine/add_host.py", line 387, in _getSSH
    ohostedcons.EngineEnv.TEMPORARY_CERT_FILE
  File "/usr/lib/python2.7/site-packages/ovirt_hosted_engine_setup/pkissh.py", line 159, in getSSHkey
    ca_certs=ca_certs,
  File "/usr/lib/python2.7/site-packages/ovirt_hosted_engine_setup/ohttpshandler.py", line 69, in fetchUrl
    context.load_verify_locations(cafile=ca_certs)
SSLError: unknown error (_ssl.c:2988)

Version-Release number of selected component (if applicable):
ovirt-hosted-engine-setup-1.3.1-1.el7ev.noarch

How reproducible:
Always

Steps to Reproduce:
1. Start deploy first host, after engine-setup complete, change engine CA certificate according to http://www.ovirt.org/OVirt_Administration_Guide#.E2.81.A0Replacing_oVirt_SSL_Certificate
2. On answer "The REST API cert couldn't be trusted with the custom CA cert
Would you like to continue in insecure mode (not recommended)?
If not, please provide your CA cert at /etc/pki/CA/ovirtcustomcacert.pem before continuing (Yes, No)[No]" answer Yes
3. Finish deployment of first host
4. Deploy second host

Actual results:
Deployment failed with error above

Expected results:
Deployment succeed without any errors

Additional info:
Comment 1 Artyom 2015-12-06 09:57:28 UTC 
Verified on ovirt-hosted-engine-setup-1.3.1.1-1.el7ev.noarch
Comment 2 Sandro Bonazzola 2015-12-16 12:17:39 UTC 
According to verification status and target milestone this issue should be fixed in oVirt 3.6.1. Closing current release.