| Summary: | [RFE] tool to configure all services with a customer signed certificate | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Paul Armstrong <parmstro> |
| Component: | RFEs | Assignee: | Scott Herold <sherold> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Gil Klein <gklein> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | unspecified | CC: | gklein, lsurette, parmstro, rbalakri, yeylon, ykaul |
| Target Milestone: | --- | Keywords: | FutureFeature |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Enhancement |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-03-29 21:21:02 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

Description of problem:

SSL certificate change procedures and tool interdependency on the SSL certificates causes extremely difficult to resolve errors when configuring RHEVM for a variety of capabilities including, SSL auth, IPA integration, SSO, etc.

We need a **Fool Proof** way of configuring and reconfiguring the entire environment so that these problems are eliminated. RHEVM should integrate with RHEL IdM seamlessly if it is to be considered an enterprise class product. (Hopefully we can rely on IdM for full AD integration??)

Version-Release number of selected component (if applicable):

3.6

How reproducible:

Always

Steps to Reproduce:

1. Deploy Hosted Engine on 3.5
2. Configure RHEVM for a Custom SSL certificate generated by IPA
3. Configure RHEVM for SSO with IPA and aaa
4. Try to upgrade to hosted engine 3.6

Actual results:

upgrades fail

rhevm can't connect to upgraded hosts

if rhevm gets rebooted, it can't restart

unwind upgrades to hosts (rhevm vm stays at 3.6)

reboot all hosted engine servers

restart engine

run alternative upgrade using rhevm webui

vdsm upgraded, ovirt-ha-agent not upgraded

yum update - upgrades ovirt-ha-agents

host can now successfully connect to engine, however, no ha

ovirt-ha-broker starts successfully

ovirt-ha-agent fails to start

INFO:ovirt_hosted_engine_ha.agent.hosted_engine.HostedEngine:Failed set the storage domain: 'Failed to set storage domain VdsmBackend

try to redeploy the host: hosted-engine --deploy

fails on certificate error

[ INFO ] Updating hosted-engine configuration

[ INFO ] Stage: Transaction commit

[ INFO ] Stage: Closing up

[ INFO ] Acquiring internal CA cert from the engine

[ INFO ] The following CA certificate is going to be used, please immediately interrupt if not correct:

[ INFO ] Issuer: C=US, O=parmstro.redhat.com, CN=rhevm.parmstro.redhat.com.60258, Subject: C=US, O=parmstro.redhat.com, CN=rhevm.parmstro.redhat.com.60258, Fingerprint (SHA-1): DCC6DAA7A2CE1449EEB23854A3BCD53A7B9D0DAF

[ INFO ] Connecting to the Engine

[ ERROR ] Failed to execute stage 'Closing up': [ERROR]::RHEV API connection failure, (60, "Peer's Certificate issuer is not recognized.")

[ INFO ] Stage: Clean up

[ INFO ] Generating answer file '/var/lib/ovirt-hosted-engine-setup/answers/answers-20160317180831.conf'

[ INFO ] Stage: Pre-termination

[ INFO ] Stage: Termination

[ ERROR ] Hosted Engine deployment failed: this system is not reliable, please check the issue, fix and redeploy

Log file is located at /var/log/ovirt-hosted-engine-setup/ovirt-hosted-engine-setup-20160317180705-gozg0i.log

Expected results:

Upgrades succeed with custom certificate.

Additional info:

The original premise for making apache-ca.pem and ca.pem the same simplifies things and can potentially decouple the SSL cert requirement from the engine-host enrollment, however, it seems that system utilities are not using the same certificate consistently.
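
A diagnostic sketch for the inconsistency reported above, added here and not taken from the report or from the oVirt/RHEV code: it extracts the CA fingerprint that the setup tool announces and lists which CA files do not contain that certificate. The function names are hypothetical, and the "certificates" are constructed placeholder bytes rather than real X.509 data; in practice the PEM text would be read from the actual `ca.pem` and `apache-ca.pem` files.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
LOG_FP = re.compile(r"Fingerprint \(SHA-1\):\s*([0-9A-Fa-f:]+)")


def bundle_fingerprints(pem_text):
    """Return the SHA-1 fingerprint of every certificate in a PEM bundle."""
    prints = []
    for block in PEM_BLOCK.findall(pem_text):
        der = ssl.PEM_cert_to_DER_cert(block)
        prints.append(hashlib.sha1(der).hexdigest().upper())
    return prints


def announced_fingerprint(setup_output):
    """Extract the CA fingerprint printed in the setup output, or None."""
    match = LOG_FP.search(setup_output)
    return match.group(1).replace(":", "").upper() if match else None


def files_missing_ca(setup_output, ca_files):
    """List the CA files (name -> PEM text) that lack the announced CA."""
    wanted = announced_fingerprint(setup_output)
    if wanted is None:
        raise ValueError("no 'Fingerprint (SHA-1)' line in setup output")
    return sorted(name for name, pem in ca_files.items()
                  if wanted not in bundle_fingerprints(pem))


# Constructed sample data: placeholder bytes wrapped as PEM, not real certs.
_INTERNAL_DER = b"constructed internal engine CA"
INTERNAL_CA = ssl.DER_cert_to_PEM_cert(_INTERNAL_DER)
CUSTOM_CA = ssl.DER_cert_to_PEM_cert(b"constructed customer CA")
SAMPLE_OUTPUT = (
    "[ INFO ] Acquiring internal CA cert from the engine\n"
    "[ INFO ] Fingerprint (SHA-1): %s\n"
    % hashlib.sha1(_INTERNAL_DER).hexdigest().upper())
SAMPLE_FILES = {"ca.pem": INTERNAL_CA, "apache-ca.pem": CUSTOM_CA}

if __name__ == "__main__":
    # The file holding only the customer CA does not match the announced CA.
    print(files_missing_ca(SAMPLE_OUTPUT, SAMPLE_FILES))
```

A file listed by `files_missing_ca` anchors trust in a different CA than the one the setup tool is about to use, which is the condition under which a client reports that the peer certificate's issuer is not recognized.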