Bug 1353441

Summary: Docs: replace /ca.crt with "/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA"
Product: Red Hat Enterprise Virtualization Manager Reporter: Yedidyah Bar David <didi>
Component: DocumentationAssignee: Julie <juwu>
Status: CLOSED CURRENTRELEASE QA Contact: rhev-docs <rhev-docs>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 4.0.0CC: cfergeau, didi, gklein, juwu, lsurette, rbalakri, srevivo, ykaul, ylavi
Target Milestone: ovirt-4.0.3   
Target Release: 4.0.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Release Note
Doc Text:
Previously, the Manager's CA certificate could be downloaded from: http://[engine-fqdn]/ca.crt. With this update, the URL to download the CA certificate has changed to: http://[engine-fqdn]/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA. Existing clients that use the old URL must be updated to use the new one.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-09-09 01:45:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Docs RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1360991    

Description Yedidyah Bar David 2016-07-07 05:53:12 UTC 
Description of problem:

The URL "http://engine-fqdn/ca.crt" to get the engine's ca cert is deprecated and removed in 4.0 in favor of:

http://engine-fqdn/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA

Please search all docs and replace everywhere. Currently noticed this in:

https://access.redhat.com/documentation/en/red-hat-virtualization/4.0-beta/rhevm-shell-guide/12-tls-ssl-certification

See also e.g.:

https://bugzilla.redhat.com/show_bug.cgi?id=1340130
http://www.ovirt.org/develop/release-management/features/infra/pki/#services
Comment 1 Lucy Bopf 2016-08-04 02:37:41 UTC 
*** Bug 1362617 has been marked as a duplicate of this bug. ***
Comment 4 Yaniv Kaul 2016-08-22 07:25:12 UTC 
Don't we break backwards compatibility this way? Don't we expect older clients to continue try and successfully retrieve the certificate from the old location?
Comment 5 Yaniv Kaul 2016-08-22 07:35:08 UTC 
(In reply to Yaniv Kaul from comment #4)
> Don't we break backwards compatibility this way? Don't we expect older
> clients to continue try and successfully retrieve the certificate from the
> old location?

Example - https://github.com/GNOME/libgovirt/blob/f70802a769baa8113f26ba9287e453b9209d56f5/govirt/ovirt-proxy.c#L55
Comment 6 Yedidyah Bar David 2016-08-22 09:03:05 UTC 
(In reply to Yaniv Kaul from comment #5)
> (In reply to Yaniv Kaul from comment #4)
> > Don't we break backwards compatibility this way? Don't we expect older
> > clients to continue try and successfully retrieve the certificate from the
> > old location?

That's a good question, but too late...

> 
> Example -
> https://github.com/GNOME/libgovirt/blob/
> f70802a769baa8113f26ba9287e453b9209d56f5/govirt/ovirt-proxy.c#L55

It's already affected - 4.0 was released several months ago.

Another question to ask is if we tried hard enough to inform users/3rd-parties about this. No idea about this. The ones that already contacted us and fixed their clients did this, AFAIK, only when they saw they are broken, when trying 4.0 or a beta.
Comment 9 Julie 2016-09-09 01:45:03 UTC 
Documentation Link:
https://access.redhat.com/documentation/en/red-hat-virtualization/4.0/paged/rhevm-shell-guide/12-tls-ssl-certification