Bug 1362222

Summary: vv file via ovirt-shell broken, bad url to ca.crt
Product: [oVirt] ovirt-engine-cli Reporter: Jiri Belka <jbelka>
Component: GeneralAssignee: Ondra Machacek <omachace>
Status: CLOSED CURRENTRELEASE QA Contact: Jiri Belka <jbelka>
Severity: high Docs Contact:
Priority: unspecified    
Version: 3.6.8.0CC: bugs, jbelka, juan.hernandez, mgoldboi, mperina, omachace, oourfali
Target Milestone: ovirt-4.0.6Flags: rule-engine: ovirt-4.0.z+
mgoldboi: planning_ack+
juan.hernandez: devel_ack+
pstehlik: testing_ack+
Target Release: 3.6.9.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ovirt-engine-cli-3.6.9.1 Doc Type: Bug Fix
Doc Text:
Cause: oVirt 4.0 has removed ovirt-engine/ca.crt URL endpoint. Consequence: ovirt-shell can't obtain CA certificate, for spice console. Fix: ovirt-shell now connect addtionally to ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA, to obtain CA certificate Result: ovirt-shell can obtain CA certificate, for spice console.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-01-18 07:28:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jiri Belka 2016-08-01 15:34:29 UTC 
Description of problem:

opening console via ovirt-shell does not work, broken ca handling.

from vv file caught via ovirt-shell

~~~
...
ca=<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p>The requested URL /ca.crt was not found on this server.</p>\n</body></html>\n
...
~~~

~~~
# lynx -dump "http://10-34-60-214.example.com/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA"
-----BEGIN CERTIFICATE-----
MIIEMjCCAxqgAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwbDELMAkGA1UEBhMCVVMxJDAiBgNVBAoT
G3JoZXYubGFiLmVuZy5icnEucmVkaGF0LmNvbTE3MDUGA1UEAxMuMTAtMzQtNjAtMjE0LnJoZXYu
bGFiLmVuZy5icnEucmVkaGF0LmNvbS4xNTUzODAeFw0xNjA3MzEwNjQ2NThaFw0yNjA3MzAwNjQ2
NThaMGwxCzAJBgNVBAYTAlVTMSQwIgYDVQQKExtyaGV2LmxhYi5lbmcuYnJxLnJlZGhhdC5jb20x
NzA1BgNVBAMTLjEwLTM0LTYwLTIxNC5yaGV2LmxhYi5lbmcuYnJxLnJlZGhhdC5jb20uMTU1Mzgw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsD7tYbQdr4JcERup7WgvnBk6ZXTKRLL7U
TBslOxC5KW9MoLuO4EimR//rOBveJKpvYXD6sdDFXNvEKSEbsuvAZSpC+ArJAffWDvATG+YrMTUH
fDXubJVDPHiChyQOhGniCIkbbABl+1ySnm4/rkjjzXhQ45mQS2EpE8+ld2sAQe0DiztOplGuvCuc
8O25zWXlAe/NU/+VI4mnSDFDeD5XBIUE69GKZGQl+npQiI6ZjDGas1IKGKEgR/RJ1b2dnKF4hksI
SUnSacRmQmylM1QuSSq9dT1u1CBVFioUvt0GfmXvxJOw1LYMprcCmyXGpotvf75gRwmUvn4PM1Mj
e82PAgMBAAGjgd0wgdowHQYDVR0OBBYEFKZ7726Mhz/1heKbW/0xtcgvJPJWMIGXBgNVHSMEgY8w
gYyAFKZ7726Mhz/1heKbW/0xtcgvJPJWoXCkbjBsMQswCQYDVQQGEwJVUzEkMCIGA1UEChMbcmhl
di5sYWIuZW5nLmJycS5yZWRoYXQuY29tMTcwNQYDVQQDEy4xMC0zNC02MC0yMTQucmhldi5sYWIu
ZW5nLmJycS5yZWRoYXQuY29tLjE1NTM4ggIQADAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
AwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAnnvB9U9tAAK3CMiZjZgCYaAggOVFdIUVSBhWDb/Mx02L
wz8Nvv1dBcFmTujDMEhhLJ26mPoluPPw26ZzN/H1hrde7VabhUL+JsqKwEE9gAwbqLKbWNsdT65T
2vC70j7OIlIw1urRMDDZtjKLTUond+mvc3dHY+A/uuCASQORfRCOK4+R2IObpGRWvibCfWp7s/e4
zjsulApXBbgT+hYOAlkIYo1MprbrD67OXbfvpMj7Gw+jliufcgxikscSMT8dueptvOWLqWCtPLCP
vxQop5EQP7bb9/XJ6i0GxaQU6pmNJsQfQSgJYo87d2IBA4ld2dk5A+CEsuQz4y4OuwjLZw==
-----END CERTIFICATE-----
# lynx -dump "http://10-34-60-214.example.com/ca.crt"
                                   Not Found

   The requested URL /ca.crt was not found on this server.
~~~

Version-Release number of selected component (if applicable):
ovirt-engine-cli-3.6.8.1-1.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. ovirt-shell
2. console $vnmane
3.

Actual results:
does not work, broken ca cert handling

Expected results:
must work

Additional info:
Comment 1 Oved Ourfali 2016-08-02 05:18:06 UTC 
Ondra - can you take a look?
Comment 2 Juan Hernández 2016-08-02 07:55:44 UTC 
The problem is inside the "download_ca_certificate" function inside the "spice.py" file of the CLI. It expects the "ca.crt" available in the root of the web server, but that has been removed from version 4 of the engine, without notice.

I think we need to change the "download_ca_certificate" function so that it first tries to download it from "http://.../ovirt-engine/ca.crt". If that fails, for whatever the reason (older engine, for example(, then it should try to download it from "http://.../ovirt/engine/ca.crt".

Note also that all the certificates that we create contain an "authorityInfoAccess" extension with the following value (see the engine "pki.py" source file):

  caIssuers;URI:http://.../ca.crt

So one could argue that we should preserve the "ca.crt" available in that location, or else fix the process that generates the certificates, and maybe all the certificates themselves.
Comment 4 Juan Hernández 2016-08-02 09:21:14 UTC 
Jiri, can you confirm that this happened when connecting to version 4 of the engine?

There are two workarounds for this issue:

1. In the server side, in the engine machine, copy the /etc/pki/ovirt-engine/ca.pem file to /var/www/html/ca.crt:

  # openssl x509 -in /etc/pki/ovirt-engine/ca.pem -out /var/www/html/ca.crt

This will work for all clients connecting to that server.

2. Copy the server /etc/pki/ovirt-engine/ca.pem file to the ~/.spicec/spice_truststore.pem file:

  $ mkdir -p ~/.spicec
  $ scp root.com:/etc/pki/ovirt-engine/ca.pem .
  $ openssl x509 -in /etc/pki/ovirt-engine/ca.pem -out ~/.spicec/spice_truststore.pem

This works only for that server/client combination.

Note that use of the "openssl x509" command instead of just "cp", that is necessary to strip the certificate text that may confuse the spice client.

As there is a workaround I'm lowering the severity.
Comment 5 Jiri Belka 2016-08-23 07:56:58 UTC 
(In reply to Juan Hernández from comment #4)
> Jiri, can you confirm that this happened when connecting to version 4 of the
> engine?
> 
> There are two workarounds for this issue:
> 
> 1. In the server side, in the engine machine, copy the
> /etc/pki/ovirt-engine/ca.pem file to /var/www/html/ca.crt:
> 
>   # openssl x509 -in /etc/pki/ovirt-engine/ca.pem -out /var/www/html/ca.crt
> 
> This will work for all clients connecting to that server.
> 
> 2. Copy the server /etc/pki/ovirt-engine/ca.pem file to the
> ~/.spicec/spice_truststore.pem file:
> 
>   $ mkdir -p ~/.spicec
>   $ scp root.com:/etc/pki/ovirt-engine/ca.pem .
>   $ openssl x509 -in /etc/pki/ovirt-engine/ca.pem -out
> ~/.spicec/spice_truststore.pem
> 
> This works only for that server/client combination.
> 
> Note that use of the "openssl x509" command instead of just "cp", that is
> necessary to strip the certificate text that may confuse the spice client.
> 
> As there is a workaround I'm lowering the severity.

Yes, it was:

ovirt-engine-cli-3.6.8.1-1.el7ev.noarch
ovirt-engine-4.0.2.7-0.1.el7ev.noarch

and workarounds work fine.
Comment 6 Jiri Belka 2016-11-30 16:22:06 UTC 
ok, ovirt master - ovirt-engine-cli-3.6.9.2-1.el7.centos.noarch