Bug 1370904

Summary: Engine's rename tool does not re-enroll PKI for engine services
Product: [oVirt] ovirt-engine
Component: Setup.Core
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: future
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-06-25 07:29:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Integration
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Reporter: Amit Aviram <aaviram>
Assignee: Lev Veyde <lveyde>
QA Contact: Jiri Belka <jbelka>
Docs Contact:
CC: baptiste.agasse, bugs, didi, lsvaty, ylavi

Description Amit Aviram 2016-08-28 08:09:01 UTC
Description of problem:
When having a setup of the engine, using the "engine-rename" tool does not re-enroll the PKI for engine's services (e.g. ovirt-imageio-proxy).

Renaming is necessary as the domain name is changing, while the certs are still signed by the old domain name. This causes the services' clients to not trust it anymore, as the domain name is compared with the certs given.

Version-Release number of selected component (if applicable):
4.0.2

How reproducible:
100%

Steps to Reproduce:
1. Have an ovirt-engine setup.
2. Rename the engine's FQDN, using the engine-rename tool
3. Observe the "issuer" record in one of the services' certs, at /etc/pki/ovirt-engine/certs (e.g. /etc/pki/ovirt-engine/certs/websocket-proxy.cer)

Expected results:
The issuer should be the new engine's FQDN

Comment 1 Yaniv Lavi 2018-06-25 07:29:29 UTC
Closing old bugs.
Please reopen if still relevant.
Patches are welcomed.

Comment 2 Yedidyah Bar David 2018-06-25 07:42:14 UTC
(In reply to Amit Aviram from comment #0)
> Description of problem:
> When having a setup of the engine, using the "engine-rename" tool does not
> re-enroll the PKI for engine's services (e.g. ovirt-imageio-proxy). 

For imageio, we have bug 1575979.

> 
> Renaming is necessary as the domain name is changing, while the certs are still
> signed by the old domain name. This causes the services' clients to not
> trust it anymore, as the domain name is compared with the certs given.
> 
> Version-Release number of selected component (if applicable):
> 4.0.2
> 
> How reproducible:
> 100%
> 
> Steps to Reproduce:
> 1. Have an ovirt-engine setup.
> 2. Rename the engine's FQDN, using the engine-rename tool
> 3. Observe the "issuer" record in one of the services' certs, at
> /etc/pki/ovirt-engine/certs (e.g.
> /etc/pki/ovirt-engine/certs/websocket-proxy.cer)

Not exactly. The issuer is FQDN.RANDOM, not FQDN.

A client that tries to resolve it will fail, with or without rename.

So if that's your only problem, it's not related to rename.

If your problem is that you want to fully get rid of any mention of the old FQDN, for whatever reason (say, legal reasons), then rename won't help you.

It was decided at rename's design time, ~ 4-5 years ago, to not recreate the CA cert.

Not changing the summary, because not sure what to write there, but it's still WONTFIX.

For problems with specific services, or any conf/data that should be handled by rename, please open new bugs.

> 
> Expected results:
> The issuer should be the new engine's FQDN
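An added check, not part of this bug report or of engine-rename itself: after a rename, walk the cert directory the report names and flag service certs whose subject CN/SAN does not name the new FQDN, while only reporting the issuer, which per comment 2 keeps the CA's "FQDN.RANDOM" name because rename does not recreate the CA. The new FQDN, the openssl binary and the `*.cer` naming are assumptions.

```shell
#!/bin/sh
# Added check, not part of the bug or of engine-rename. Lists the leaf certs
# under the cert dir the report names and flags any whose CN/SAN does not
# name the new engine FQDN. The new FQDN passed in is an assumed placeholder.
CERT_DIR="${CERT_DIR:-/etc/pki/ovirt-engine/certs}"   # path from the report

# Pull the CN out of an "openssl x509 -noout -subject|-issuer" line; handles
# both "subject=CN = x, O = y" and the older "subject= /O=y/CN=x" layouts.
cn_of() { printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'; }

# Pure-shell decision on already extracted fields: expected FQDN, subject CN,
# issuer CN, space-separated SAN entries ("DNS:a DNS:b"). Returns 0 when the
# cert names the new FQDN, 1 otherwise. The issuer is only reported: rename
# does not recreate the CA, so its "oldfqdn.RANDOM" CN is expected to remain
# (see comment 2) and is not by itself the failure this bug describes.
check_cert_names() {
    fqdn=$1; subject_cn=$2; issuer_cn=$3; sans=$4; bad=0
    if [ "$subject_cn" != "$fqdn" ]; then
        case " $sans " in
            *" DNS:$fqdn "*) ;;
            *) echo "MISMATCH: CN='$subject_cn' SAN='$sans' does not name $fqdn"
               bad=1 ;;
        esac
    fi
    case "$issuer_cn" in
        "$fqdn".*) echo "issuer CN '$issuer_cn' (CA named after new FQDN)" ;;
        *) echo "issuer CN '$issuer_cn' (CA not re-created by rename)" ;;
    esac
    return $bad
}

# Walk the directory with openssl (assumed installed) and apply the check.
# Usage: audit_cert_dir new-engine.example.org [/path/to/certs]
audit_cert_dir() {
    fqdn=$1; dir=${2:-$CERT_DIR}; rc=0
    for cert in "$dir"/*.cer; do
        [ -f "$cert" ] || continue
        subj=$(openssl x509 -in "$cert" -noout -subject)
        iss=$(openssl x509 -in "$cert" -noout -issuer)
        # SAN list is the line after the extension header in -text output
        san=$(openssl x509 -in "$cert" -noout -text \
              | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' ' | tr ',' ' ')
        echo "== $cert"
        check_cert_names "$fqdn" "$(cn_of "$subj")" "$(cn_of "$iss")" "$san" || rc=1
    done
    return $rc
}
```

Run `audit_cert_dir <new-fqdn>` on the engine host; a non-zero exit means at least one service cert still carries only the old name in CN/SAN, which is the client-trust failure the report describes.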