Bug 1374585

Summary: [Docs] Missing steps to replace SSL Certificate
Product: Red Hat Enterprise Virtualization Manager Reporter: Germano Veit Michel <gveitmic>
Component: Documentation Assignee: rhev-docs <rhev-docs>
Status: CLOSED DUPLICATE QA Contact: rhev-docs <rhev-docs>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.0.2 CC: gklein, lbopf, lsurette, nicolas, rbalakri, srevivo, trichard, ykaul
Target Milestone: ovirt-4.0.5   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-10-05 05:21:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Docs RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Germano Veit Michel 2016-09-09 07:16:00 UTC
Description of problem:

This Guide:
https://access.redhat.com/documentation/en/red-hat-virtualization/4.0/single/administration-guide/#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https

Is missing the steps from the "Doc Text" of this BZ: 
https://bugzilla.redhat.com/show_bug.cgi?id=1336838

Because a fresh install of 4.0 hit the same issue when following the Documentation.

The upgrade guide already contains a note regarding it - look at the BZ. But wouldn't it be preferable if the steps were properly outlined in the Documentation?

https://access.redhat.com/documentation/en/red-hat-virtualization/4.0/single/upgrade-guide/#Upgrading_to_Red_Hat_Virtualization_Manager_4.0

Actual results following the Documentation: 
admin@internal cannot log in
ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-2) [] server_error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Expected results:
admin@internal logs in fine

Additional info:

I believe correct steps would be like this:
1. trust anchor /<path>/ca.crt && update-ca-trust
2. Follow the current docs
3. create /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
   ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
   ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
4. service ovirt-engine restart
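
A way to check the result of the steps above, as an added example that is not part of the original report or of Red Hat's documentation: `effective_setting` reports which trust store the files in `engine.conf.d` select, and `chain_ok` tests whether a server certificate chains to a CA bundle. Assumptions: the `.conf` files are applied in lexical order with the last assignment winning, and the certificate and a PEM CA bundle are passed as arguments because `openssl` cannot read the Java store directly; both function names are made up for this example.

```shell
#!/bin/sh
# Added example: checks to run after the four steps listed above.

# Print the value KEY ends up with when every *.conf in DIR is applied in
# lexical order and the last assignment wins (assumed load order; it is the
# reason the override file carries the 99- prefix).
effective_setting() {
    key=$1 dir=$2 value=
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -q "^[[:space:]]*$key=" "$f"; then
            value=$(sed -n "s/^[[:space:]]*$key=//p" "$f" | tail -n 1 | tr -d '"')
        fi
    done
    printf '%s\n' "$value"
}

# Succeed only if CERT (PEM) chains to a CA in BUNDLE (PEM). BUNDLE stands in
# for the Java store named in step 3 (assumption: update-ca-trust keeps a PEM
# bundle and the Java store in step with each other).
chain_ok() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Usage: sh check.sh <engine.conf.d dir> <server cert PEM> <CA bundle PEM>
if [ "$#" -eq 3 ]; then
    store=$(effective_setting ENGINE_HTTPS_PKI_TRUST_STORE "$1")
    echo "trust store in effect: ${store:-<not overridden in $1>}"
    if chain_ok "$2" "$3"; then
        echo "chain: $2 is trusted by $3"
    else
        # This is the state that produces the PKIX path building error.
        echo "chain: $2 is NOT trusted by $3"
        exit 1
    fi
fi
```

Run it on the Manager machine after step 4; a failing chain check means the CA from step 1 never reached the system trust.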

Comment 1 Tahlia Richardson 2016-10-05 05:21:35 UTC
Closing this bug as a duplicate of BZ#1336845. This bug helped clarify the other one for me, though, so thanks for raising it, Germano.

*** This bug has been marked as a duplicate of bug 1336845 ***