Bug 1416232

Summary: [Docs] SSL certificate procedure feedback
Product: Red Hat Enterprise Virtualization Manager
Component: Documentation
Version: 4.0.0
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: high
Reporter: Tahlia Richardson <trichard>
Assignee: Emma Heftman <eheftman>
QA Contact: Tahlia Richardson <trichard>
CC: didi, edsilber, eheftman, gveitmic, juwu, lbopf, lsurette, mkalinin, mwest, pvilayat, rbalakri, sbonazzo, srevivo, ykaul, ylavi
Target Milestone: ovirt-4.1.3
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-07-26 08:49:27 UTC
Type: Bug
oVirt Team: Docs
Bug Blocks: 1156381, 1362573

Description Tahlia Richardson 2017-01-25 00:44:00 UTC
This is a catch-all bug to collect feedback from various sources on "Replacing the Red Hat Virtualization Manager SSL Certificate"[1], which seems to be receiving a lot of attention lately. 

Please add any further feedback to this bug. 

[1] https://access.redhat.com/documentation/en/red-hat-virtualization/4.0/paged/administration-guide/appendix-d-red-hat-virtualization-and-ssl

Comment 1 Tahlia Richardson 2017-01-25 00:46:43 UTC
Public docs comment[1] feedback:

"Can we add more to this explaining how to generate a compatible P12 from openssl or even a CSR with response. I think some details on key length, algorithm would be beneficial. This appears to be a difficult subject for many end users. Also an export or import indicating the option for -nokeys may be needed.

Why does ovirt seem to be different than instructions here? What about the nopass key? http://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/"


[1] https://access.redhat.com/documentation/en/red-hat-virtualization/4.0/paged/administration-guide/appendix-d-red-hat-virtualization-and-ssl#comment-1140791

Comment 5 Tahlia Richardson 2017-01-31 01:40:30 UTC
*** Bug 1417055 has been marked as a duplicate of this bug. ***

Comment 6 Lucy Bopf 2017-02-07 07:55:12 UTC
*** Bug 1122895 has been marked as a duplicate of this bug. ***

Comment 7 Lucy Bopf 2017-02-07 07:58:24 UTC
*** Bug 1156381 has been marked as a duplicate of this bug. ***

Comment 8 Yaniv Lavi 2017-02-07 08:44:22 UTC
*** Bug 1330754 has been marked as a duplicate of this bug. ***

Comment 9 Eric Silberberg 2017-03-29 20:13:06 UTC
Step 4 is a possible source of confusion.
"Back up your P12 bundle, and then move it to /etc/pki/ovirt-engine/keys/apache.p12."

That's one of the only steps in the document without the follow-up syntax. Also, 'your p12 bundle' is somewhat vague. I'm assuming it is a new p12 file created for the apache server certificate and not for the root CA certificate.
Assuming that it requires openssl pkcs12 -export -inkey mynew.key -in mynew.crt -out apache.p12

Comment 10 Eric Silberberg 2017-03-29 20:21:08 UTC
Also, 'Back up your bundle' could imply using the existing key and cert combination before applying the new one. I'm still assuming from the reference to apache.p12 in steps 5 and 6 that what step 4 means is 'create a new p12 bundle from your cert and key'.
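
Added example, not part of any bug comment or of the Red Hat documentation: one way to build the bundle that comments 9 and 10 discuss and to check it before it replaces /etc/pki/ovirt-engine/keys/apache.p12. The file names, the P12_PASS environment variable and the function names are assumptions, and the check assumes the bundle holds a single certificate.

```bash
# Added example. mynew.key / mynew.crt follow comment 9; P12_PASS (bundle
# password, read from the environment so it stays off the command line) and
# all function names are assumptions.

# Constructed sample input: a throwaway self-signed key and certificate
# standing in for the files issued by your CA.
make_test_pair() {   # make_test_pair DIR NAME CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Bundle the server key and server certificate (not the root CA certificate).
build_p12() {   # build_p12 KEY CERT OUT
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:P12_PASS
}

# Public key of the certificate in the bundle (-nokeys: certificates only).
p12_cert_pubkey() {
    cert=$(openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null) || return 1
    printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null
}

# Public key derived from the private key in the bundle (-nocerts: key only).
# The key stays in a shell variable and is never written to disk.
p12_key_pubkey() {
    key=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12_PASS 2>/dev/null) || return 1
    printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null
}

# check_p12 BUNDLE EXPECTED_CERT
# Succeeds only if the bundle opens with P12_PASS, contains a private key,
# that key matches the bundled certificate, and the bundled certificate
# carries the same public key as EXPECTED_CERT.
check_p12() {
    cpub=$(p12_cert_pubkey "$1") || return 1
    kpub=$(p12_key_pubkey "$1") || return 1
    want=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$cpub" = "$kpub" ] && [ "$cpub" = "$want" ]
}
```

Running check_p12 on the new bundle before the move in step 4 catches a bundle built from the CA certificate alone, which fails because it holds no private key.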

Comment 11 Lucy Bopf 2017-04-24 08:23:22 UTC
From bug 1443225:

The RHV 4.x Administration Guide does not include a step to update /etc/pki/ovirt-engine/ca.pem when using a self-signed certificate under "Appendix D. Red Hat Virtualization and SSL".

Below are the steps to include:

# cd /etc/pki/ovirt-engine
# openssl x509 -in /tmp/<self_signed_certificate> -text -noout > ca.pem
# cat apache-ca.pem >> ca.pem

# systemctl restart httpd.service
# systemctl restart ovirt-engine.service

Would be good to change the title from 'SSL' to 'SSL/TLS'.

Comment 12 Lucy Bopf 2017-04-24 08:24:14 UTC
*** Bug 1443225 has been marked as a duplicate of this bug. ***

Comment 13 Lucy Bopf 2017-07-13 05:40:52 UTC
Assigning to Emma for review.

Comment 14 Yedidyah Bar David 2017-07-13 09:27:23 UTC
Emma asked me in private to review :-) Setting needinfo on myself for now.

Comment 29 Emma Heftman 2017-07-26 08:49:27 UTC
The updated documentation is available on the Customer Portal:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html-single/administration_guide/#Replacing_the_Manager_SSL_Certificate