Bug 1444888
| Summary: | Generate engine certs with X509v3 Subject Alternative Name | ||
|---|---|---|---|
| Product: | [oVirt] ovirt-engine | Reporter: | Andrei Stepanov <astepano> |
| Component: | PKI | Assignee: | Lev Veyde <lveyde> |
| Status: | CLOSED DUPLICATE | QA Contact: | Pavel Stehlik <pstehlik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 4.1.1.8 | CC: | amureini, bugs, derez, didi, djasa, laravot, ylavi |
| Target Milestone: | ovirt-4.1.3 | Flags: | rule-engine:
ovirt-4.1+
rule-engine: exception+ |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-06-12 07:49:01 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | Integration | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1449503 | ||
Interesting, I believe we've had it ages ago... Especially for IE actually. *** Bug 1450629 has been marked as a duplicate of this bug. *** Didi, isn't this a dup of a bug you're already looking into? (In reply to Allon Mureinik from comment #3) > Didi, isn't this a dup of a bug you're already looking into? Yes, and Yaniv closed it as dup of current, see above. I tend to do the opposite and close current, because I prefer having a bug per each specific issue, but I admit I didn't yet actually try chrome, so not sure about its behavior. Specifically, comment 0 mixes ca cert with https cert. I do not think chrome requires SAN for the ca cert, but didn't try yet. *** This bug has been marked as a duplicate of bug 1450629 *** |
As you know "Internal engine certificate" should be manually installed in Browser. There are at least two cases for this: 1. Browser-Based Console Clients (SPICE-HTML5 and noVNC). 2. Qcow2 image uploader. This certificate can be downloaded from: http://<engine_url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA Problem is: current ovirt certificate doesn't have "X509v3 Subject Alternative Name" entry: curl -k 'https://<hostname>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA' | openssl x509 -text | grep -i 'Subject Alternative Name' The certificate must be generated with "X509v3 Subject Alternative Name" extension, like next certificate: openssl x509 -in some.crt -text X509v3 extensions: .... X509v3 Subject Alternative Name: DNS:fully.qualified.domain.name.com Chrome 58 cannot upload any qcow2 image, even browser was told to trust engine certificate. https://www.chromestatus.com/features/4981025180483584 This follows a similar change in Firefox 48.