Bug 1445245

Summary: ovirt-log-collector should use /etc/pki/ovirt-engine/apache-ca.pem instead of /etc/pki/ovirt-engine/ca.pem
Product: Red Hat Enterprise Virtualization Manager Reporter: Olimp Bockowski <obockows>
Component: ovirt-log-collector Assignee: Ido Rosenzwig <irosenzw>
Status: CLOSED ERRATA QA Contact: Lukas Svaty <lsvaty>
Severity: low Docs Contact:
Priority: unspecified    
Version: 4.0.6 CC: bburmest, lsvaty, mkalinin
Target Milestone: ovirt-4.2.0   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: ovirt-log-collector-4.2.0-1.el7ev Doc Type: Bug Fix
Doc Text:
Ovirt-log-collector now uses /etc/pki/ovirt-engine/apache-ca.pem as the default certificate authority. This prevents errors when the certificate authority is changed.
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-15 17:31:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Integration RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Olimp Bockowski 2017-04-25 10:45:03 UTC
Description of problem:
By default the log collector points to /etc/pki/ovirt-engine/ca.pem, which is wrong in my honest opinion, because I think it should point to apache-ca.pem (it uses the REST API, so it should depend on Apache's cert, not ca.pem).
At the beginning (default installation) /etc/pki/ovirt-engine/apache-ca.pem is the same as /etc/pki/ovirt-engine/ca.pem.
If a customer replaces the RHV-M SSL certificate with his/her organization's commercially signed certificate, then he experiences an issue:

ERROR: Failure fetching information about hypervisors from API.
Error (Error): ('Error while sending HTTP request', error(60, "Peer's Certificate issuer is not recognized."))
ERROR: _get_hypervisors_from_api: ('Error while sending HTTP request', error(60, "Peer's Certificate issuer is not recognized."))


Version-Release number of selected component (if applicable):
RHV 3.x, 4.x

How reproducible:
always

Steps to Reproduce:
1. replace certificate according to:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.0/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_SSL_Certificate
2. run ovirt-log-collector

Actual results:
ERROR: Failure fetching information about hypervisors from API.
Error (Error): ('Error while sending HTTP request', error(60, "Peer's Certificate issuer is not recognized."))
ERROR: _get_hypervisors_from_api: ('Error while sending HTTP request', error(60, "Peer's Certificate issuer is not recognized."))

Expected results:
ovirt-log-collector uses: /etc/pki/ovirt-engine/apache-ca.pem

Additional info:
There is an easy fix for this problem:
vim /etc/ovirt-engine/logcollector.conf
cert-file=/etc/pki/ovirt-engine/apache-ca.pem
But it should be the default.
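
An added example, not part of the original report or of ovirt-log-collector's own code: a Python check that works out which CA file the collector would trust and whether it still matches the CA behind Apache. It assumes logcollector.conf holds plain key=value lines as in the workaround above; the function names and the sample PEM blobs are constructed for illustration.

```python
import base64
import hashlib
import re

INTERNAL_CA = "/etc/pki/ovirt-engine/ca.pem"        # default before the fix
APACHE_CA = "/etc/pki/ovirt-engine/apache-ca.pem"   # default after the fix
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def configured_cert_file(conf_text, default):
    """Last uncommented cert-file= value in logcollector.conf, else default."""
    value = default
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":   # blanks, comments, section headers
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == "cert-file" and val.strip():
            value = val.strip()
    return value


def cert_fingerprints(pem_text):
    """SHA-256 of each certificate's DER bytes; PEM line wrapping is ignored."""
    return {hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in PEM_RE.findall(pem_text)}


def diagnose(conf_text, internal_pem, apache_pem, default=INTERNAL_CA):
    """Classify the collector's trust anchor against the two CA files."""
    cert_file = configured_cert_file(conf_text, default)
    if cert_file == APACHE_CA:
        return "ok"
    if cert_file != INTERNAL_CA:
        return "custom"                    # site-specific path, not judged here
    if cert_fingerprints(internal_pem) == cert_fingerprints(apache_pem):
        return "ok-until-replaced"         # default install: files identical
    return "mismatch"                      # expect the error 60 from the report


def fake_pem(seed):
    """Constructed placeholder PEM for the demo; not a real certificate."""
    body = base64.b64encode(seed * 8).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


SAMPLE_INTERNAL = fake_pem(b"internal-ca")       # stands in for ca.pem
SAMPLE_COMMERCIAL = fake_pem(b"commercial-ca")   # stands in for apache-ca.pem

if __name__ == "__main__":
    print(diagnose("", SAMPLE_INTERNAL, SAMPLE_COMMERCIAL))
```

On a real Manager, pass the contents of logcollector.conf, ca.pem and apache-ca.pem as the three arguments.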

Comment 2 Lukas Svaty 2017-09-07 14:57:04 UTC
verified in ovirt-log-collector-4.2.0-0.0.master.20170903141131.gitbd2607f.el7.centos.noarch

[root@ls-engine1 ~]# grep DEFAULT_CA_PEM /usr/lib/python2.7/site-packages/ovirt_log_collector/config.py
DEFAULT_CA_PEM = "/etc/pki/ovirt-engine/apache-ca.pem"

Comment 4 Lukas Svaty 2018-04-20 08:27:29 UTC
ovirt-log-collector-4.2.4-5.el7ev.noarch

Comment 8 errata-xmlrpc 2018-05-15 17:31:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1465

Comment 9 Yedidyah Bar David 2018-06-13 05:57:54 UTC
*** Bug 1146710 has been marked as a duplicate of this bug. ***

Comment 10 Franta Kust 2019-05-16 13:05:17 UTC
BZ<2>Jira Resync