Bug 1445245
| Summary: | ovirt-log-collector should use /etc/pki/ovirt-engine/apache-ca.pem instead of /etc/pki/ovirt-engine/ca.pem | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Olimp Bockowski <obockows> |
| Component: | ovirt-log-collector | Assignee: | Ido Rosenzwig <irosenzw> |
| Status: | CLOSED ERRATA | QA Contact: | Lukas Svaty <lsvaty> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 4.0.6 | CC: | bburmest, lsvaty, mkalinin |
| Target Milestone: | ovirt-4.2.0 | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | ovirt-log-collector-4.2.0-1.el7ev | Doc Type: | Bug Fix |
| Doc Text: | Ovirt-log-collector now uses /etc/pki/ovirt-engine/apache-ca.pem as the default certificate authority. This prevents errors when the certificate authority is changed. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-05-15 17:31:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | Integration | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||

verified in ovirt-log-collector-4.2.0-0.0.master.20170903141131.gitbd2607f.el7.centos.noarch

```
[root@ls-engine1 ~]# grep DEFAULT_CA_PEM /usr/lib/python2.7/site-packages/ovirt_log_collector/config.py
DEFAULT_CA_PEM = "/etc/pki/ovirt-engine/apache-ca.pem"
```

ovirt-log-collector-4.2.4-5.el7ev.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1465

*** Bug 1146710 has been marked as a duplicate of this bug. ***

Description of problem:

By default log collector points to /etc/pki/ovirt-engine/ca.pem, which is wrong in my honest opinion because I think it should point to apache-ca.pem (it uses REST API so should depend on apache's cert, not ca.pem).

At the beginning (default installation) /etc/pki/ovirt-engine/apache-ca.pem is the same as /etc/pki/ovirt-engine/ca.pem.

If a customer replaces the RHV-M SSL certificate with his/her organization's commercially signed certificate, then he experiences an issue:

```
ERROR: Failure fetching information about hypervisors from API. Error (Error): ('Error while sending HTTP request', error(60, "Peer's Certificate issuer is not recognized."))
ERROR: _get_hypervisors_from_api: ('Error while sending HTTP request', error(60, "Peer's Certificate issuer is not recognized."))
```

Version-Release number of selected component (if applicable):
RHV 3.x, 4.x

How reproducible:
always

Steps to Reproduce:
1. Replace the certificate according to: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.0/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_SSL_Certificate
2. Run ovirt-log-collector

Actual results:

```
ERROR: Failure fetching information about hypervisors from API. Error (Error): ('Error while sending HTTP request', error(60, "Peer's Certificate issuer is not recognized."))
ERROR: _get_hypervisors_from_api: ('Error while sending HTTP request', error(60, "Peer's Certificate issuer is not recognized."))
```

Expected results:
ovirt-log-collector uses: /etc/pki/ovirt-engine/apache-ca.pem

Additional info:
There is an easy fix for this problem:

```
vim /etc/ovirt-engine/logcollector.conf
cert-file=/etc/pki/ovirt-engine/apache-ca.pem
```

But it should be by default.
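
A quick check for the condition this bug describes, as an added example that is not part of the bug report or of ovirt-log-collector: it reads the effective `cert-file` from logcollector.conf and compares that file with `apache-ca.pem`. The function names are hypothetical, the `ca.pem` fallback reflects the pre-fix default stated in the report, and the byte-for-byte comparison is a simplifying assumption (two different bundles that both contain the issuing CA would be reported as a mismatch).

```shell
#!/bin/sh
# Added example; function names are illustrative assumptions.

# effective_cert_file CONF DEFAULT
# Prints the last cert-file= value found in CONF, or DEFAULT when none is set.
effective_cert_file() {
    conf=$1; default=$2; value=
    if [ -r "$conf" ]; then
        # Commented-out lines do not match; spaces around '=' are accepted.
        value=$(sed -n 's/^[[:space:]]*cert-file[[:space:]]*=[[:space:]]*//p' "$conf" \
                | sed 's/[[:space:]]*$//' | tail -n 1)
    fi
    printf '%s\n' "${value:-$default}"
}

# check_logcollector_ca [CONF] [PKI_DIR]
# Returns 0 if the CA file the log collector will use has the same content as
# apache-ca.pem, 1 if it differs (the state that leads to error 60 once the
# Manager certificate has been replaced), 2 if either file cannot be read.
check_logcollector_ca() {
    conf=${1:-/etc/ovirt-engine/logcollector.conf}
    pki=${2:-/etc/pki/ovirt-engine}
    # Assumption: builds without the fix fall back to ca.pem.
    used=$(effective_cert_file "$conf" "$pki/ca.pem")
    apache_ca=$pki/apache-ca.pem
    if [ ! -r "$used" ] || [ ! -r "$apache_ca" ]; then
        echo "missing: cannot read $used or $apache_ca" >&2
        return 2
    fi
    if cmp -s "$used" "$apache_ca"; then
        echo "ok: $used matches $apache_ca"
        return 0
    fi
    echo "mismatch: log collector trusts $used, Apache chain uses $apache_ca"
    return 1
}

# Usage on the Manager host, with the default paths:
#   check_logcollector_ca
```
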