Bug 1576377

Summary: engine-setup rewrites SSL*File options
Product: [oVirt] ovirt-engine
Reporter: Yedidyah Bar David <didi>
Component: Setup.Engine
Assignee: Yedidyah Bar David <didi>
Status: CLOSED CURRENTRELEASE
QA Contact: Lucie Leistnerova <lleistne>
Severity: high
Docs Contact:
Priority: high
Version: 4.2.3.5
CC: bugs, jiri.slezka, lleistne
Target Milestone: ovirt-4.2.4
Flags: rule-engine: ovirt-4.2+, rule-engine: exception+
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
engine-setup now checks if apache httpd's ssl.conf file needs updates also on upgrades, prompts accordingly, and applies the updates as needed. Now, only parameters that actually require a change are changed - specifically, manual user changes to SSL certificates are not overridden.

doc team: Please see bug 1558500 and comment 0 of current. Copied doc text from that bug and added a statement. Feel free to rewrite however you find best. Also, "parameters that actually require a change" are currently only a single one, "SSLProtocol". So if you want to be more specific than we tried to be in the past (and in the code), it's enough to: engine-setup now only updates SSLProtocol in apache httpd's ssl.conf file, if needed, and not other parameters.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-06-26 08:41:53 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Integration
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Yedidyah Bar David 2018-05-09 10:14:02 UTC
Description of problem:

See bug 1558500.

This means also that a sysadmin changing ssl.conf after setup to use custom certs (probably signed by a 3rd party CA), gets these changes overwritten back to engine-setup's default, which is the internal CA.

This was first reported on the thread starting with:

https://lists.ovirt.org/archives/list/users@ovirt.org/thread/FSREE7KQOZ32IWSYTGIQ5JIJFQM25BV3/

(Current archive seems to not be up-to-date so does not include latest relevant emails).

Version-Release number of selected component (if applicable):

4.2.3

How reproducible:

Always

Steps to Reproduce:
1. Install and setup a 4.1 engine, as in bug 1558500.
2. Manually configure 3rd-party CA certs for apache httpd in ssl.conf
3. Upgrade to 4.2.3

Actual results:

Manual changes to SSLCertificateFile, SSLCertificateKeyFile or SSLCACertificateFile done in step (2.) are reverted

Expected results:

Only changes to SSLProtocol and CustomLog options are done, but not to the SSL*File options.

Additional info:

Comment 1 Lucie Leistnerova 2018-06-12 09:26:12 UTC
engine-setup asks for changes in ssl.conf and then changes only SSLProtocol, CustomLog. SSLCertificate settings are unchanged.

verified in ovirt-engine-setup-4.2.4.2-0.1.el7_3.noarch

Comment 2 Sandro Bonazzola 2018-06-26 08:41:53 UTC
This bugzilla is included in oVirt 4.2.4 release, published on June 26th 2018.

Since the problem described in this bug report should be resolved in oVirt 4.2.4 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.
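
The behaviour this report asks for (update SSLProtocol where needed, leave SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile alone) can be sketched and checked as below. This is an added example, not engine-setup's own code; the sample ssl.conf fragment, its certificate paths and the target SSLProtocol value are constructed, and CustomLog handling is left out.

```python
import re

# Options the bug report says an upgrade must leave untouched.
PRESERVED = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCACertificateFile")
# Matches "Directive value"; comment lines and <Section> tags do not match.
_DIRECTIVE = re.compile(r"^(\s*)(\w+)\s+(.*?)\s*$")

def parse_directives(conf_text):
    """Return {lowercased directive: [values]} for active lines."""
    found = {}
    for line in conf_text.split("\n"):
        m = _DIRECTIVE.match(line)
        if m:
            found.setdefault(m.group(2).lower(), []).append(m.group(3))
    return found

def update_ssl_protocol(conf_text, wanted):
    """Rewrite only active SSLProtocol lines whose value differs from wanted."""
    out, changed = [], False
    for line in conf_text.split("\n"):
        m = _DIRECTIVE.match(line)
        # Apache directive names are case-insensitive.
        if m and m.group(2).lower() == "sslprotocol" and m.group(3) != wanted:
            line = f"{m.group(1)}SSLProtocol {wanted}"
            changed = True
        out.append(line)
    return "\n".join(out), changed

def preserved_unchanged(before, after):
    """True if every SSL*File option has the same values in both texts."""
    b, a = parse_directives(before), parse_directives(after)
    return all(b.get(k.lower()) == a.get(k.lower()) for k in PRESERVED)

# Constructed sample: an ssl.conf fragment with third-party certificate paths.
SAMPLE = """\
<VirtualHost _default_:443>
# SSLProtocol all
SSLProtocol all -SSLv3
SSLCertificateFile /etc/pki/example/certs/thirdparty.cer
SSLCertificateKeyFile /etc/pki/example/private/thirdparty.key
SSLCACertificateFile /etc/pki/example/certs/thirdparty-chain.pem
</VirtualHost>
"""
WANTED = "-all +TLSv1.2"  # constructed target value, not taken from the bug

if __name__ == "__main__":
    new_text, changed = update_ssl_protocol(SAMPLE, WANTED)
    print("changed:", changed, "SSL*File kept:", preserved_unchanged(SAMPLE, new_text))
```

Running `preserved_unchanged` on copies of ssl.conf taken before and after an upgrade gives the same check the verification comment describes.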