Cause:
The ovirt-provider-ovn config generated by engine-setup used the oVirt Engine internal certificate authority in /etc/pki/ovirt-engine/ca.pem to verify oVirt Engine's TLS certificate.
Consequence:
If the admin replaces the TLS/SSL certificate as described in Administration Guide > Appendix D. Red Hat Virtualization and SSL, they would have to manually update the path to the new certificate authority file in the engine-setup generated /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf; otherwise the provider's SSO token requests to the engine fail with CERTIFICATE_VERIFY_FAILED.
Fix:
The ovirt-provider-ovn config generated by engine-setup now uses the web server certificate authority in /etc/pki/ovirt-engine/apache-ca.pem to verify oVirt Engine's TLS certificate.
Result:
After an additional
systemctl restart ovirt-provider-ovn
the procedure works as described in Administration Guide > Appendix D. Red Hat Virtualization and SSL for new installations.
For updated installations a manual check is required to ensure that
ovirt-ca-file in /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf points to /etc/pki/ovirt-engine/apache-ca.pem.
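The manual check above, as a small check-and-fix script. This is an added example, not code from oVirt or from the bug report. It assumes the INI-style layout of the engine-setup generated file (an [OVIRT] section containing an ovirt-ca-file=... line, which is the line the workaround edits); the sample config it writes is constructed here for trying the functions without touching /etc, and the live openssl check is an extra the bug does not describe.

```shell
#!/bin/sh
# Added example (not oVirt's own code): make sure ovirt-provider-ovn verifies
# the engine with the web server CA (apache-ca.pem), not the internal engine CA
# (ca.pem), and restart the provider after fixing the config.

CONF_DEFAULT=/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
# CA that signs the (possibly replaced) web server certificate, per Appendix D.
WANT_CA=/etc/pki/ovirt-engine/apache-ca.pem
# Internal engine CA; no longer matches once the web certificate is replaced.
OLD_CA=/etc/pki/ovirt-engine/ca.pem

# Print the current ovirt-ca-file value from config file $1 (empty if unset).
get_ca_file() {
    sed -n 's/^[[:space:]]*ovirt-ca-file[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Point ovirt-ca-file in config file $1 at path $2; appends the key if missing.
# Rewrites through a temp file so it works with any POSIX sed.
set_ca_file() {
    conf=$1
    new=$2
    if grep -q '^[[:space:]]*ovirt-ca-file[[:space:]]*=' "$conf"; then
        sed "s|^\([[:space:]]*ovirt-ca-file[[:space:]]*=\).*|\1$new|" "$conf" > "$conf.tmp"
        mv "$conf.tmp" "$conf"
    else
        printf 'ovirt-ca-file=%s\n' "$new" >> "$conf"
    fi
}

# Return 0 when config file $1 already points at the web server CA.
check_ca_file() {
    [ "$(get_ca_file "$1")" = "$WANT_CA" ]
}

# Write a constructed copy of the pre-fix config (as an older engine-setup
# generated it; other keys omitted) to path $1, for testing outside /etc.
make_sample_conf() {
    cat > "$1" <<EOF
[OVIRT]
ovirt-ca-file=$OLD_CA
EOF
}

# Optional live check (needs network and openssl): does CA file $2 actually
# verify the certificate served by engine host $1? This is the verification
# the SSO token request in the traceback performs.
verify_engine_cert() {
    host=$1
    ca=$2
    openssl s_client -connect "$host:443" -servername "$host" -CAfile "$ca" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

main() {
    conf=${2:-$CONF_DEFAULT}
    if check_ca_file "$conf"; then
        echo "ok: ovirt-ca-file already points at $WANT_CA"
        return 0
    fi
    echo "fixing: ovirt-ca-file was '$(get_ca_file "$conf")'"
    set_ca_file "$conf" "$WANT_CA"
    systemctl restart ovirt-provider-ovn
}

# Only touch the real host when invoked as: sh fix-ovn-ca.sh --apply [conf]
if [ "${1:-}" = "--apply" ]; then
    main "$@"
fi
```

On an updated installation run it once with --apply after replacing the web certificate; on a new installation it should report "ok" and change nothing.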
Description Marian Jankular 2018-07-04 12:20:16 UTC
Description of problem:
OVN network synchronization not working after replacing the RHV-M tls certificate with a commercial one
Version-Release number of selected component (if applicable):
4.2.4
How reproducible:
always
Steps to Reproduce:
1. configure ovn as external provider
2. replace web ui certificates for custom ones
3. restart ovirt engine
Actual results:
ovn network synchronization stops with error
2018-07-03 10:20:41,888 root [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
Traceback (most recent call last):
File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 133, in _handle_request
method, path_parts, content)
File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 175, in handle_request
return self.call_response_handler(handler, content, parameters)
File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in call_response_handler
return response_handler(content, parameters)
File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py", line 62, in post_tokens
user_password=user_password)
File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 26, in create_token
return auth.core.plugin.create_token(user_at_domain, user_password)
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/plugin.py", line 48, in create_token
timeout=self._timeout())
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75, in create_token
username, password, engine_url, ca_file, timeout)
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91, in _get_sso_token
timeout=timeout
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 54, in wrapper
response = func(*args, **kwargs)
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 47, in wrapper
raise BadGateway(e)
BadGateway: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
Expected results:
ovn network synchronization will continue working
Additional info:
workaround
edit file /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
and change the value of ovirt-ca-file from /etc/pki/ovirt-engine/ca.pem to /etc/pki/ovirt-engine/apache-ca.pem
(In reply to Dan Kenigsberg from comment #1)
> Can we use /etc/pki/ovirt-engine/apache-ca.pem instead of
> /etc/pki/ovirt-engine/ca.pem as suggested in
> https://access.redhat.com/support/cases/#/case/
> 02133602?commentId=a0aA000000N9KkjIAF ?
Yes, this seems to be a nice improvement.
We should include the manual check that the admin has to ensure that
ovirt-ca-file in /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf should point to /etc/pki/ovirt-engine/apache-ca.pem
in Administration Guide > Appendix D. Red Hat Virtualization and SSL.
This helps on updated installations with old or manually changed config file.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHEA-2019:1085