Bug 1607793

Summary: [RFE] When RHV uses custom certs for https, Fetch correct ca cert in satellite
Product: Red Hat Satellite
Component: Compute Resources - RHEV
Version: 6.4
Status: CLOSED WONTFIX
Severity: medium
Priority: unspecified
Reporter: Sanket Jagtap <sjagtap>
Assignee: satellite6-bugs <satellite6-bugs>
QA Contact: Sanket Jagtap <sjagtap>
CC: inecas, kbidarka, lhellebr, mshira, orabin, sjagtap
Target Milestone: Unspecified
Target Release: Unused
Keywords: FutureFeature, Reopened, RFE, Triaged
Hardware: Unspecified
OS: Unspecified
Last Closed: 2019-11-04 14:03:24 UTC
Type: Bug

Description Sanket Jagtap 2018-07-24 09:41:39 UTC
Description of problem:
By default, RHV uses a self-signed cert for HTTPS and oVirt-engine stuff (talking to hypervisors internally).

But when the user decides to update only the HTTPS cert with his own organization's CA, Satellite fetches the wrong CA cert from RHV.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Have an RHV using a custom cert (not self-signed) for HTTPS
2. Try to add the RHV as a compute resource

Actual results:
Unable to save
ERF56-1309 [Foreman::FingerprintException]: The remote system presented a public key signed by an unidentified certificate authority. If you are sure the remote system is authentic, go to the compute resource edit page, press the 'Test Connection' or 'Load Datacenters' button and submit


Expected results:
It should fetch the updated CA cert from RHV.

Additional info:
The only workaround possible is from the UI.
When adding the RHV CA, there is an X509 Certification Authorities field where the user can paste the content of the cert and then click "Load Datacenters".

Comment 2 Lukáš Hellebrandt 2018-07-24 10:02:51 UTC
Please note, the field description says "Optionally provide a CA, or a correctly ordered CA chain. If left blank, a self-signed CA will be populated automatically by the server during the first request."

However, I would expect the Satellite to download the cert that is actually used so the current behavior seems undesirable to me.

Comment 6 Ido Kanner 2018-07-25 13:25:49 UTC

*** This bug has been marked as a duplicate of bug 1602835 ***

Comment 7 Lukáš Hellebrandt 2018-07-25 13:32:11 UTC
Ido, I don't think these are duplicates. This bug is about Foreman not fetching custom cert when clicking 'Load Datacenters' in the WUI (whether it is a bug or not is another issue) while the other bug is about API not supporting manual CAcert specification.

However, bug 1343391 appears to be related.

Comment 8 Ido Kanner 2018-07-25 13:39:48 UTC
Okay, reopened it. I misread the issue, sorry.

Comment 10 Shira Maximov 2018-11-29 16:01:32 UTC
At the moment, when creating an oVirt compute resource, the behavior is the following:
- If there is no custom certificate, it will fetch the self-signed certificate from here: http://${OVIRT}/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA

- If there is a custom certificate, then the custom CA is not fetched and nothing is filled in at the CA input.

The reason you are receiving an error is that you are entering the wrong CA: you are putting in the self-signed CA and not the custom one.

Please try to download the root CA.
In Chrome:
1. Go to the oVirt URL
2. Next to the oVirt URL, on the left side, you have a lock icon; click on it
3. Click on Certificate
4. Click on the 'Details' tab
5. Under the Certificate Hierarchy, select the first one
6. Export
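
Added example, not part of the bug thread or of Foreman's code: the mismatch described in comment 10, reproduced in Ruby with constructed in-memory certificates. The names `make_cert`, `ca_validates?`, `ENGINE_CA`, `ORG_CA` and `HTTPS_CERT` and all hostnames are assumptions made for illustration; `ENGINE_CA` stands in for what the pki-resource URL returns and `ORG_CA` for the exported root CA.

```ruby
require "openssl"

# Build a constructed certificate; with no issuer given it is self-signed.
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(
    ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true)
  )
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Does the CA bundle (PEM text, as pasted into the X509 Certification
# Authorities field) validate the certificate the HTTPS endpoint presents?
def ca_validates?(ca_pem, server_cert)
  store = OpenSSL::X509::Store.new
  ca_pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
        .each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  store.verify(server_cert)
end

# Constructed stand-ins: the engine's internal CA, an organization CA, and
# an HTTPS certificate issued by the organization CA (the custom-cert case).
engine_key, org_key, https_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
ENGINE_CA  = make_cert("engine-internal-ca.example", engine_key, ca: true)
ORG_CA     = make_cert("org-root-ca.example", org_key, ca: true, serial: 2)
HTTPS_CERT = make_cert("rhv.example", https_key,
                       issuer: ORG_CA, issuer_key: org_key, serial: 3)

puts "engine CA validates HTTPS cert: #{ca_validates?(ENGINE_CA.to_pem, HTTPS_CERT)}"
puts "org CA validates HTTPS cert:    #{ca_validates?(ORG_CA.to_pem, HTTPS_CERT)}"
```

The same check can be run against a real exported CA file before pasting it into the compute resource form, by passing its contents as `ca_pem` and the server's presented certificate as `server_cert`.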

Comment 11 Sanket Jagtap 2018-12-18 06:29:33 UTC
Yes, the reason for filing the issue is to address the same behaviour as mentioned in comment #10.

Satellite should be able to fetch the correct CA cert while adding an RHV compute resource.

We can switch the bug to an RFE to track this.

Comment 12 Shira Maximov 2018-12-18 07:57:38 UTC
Sanket, please change the bug to RFE, thanks.

Comment 14 Bryan Kearney 2019-11-04 14:03:24 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this, please do not reopen. Instead, feel free to contact Red Hat Technical Support. Thank you.