Bug 1763108

Summary: [downstream clone - 4.3.7] Fix invalid host certificates by filling-in subject alternate name during host installation
Product: Red Hat Enterprise Virtualization Manager
Reporter: RHV bug bot <rhv-bugzilla-bot>
Component: ovirt-host-deploy
Assignee: Martin Perina <mperina>
Status: CLOSED DUPLICATE
QA Contact: Lucie Leistnerova <lleistne>
Severity: high
Docs Contact:
Priority: high
Version: 4.3.0
CC: bugs, dougsland, lsurette, mperina, Rhev-m-bugs, srevivo, tburke
Target Milestone: ovirt-4.3.7
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1763084
Environment:
Last Closed: 2019-10-18 12:31:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1763084
Bug Blocks:

Description RHV bug bot 2019-10-18 09:20:59 UTC
+++ This bug is an upstream to downstream clone. The original bug is: +++
+++   bug 1763084 +++
======================================================================

We currently put the hostname/IP into the Common Name (CN) of the host
certificate subject.  This is not good for two reasons:

- Using the CN for host name matching in certificates is obsolete and
  should no longer be used [1].

- The CN may not contain an IP address.

In the latter case, migrations don't work on el8, since libvirt refuses
to connect to a destination host that has invalid data in its
certificate.

The correct way to handle the certificates is to put the host name or
IP addresses into the Subject Alternative Name [2].  This is what this
patch does.

[1] http://wiki.cacert.org/FAQ/subjectAltName
[2] https://libvirt.org/remote.html#Remote_TLS_server_certificates

(Originally by Martin Perina)
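The two certificate shapes the report contrasts, as an added example (not code from oVirt, ovirt-host-deploy or libvirt): a throwaway CA issues one host certificate with the IP address in the CN only, and one with the FQDN and IP in subjectAltName, and OpenSSL's own verifier is asked to match the address against each. The host name, address and CA name are constructed for the demo, and the script only assumes an `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example, not code from oVirt, ovirt-host-deploy or libvirt: issue a
# host certificate carrying the FQDN and IP in subjectAltName, next to the
# CN-only shape the report describes, and let OpenSSL's verifier judge both.
# Host name, address and CA name below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST_FQDN="host1.example.com"   # constructed
HOST_IP="192.0.2.10"            # constructed (RFC 5737 documentation range)

# Minimal req config so the run does not depend on the system openssl.cnf.
# x509_extensions only applies to the self-signed CA (-x509); CSRs ignore it.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

# Throwaway CA that signs both host certificates.
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$WORK/req.cnf" -subj "/CN=demo-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# issue_cert NAME SUBJECT [SAN]
# Issues WORK/NAME.pem for SUBJECT. With SAN given (e.g. "DNS:h,IP:1.2.3.4")
# it becomes the subjectAltName extension; without it the cert has CN only.
issue_cert() {
    name=$1; subj=$2; san=${3:-}
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "$subj" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    if [ -n "$san" ]; then
        printf 'subjectAltName=%s\n' "$san" > "$WORK/$name.ext"
        openssl x509 -req -days 30 -in "$WORK/$name.csr" \
            -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
            -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
    else
        openssl x509 -req -days 30 -in "$WORK/$name.csr" \
            -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
            -out "$WORK/$name.pem" >/dev/null 2>&1
    fi
}

# Chain check plus identity match, the way a TLS client does it.
# Exit 0 only if the chain verifies AND the name/address matches the cert.
check_hostname() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" "$WORK/$1.pem" >/dev/null 2>&1
}
check_ip() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_ip "$2" "$WORK/$1.pem" >/dev/null 2>&1
}

# Prints the SAN entries of WORK/NAME.pem (empty when the extension is absent).
san_of() {
    openssl x509 -in "$WORK/$1.pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

make_ca
issue_cert cn-only  "/CN=$HOST_IP"                                  # the shape the report complains about
issue_cert san-host "/CN=$HOST_FQDN" "DNS:$HOST_FQDN,IP:$HOST_IP"   # the shape the fix produces

for name in cn-only san-host; do
    printf '%-8s SAN: %s\n' "$name" "$(san_of "$name")"
    if check_ip "$name" "$HOST_IP"; then r=matches; else r=does-NOT-match; fi
    printf '%-8s verify_ip %s -> %s\n' "$name" "$HOST_IP" "$r"
done
```

OpenSSL matches an IP address only against SAN iPAddress entries and never falls back to the CN, so `cn-only` fails `-verify_ip` even though its CN is textually the address; for DNS names the CN fallback is only used when the certificate has no SAN dNSName at all, which is why `san-host` is matched by its SAN entry and rejected for any other name. A practitioner checking a deployed host can reuse the `check_ip` form against the real CA and host certificate, and `san_of` to see what the deploy tooling actually wrote into the extension.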

Comment 1 Martin Perina 2019-10-18 12:31:16 UTC
The fix in ovirt-host-deploy is not needed to cover adding a new host or reinstalling an existing one; we are OK with the engine fix only.

*** This bug has been marked as a duplicate of bug 1763109 ***