Description of problem:
Under certain circumstances it can happen that the apache p12 key does not match the certificate apache-ca.pm. This is a request for a setup feature that would actually check that the key-certificate pair is correct and can't cause an outage of service after upgrade.

Version-Release number of selected component (if applicable):
is32.2

How reproducible:
100%

Steps to Reproduce:
1. have 3.2 environment
2. purposely corrupt /etc/pki/ovirt-engine/apache.p12
3. perform upgrade

Actual results:
upgrade succeeds, httpd service will not start

Expected results:
If the corruption is detected we should either warn the user or warn them and generate a new certificate-key pair.
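The check requested in the description, as an added example (not oVirt's setup code and not from the reporter): it compares the public key of the private key inside a PKCS#12 bundle with the public key of a PEM certificate, and reports an unreadable bundle separately from a mismatch. The function names, the `P12_PASS` environment variable and the certificate argument are assumptions; the demo keys are constructed.

```sh
#!/bin/sh
# Added example: does the private key inside a PKCS#12 bundle belong to a
# given PEM certificate? The bundle password is read from the P12_PASS
# environment variable (an assumption) so it stays off the command line.
# Usage: P12_PASS=... check_pair /etc/pki/ovirt-engine/apache.p12 <cert.pem>

# Print the public half of the bundle's private key as PEM.
pubkey_of_p12() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12_PASS 2>/dev/null |
        openssl pkey -pubout 2>/dev/null
}

# Print the certificate's public key as PEM.
pubkey_of_cert() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# check_pair P12_FILE CERT_PEM
# Returns 0 on match, 1 on mismatch, 2 if either input cannot be parsed
# (a corrupted bundle or a wrong password ends up here).
check_pair() {
    p12_pub=$(pubkey_of_p12 "$1") || return 2
    cert_pub=$(pubkey_of_cert "$2") || return 2
    [ -n "$p12_pub" ] && [ -n "$cert_pub" ] || return 2
    [ "$p12_pub" = "$cert_pub" ]
}

# Constructed demo material: two throwaway self-signed pairs; only pair "a"
# is wrapped into a bundle. Prints the temp directory that holds the files.
make_demo() {
    d=$(mktemp -d) || return 1
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
            -days 1 -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null || return 1
    done
    openssl pkcs12 -export -inkey "$d/a.key" -in "$d/a.pem" \
        -passout env:P12_PASS -out "$d/a.p12" 2>/dev/null || return 1
    printf '%s\n' "$d"
}
```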
Per my previous comment, admins can put key/certificate and skip the PKCS#12 wrapping, so it is incorrect to back-compare it. The root cause of this issue is a manual leftover/invalid state of PKI artifacts; I am unsure it is worth handling automatically.
I am closing this for now, as it is unlikely we will do this. If we get more reports of this issue, we will reopen it, as it is no longer a local configuration problem.