Description of problem:
engine-setup just to configure websocket proxy instructs user with wrong command.

~~~
2. execute, on the engine host, this command to enroll the cert:
/usr/share/ovirt-engine/bin/pki-enroll-request.sh \
    --name=websocket-proxy \
    --subject="/C=<country>/O=<organization>/CN=websocketproxy.rhev.lab.eng.brq.redhat.com"
Substitute <country>, <organization> to suite your environment
(i.e. the values must match values in the certificate authority of your engine)
~~~

The wrong thing is '--name=websocket-proxy', as this is the default value and thus it would override the already existing certificate on the engine node (let's suppose most users would just hit <enter> when configuring the engine). Either put there <whatevertodistinguishyourwebsocketproxycert> or, even better, just start naming certs based on 'CN'.

Version-Release number of selected component (if applicable):
ovirt-engine-setup-base-3.5.0-0.0.master.20140629172257.git0b16ed7.el6.noarch
ovirt-engine-setup-plugin-ovirt-engine-common-3.5.0-0.0.master.20140629172257.git0b16ed7.el6.noarch
ovirt-engine-setup-plugin-websocket-proxy-3.5.0-0.0.master.20140629172257.git0b16ed7.el6.noarch
ovirt-engine-setup-plugin-ovirt-engine-3.5.0-0.0.master.20140629172257.git0b16ed7.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1. (engine host) engine-setup, pidgin style <enter> for everything (just even YES for websocket proxy)
2. (different host) yum install ovirt-engine
3. 'NO' to configure engine, we want just websocket proxy
4. do what you are instructed, just change the parts of the commands which have <value>

Actual results:
existing engine's websocket certs will be silently overwritten

Expected results:
for sure it should not overwrite existing cert

Additional info:

~~~
(engine)# ls -ltr /etc/pki/ovirt-engine/certs/websocket-proxy.cer
-rw-r--r--. 1 root root 5359 Jul 3 15:25 /etc/pki/ovirt-engine/certs/websocket-proxy.cer
(engine)# grep websocket-proxy.cer /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
(engine)# ls -l /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
-rw-r--r--. 1 root root 251 Jun 19 09:38 /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
~~~

ok, ovirt-engine-setup-plugin-websocket-proxy-3.5.0-0.0.master.20140722232058.git8e1babc.el6.noarch

~~~
...
/usr/share/ovirt-engine/bin/pki-enroll-request.sh \
    --name=websocket-proxy-jb-onqa.rhev.lab.eng.brq.redhat.com \
    --subject="/C=<country>/O=<organization>/CN=jb-onqa.rhev.lab.eng.brq.redhat.com"
...
~~~

~~~
# find /etc/pki/ovirt-engine/ -mmin -3
/etc/pki/ovirt-engine/
/etc/pki/ovirt-engine/requests
/etc/pki/ovirt-engine/requests/websocket-proxy-jb-onqa.rhev.lab.eng.brq.redhat.com.req
/etc/pki/ovirt-engine/.rnd
/etc/pki/ovirt-engine/certs
/etc/pki/ovirt-engine/certs/1007.pem
/etc/pki/ovirt-engine/certs/websocket-proxy-jb-onqa.rhev.lab.eng.brq.redhat.com.cer
/etc/pki/ovirt-engine/serial.txt
/etc/pki/ovirt-engine/database.txt
/etc/pki/ovirt-engine/database.txt.attr
~~~

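
A pre-flight check for the overwrite reported above, using the per-host naming shown in the verification comment. This is an added example, not part of the original report and not oVirt code: the function names are hypothetical, and the `certs/<name>.cer` and `requests/<name>.req` layout is assumed from the listings in this report.

```shell
#!/bin/sh
# Added example, not oVirt code. Function names are hypothetical; the PKI layout
# (certs/<name>.cer, requests/<name>.req) is assumed from the listings in this report.

# Extract the CN value from a subject such as "/C=US/O=Example/CN=host.example.test".
subject_cn() {
    printf '%s\n' "$1" | tr '/' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Build a per-host certificate name as in the verified fix: websocket-proxy-<CN>.
proxy_cert_name() {
    cn=$(subject_cn "$1")
    # Reject an empty CN or one with characters outside a hostname-safe set.
    case "$cn" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    printf 'websocket-proxy-%s\n' "$cn"
}

# Return 0 if enrolling under <name> touches no existing file,
# 1 if it would overwrite one, 2 if no name was given.
safe_to_enroll() {
    pki_dir=$1
    name=$2
    [ -n "$name" ] || return 2
    for f in "$pki_dir/certs/$name.cer" "$pki_dir/requests/$name.req"; do
        if [ -e "$f" ]; then
            echo "refusing: $f already exists" >&2
            return 1
        fi
    done
    return 0
}

# Constructed demo: a throwaway PKI tree that already holds the default-named cert.
demo=$(mktemp -d) && mkdir -p "$demo/certs" "$demo/requests" \
    && : > "$demo/certs/websocket-proxy.cer"
safe_to_enroll "$demo" websocket-proxy || echo "default name collides"
name=$(proxy_cert_name "/C=US/O=Example/CN=proxy.example.test") \
    && safe_to_enroll "$demo" "$name" && echo "ok to enroll as: $name"
rm -rf "$demo"
```

On a real engine host the first argument to `safe_to_enroll` would be `/etc/pki/ovirt-engine`, run before the enrollment command.
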
oVirt 3.5 has been released and should include the fix for this issue.