Bug 1116036 - [engine-setup] engine-setup just to configure websocket proxy instructs user with wrong commands
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: oVirt
Classification: Retired
Component: ovirt-engine-installer
Version: 3.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: 3.5.0
Assignee: Simone Tiraboschi
QA Contact: Pavel Stehlik
URL:
Whiteboard: integration
Depends On:
Blocks:
Reported: 2014-07-03 14:16 UTC by Jiri Belka
Modified: 2014-10-17 12:42 UTC (History)

Fixed In Version: ovirt-3.5.0-beta2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-17 12:42:55 UTC
oVirt Team: ---
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 29714 0 master MERGED packaging: setup: using a different filename for remote wsp certs Never
oVirt gerrit 30176 0 ovirt-engine-3.5 MERGED packaging: setup: using a different filename for remote wsp certs Never

Description Jiri Belka 2014-07-03 14:16:16 UTC
Description of problem:

engine-setup just to configure websocket proxy instructs user with wrong command.

~~~
          2. execute, on the engine host, this command to enroll the cert:
           /usr/share/ovirt-engine/bin/pki-enroll-request.sh \
               --name=websocket-proxy \
               --subject="/C=<country>/O=<organization>/CN=websocketproxy.rhev.lab.eng.brq.redhat.com"
          Substitute <country>, <organization> to suite your environment
          (i.e. the values must match values in the certificate authority of your engine)
~~~

The wrong thing is '--name=websocket-proxy', as this is the default value and thus it would override the already existing certificate on the engine node (let's suppose most users would just hit <enter> when configuring the engine).

Either put <whatevertodistinguishyourwebsocketproxycert> there or, even better, just start naming certs based on 'CN'.

Version-Release number of selected component (if applicable):
ovirt-engine-setup-base-3.5.0-0.0.master.20140629172257.git0b16ed7.el6.noarch
ovirt-engine-setup-plugin-ovirt-engine-common-3.5.0-0.0.master.20140629172257.git0b16ed7.el6.noarch
ovirt-engine-setup-plugin-websocket-proxy-3.5.0-0.0.master.20140629172257.git0b16ed7.el6.noarch
ovirt-engine-setup-plugin-ovirt-engine-3.5.0-0.0.master.20140629172257.git0b16ed7.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1. (engine host) engine-setup, pidgin style <enter> for everything (even YES for websocket proxy)
2. (different host) yum install ovirt-engine
3. 'NO' to configure engine, we want just websocket proxy
4. do what you are instructed, just change the parts of the commands which have <value>

Actual results:
existing engine's websocket certs will be silently overwritten

Expected results:
for sure it should not overwrite existing cert

Additional info:

~~~
(engine)# ls -ltr /etc/pki/ovirt-engine/certs/websocket-proxy.cer
-rw-r--r--. 1 root root 5359 Jul  3 15:25 /etc/pki/ovirt-engine/certs/websocket-proxy.cer
(engine)# grep websocket-proxy.cer /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
(engine)# ls -l /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
-rw-r--r--. 1 root root 251 Jun 19 09:38 /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
~~~

Comment 1 Jiri Belka 2014-07-31 09:11:04 UTC
ok, ovirt-engine-setup-plugin-websocket-proxy-3.5.0-0.0.master.20140722232058.git8e1babc.el6.noarch

...
           /usr/share/ovirt-engine/bin/pki-enroll-request.sh \
               --name=websocket-proxy-jb-onqa.rhev.lab.eng.brq.redhat.com \
               --subject="/C=<country>/O=<organization>/CN=jb-onqa.rhev.lab.eng.brq.redhat.com"
...

# find /etc/pki/ovirt-engine/ -mmin -3
/etc/pki/ovirt-engine/
/etc/pki/ovirt-engine/requests
/etc/pki/ovirt-engine/requests/websocket-proxy-jb-onqa.rhev.lab.eng.brq.redhat.com.req
/etc/pki/ovirt-engine/.rnd
/etc/pki/ovirt-engine/certs
/etc/pki/ovirt-engine/certs/1007.pem
/etc/pki/ovirt-engine/certs/websocket-proxy-jb-onqa.rhev.lab.eng.brq.redhat.com.cer
/etc/pki/ovirt-engine/serial.txt
/etc/pki/ovirt-engine/database.txt
/etc/pki/ovirt-engine/database.txt.attr
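
A pre-enrollment check for the overwrite described in this report, as an added example that is not part of the bug report or of oVirt's own code. The function names and the `PKI_DIR`/`CONF_DIR` override variables are hypothetical; the default paths and the `websocket-proxy-<fqdn>` naming are the ones shown above.

```shell
#!/bin/sh
# Added example: guard to run on the engine host before enrolling a
# certificate for a remote websocket proxy. PKI_DIR and CONF_DIR are
# assumed override variables; their defaults are the paths in this report.
PKI_DIR="${PKI_DIR:-/etc/pki/ovirt-engine}"
CONF_DIR="${CONF_DIR:-/etc/ovirt-engine/ovirt-websocket-proxy.conf.d}"

# Build a per-host name in the style shown in comment 1:
# websocket-proxy-<fqdn>. Returns 2 for empty or path-like input.
wsp_cert_name() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 2 ;;
    esac
    printf 'websocket-proxy-%s\n' "$1"
}

# Return 0 if <name> is safe to enroll, 1 if enrolling it would replace
# existing material. Prints one line per collision found.
check_enroll_name() {
    name=$1
    rc=0
    for f in "$PKI_DIR/certs/$name.cer" "$PKI_DIR/requests/$name.req"; do
        if [ -e "$f" ]; then
            echo "exists: $f"
            rc=1
        fi
    done
    # A cert referenced by SSL_CERTIFICATE= is the one a local websocket
    # proxy is configured to serve; replacing it changes a live service.
    if grep -qsF "SSL_CERTIFICATE=$PKI_DIR/certs/$name.cer" "$CONF_DIR"/*.conf; then
        echo "in use: $PKI_DIR/certs/$name.cer"
        rc=1
    fi
    return $rc
}
```

Calling `check_enroll_name "$(wsp_cert_name <proxy-fqdn>)"` before enrolling stops the procedure when the chosen `--name` already has a certificate or request under the engine's PKI directory.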

Comment 2 Sandro Bonazzola 2014-10-17 12:42:55 UTC
oVirt 3.5 has been released and should include the fix for this issue.

