Bug 1119420 - Ovirt compute resource doesn't work with wildcard certs
Summary: Ovirt compute resource doesn't work with wildcard certs
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Provisioning
Version: 6.0.3
Hardware: Unspecified
OS: Unspecified
unspecified
medium vote
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Katello QA List
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-07-14 18:13 UTC by Rich Jerrido
Modified: 2017-02-23 21:13 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-26 12:37:30 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Foreman Issue Tracker 7516 None None None 2016-04-22 16:43:52 UTC
Red Hat Bugzilla 1125933 None None None Never
Red Hat Bugzilla 1143941 None None None Never

Internal Links: 1125933 1143941

Description Rich Jerrido 2014-07-14 18:13:20 UTC
Description of problem:

When configuring Satellite 6 beta with a ovirt/rhevm compute resource that is using a wildcard cert for HTTPS, the user is presented with the following error:

"'ERF56-1309 [Foreman::FingerprintException]: The remote system presented a  public key signed by an unidentified certificate authority. If you are  sure the remote system is authentic, go to the compute resource edit  page, press the 'Test Connection' or 'Load Datacenters' button and  submit'"

The message is repeated each time the user clicks 'submit' and is thus unable to create the compute resource 

Version-Release number of selected component (if applicable):
foreman-ovirt-1.6.0.21-1.el6sat.noarch
ruby193-rubygem-rbovirt-0.0.26-2.el6sat.noarch


How reproducible:
100%

Steps to Reproduce:
1. Configure RHEV-M to use a 3rd party cert, such as per (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.3/html-single/Administration_Guide/index.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https)
2. attempt to Configure Sat6 to use an ovirt resource
3.

Actual results:
User is unable to successfully configure an ovirt compute resource

Expected results:
User is able to successfully configure an ovirt compute resource


Additional info:

Comment 1 RHEL Product and Program Management 2014-07-14 18:24:10 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 3 Rich Jerrido 2014-07-15 12:47:26 UTC
As a temporary workaround, the following works to disable SSL verification:

from Lukas Zapletal <lzap@redhat.com>:


"locate rvovirt.rb file and change the VERIFY_PEER to VERIFY_NONE

[root@hp-sl2x170zg6-01 ~]# locate rbovirt.rb
/opt/rh/ruby193/root/usr/share/gems/gems/rbovirt-0.0.28/lib/rbovirt.rb

[root@hp-sl2x170zg6-01 ~]# grep VERIFY_PEER /opt/rh/ruby193/root/usr/share/gems/gems/rbovirt-0.0.28/lib/rbovirt.rb
  verify_options = {:verify_ssl  => OpenSSL::SSL::VERIFY_PEER}

Then restart Satellite 6:

service httpd restart"

Comment 4 Lukas Zapletal 2014-07-22 12:57:19 UTC
Rich,

can you share with me how you deployed the certificate? Is this documented in RHEV materials? I would like to reproduce.

Comment 5 Rich Jerrido 2014-07-22 15:25:22 UTC
We followed the instructions documented in the RHEV 3.2/3.3 documentation (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.3/html-single/Administration_Guide/index.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https) to replace the default self-signed certificate with the wildcard certificate.

Comment 7 Brian J. Atkisson 2014-09-12 02:18:44 UTC
I'm getting this same error with Satellite 6.0.4 using RHEV 3.4 with a custom certificate, which was issued by IPA/IdM.  This is not a wildcard cert, but it's not the RHEV-generated cert either.  The Compute Resource never actually gets to the point of trying the username/password.

Comment 8 Dominic Cleal 2014-09-18 07:48:04 UTC
Created redmine issue http://projects.theforeman.org/issues/7516 from this bug

Comment 9 Lukas Zapletal 2014-09-26 12:37:30 UTC
Ok I am closing this issue because I am unable to reproduce. I was able to setup my oVirt/RHEV with wildcard certs easily.

There is other issue/bug which is very relevant to this problem:

https://bugzilla.redhat.com/show_bug.cgi?id=1143941
http://projects.theforeman.org/issues/7522

Until it was not resolved, I was not able to setup *any* other CA than the self-signed cert from RHEV. Therefore I believe the bug solved your error.

In any case, feel free to reopen if you still think this is an issue. The 1143941 is scheduled for 6.1 release.


Note You need to log in before you can comment on or make changes to this bug.