Bug 1125933 - Documentation: provide a way to change /ca.crt for non-self-signed certs [NEEDINFO]
Summary: Documentation: provide a way to change /ca.crt for non-self-signed certs
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Documentation
Version: ---
Hardware: Unspecified
OS: Unspecified
Target Milestone: ovirt-4.1.1
Assignee: Brian Proffitt
QA Contact: bugs@ovirt.org
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-08-01 11:27 UTC by Lukas Zapletal
Modified: 2017-02-07 07:55 UTC (History)
CC List: 14 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-07 07:55:52 UTC
oVirt Team: Docs
sbonazzo: needinfo? (bproffit)
ylavi: ovirt-4.1?
rule-engine: planning_ack?
rule-engine: devel_ack?
rule-engine: testing_ack?
Links: Red Hat Bugzilla 1119420
Internal Links: 1119420

Description Lukas Zapletal 2014-08-01 11:27:29 UTC
According to the RHEV documentation and http://www.ovirt.org/Features/PKI, I have replaced apache-ca.pem and apache.{p12,key,cer} with my own certificate, which was signed by a proper CA (it is not self-signed).

Now I don't know how to configure oVirt (3.4) to return my CA certificate for the /ca.crt URL. The Foreman project (and the Satellite 6 product), as well as the rbovirt client library, use the /ca.crt file for the initial CA certificate download. It looks like oVirt currently only returns the server's certificate and there is no way of providing my own CA file (which is apparently a separate file).

Please document how to reconfigure oVirt to do this.

Also, http://www.ovirt.org/Features/PKI should be improved with more information on how to swap certificates (I had to follow the RHEV guide to do this).

If this is not possible, please create a feature request for it, as Foreman/Satellite 6 depend on this feature.

Many thanks!

Comment 1 Lukas Zapletal 2014-08-01 11:47:57 UTC
After some chat with mskrivanek it looks like this is hardcoded and can't be changed. Well, this is highly confusing; the URL should be /server.crt and not /ca.crt.

The proper fix would be to serve the file via httpd, allowing users to override it more easily. Please consider renaming /ca.crt to /server.crt (symlinking it to the same file by default) and changing the default configuration so that Apache httpd serves these files instead of the Java application.

WORKAROUND:

Put your proper CA file in /var/www/htdocs and remove the proxy for the /ca.crt URL:

  # copy the real CA certificate where httpd can serve it directly
  cp your_ca.crt /var/www/html/ca.crt
  # (optionally relabel the file, e.g. its SELinux context)
  # drop the "ca.crt$|" alternative from the engine proxy pattern, in place;
  # the dot and dollar are escaped so the literal text is matched
  sed -i 's/ca\.crt\$|//' /etc/httpd/conf.d/z-ovirt-engine-proxy.conf
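
A check that belongs next to this workaround, added here as an example and not part of the bug report or of oVirt: it tells whether the file served at /ca.crt is the issuing CA of the engine's Apache certificate or merely the server certificate again. The engine host name passed to `check_engine_ca`, the sample CN values and the temporary PKI are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report: decide whether the file served at
# the engine's /ca.crt URL is really the issuing CA of the Apache certificate,
# or merely a copy of the server certificate (the behaviour the report describes).
# Needs the openssl CLI and, for the live check only, curl.

# Returns 0 only if $1 is a CA certificate (basicConstraints CA:TRUE) and the
# leaf certificate $2 verifies against it.
is_issuing_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Live check against an engine (hypothetical host name supplied by the caller):
# the /ca.crt download itself cannot be authenticated yet, which is exactly why
# its content must be compared with the certificate the TLS listener presents.
check_engine_ca() {
    host=$1; dir=$(mktemp -d)
    curl -fsSk -o "$dir/ca.crt" "https://$host/ca.crt" || return 2
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -out "$dir/server.crt" 2>/dev/null || return 2
    is_issuing_ca "$dir/ca.crt" "$dir/server.crt"
}

# Constructed sample PKI in directory $1: a local CA (req -x509 marks it CA:TRUE
# by default) and a server certificate it signs; names and CNs are made up.
make_sample_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Sample-CA \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=engine.example.test \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/server.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/server.crt" 2>/dev/null
}

# Demonstration on the constructed PKI: the real CA passes; the server
# certificate handed out as "ca.crt" (the reported behaviour) is rejected.
demo() {
    d=$(mktemp -d) && make_sample_pki "$d"
    if is_issuing_ca "$d/ca.crt" "$d/server.crt"; then echo "ca.crt is the issuing CA"; fi
    if ! is_issuing_ca "$d/server.crt" "$d/server.crt"; then echo "server cert as ca.crt: rejected"; fi
    rm -rf "$d"
}
demo
```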

Comment 2 Sandro Bonazzola 2014-10-17 12:14:29 UTC
Moving pending bugs not fixed in 3.5.0 to 3.5.1.

Comment 3 Sandro Bonazzola 2015-01-21 16:08:33 UTC
oVirt 3.5.1 has been released; re-targeting to 3.6.0 as this is not marked as urgent / high severity or priority.

Comment 4 Sandro Bonazzola 2015-09-04 09:02:56 UTC
This is an automated message.
This Bugzilla report has been opened on a version which is not maintained anymore.
Please check if this bug is still relevant in oVirt 3.5.4.
If it's not relevant anymore, please close it (you may use the EOL or CURRENT RELEASE resolution).
If it's an RFE please update the version to 4.0 if still relevant.

Comment 5 Lukas Zapletal 2015-09-11 13:18:29 UTC
Oh yes, totally relevant.

Comment 6 Yaniv Kaul 2015-09-20 13:16:19 UTC
If you've used your own CA, why do you need oVirt to provide you the CA certificate?

Comment 7 Yedidyah Bar David 2015-09-20 13:31:05 UTC
(In reply to Yaniv Kaul from comment #6)
> If you've used your own CA, why do you need oVirt to provide you the CA
> certificate?

Because some tools expect to get it so that they can "verify" the connection. See e.g. bug 1059952.

Comment 8 Red Hat Bugzilla Rules Engine 2015-10-19 10:58:25 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 9 Sandro Bonazzola 2016-05-02 10:09:00 UTC
Moving from 4.0 alpha to 4.0 beta since 4.0 alpha has already been released and the bug is not ON_QA.

Comment 11 Sandro Bonazzola 2017-02-01 16:02:57 UTC
oVirt 4.1.0 GA has been released, re-targeting to 4.1.1.
Please check if this issue is correctly targeted or already included in 4.1.0.

Comment 12 Yaniv Lavi 2017-02-07 07:55:52 UTC
Please refer to the upstream 4.x docs, which should include a section on this.
