Red Hat Bugzilla – Bug 1257886
Need trust anchor thing while using remote-viewer to connect to .vv file to see foreign menu
Last modified: 2017-08-02 03:06:20 EDT
Description of problem:
Need trust anchor thing while using remote-viewer to connect to .vv file, otherwise the foreign menu cannot be seen.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Prepare a rhevm3.6 environment and a running guest on it: the guest can only be seen in the admin portal.
1. Download the guest file "console.vv" to check the 'admin' field in the [ovirt] section of .vv files
1.1 Log in to the rhevm server with the rhevm hostname instead of the IP, right-click on this guest and select the "Console Options" item, then set Console Invocation to "Native client".
1.2 Click the guest and select the "Console" item, then save the console file "console.vv" to the local machine.
1.3 Open console.vv and check the 'admin' field in the [ovirt] section
# cat console.vv
2. Use remote-viewer to launch the guest:
# remote-viewer console.vv
3. Download the ca.crt file and run "trust anchor ca.crt" as root before testing, then run steps 1 & 2 again.
# wget -k https://$rhevm-hostname/ca.crt
# trust anchor ca.crt
After step 2, without the trust anchor thing, remote-viewer can launch the guest but the foreign menu cannot be seen.
After step 3, with the trust anchor thing, remote-viewer can launch the guest and the foreign menu "Change CD" can be seen.
Without the trust anchor thing while using remote-viewer to connect to the .vv file, the foreign menu can be seen.
This bug has a slim chance of a good solution, so we're probably left with:
- good error message in virt-viewer
- a good documentation explaining what's needed
Let me explain:
The root cause is that the RHEV API cert is neither trusted system-wide nor specified system-wide. The issue is complicated, however, because the certificate used for the web can be, and frequently is, issued by a different CA than the RHEV CA, and RHEV doesn't have the power to ensure that this CA is even known to RHEV. This is caused by the usual CA chain in TLS:
RootCA (trusted) [- intermediateCA_1 [- intermediateCA_n]] - webCertificate
The root CA
- is expected to be included in client system (in ca certificates or among
- is not expected to be included in the CA chain
So in a configuration with no intermediate CAs, the root CA cert may not even be included in the RHEV-M system (in case it is some internal CA), so the only thing that the engine can supply to the client is the web cert itself.
To make things more complicated, the TLS in RHEV is provided by apache and what RHEV does is merely a default configuration, so getting the web certificate in use is not exactly an easy task to solve (well, by default, reading it from ssl.conf should be enough in most setups, but the only reliable way is to connect to apache and read the cert from the ServerHello).
On the client side, libsoup (glib's http library used for libgovirt networking) would need to support adding the RHEV-M cert as a trusted one. I have no idea if it has such a capability.
If these two issues are resolved in a satisfactory way, then it should be possible to add the web certificate to a new item in the vv file's [ovirt] section and have libgovirt use it. The room for things not working as expected would however still remain large, so the question is if it is worth the hassle.
The current state is that:
- if SPICE CA and web CA are the same, then 'trust anchor' needs to be used
- if SPICE CA and web CA are not the same, then 'trust anchor' needs to be used
The easy fix to #1 so that 'trust anchor' is not needed breaks #2 with no possible workaround, which is not so nice :(
No good solution in sight for 7.3, I'm afraid; moving to 7.4...
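The check a practitioner would want before filing or triaging a report like this, as an added example that is not part of the bug report and not code from virt-viewer, libgovirt or RHEV: parse the downloaded console.vv, pull out the [ovirt] admin field and the escaped SPICE CA, read the web certificate the RHEV-M Apache presents in its TLS handshake (the "read the cert from the ServerHello" step above), and test the connection first against the system trust store and then against the downloaded ca.crt. The result says which of the two cases in the comment you are in and whether 'trust anchor ca.crt' can help at all. The .vv layout of the constructed sample (a `ca` key in `[virt-viewer]` holding PEM with `\n` escapes next to the `[ovirt]` section seen in the report), the hostnames, the token and the certificate body are assumptions and placeholders, not values from the page.

```python
"""Is the RHEV-M web certificate behind a .vv file trusted by this client?

Added example; not code from the bug report, virt-viewer or libgovirt.
Assumed .vv layout: a [virt-viewer] section whose 'ca' key carries the
SPICE CA as PEM with newlines escaped as the two characters backslash-n,
plus the [ovirt] section with the 'admin' field mentioned in the report.
Hostnames, token and certificate body below are constructed placeholders.
"""
import configparser
import socket
import ssl

# Constructed sample console.vv. The certificate body is valid base64
# filler, not a real certificate, so only the parsing path uses it.
SAMPLE_VV = """\
[virt-viewer]
type=spice
host=rhevh1.example.test
port=5900
tls-port=5901
password=secret
ca=-----BEGIN CERTIFICATE-----\\nMIIBszCCAVwCAQEwDQYJKoZIhvcNAQEF\\nBQAwADAeFw0xNTA5MDEwMDAwMDBa\\n-----END CERTIFICATE-----\\n
delete-this-file=1

[ovirt]
host=rhevm.example.test:443
vm-guid=6b1e2a9a-0000-4000-8000-000000000001
sso-token=constructed-token
admin=1
"""


def parse_vv(text):
    """Return (spice_ca_pem, ovirt_section) parsed from .vv file text.

    The file is a flat key/value INI, so the PEM is stored on one line
    with literal backslash-n sequences; undo that to get real PEM.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    spice_ca = cp.get("virt-viewer", "ca", fallback="").replace("\\n", "\n")
    ovirt = dict(cp.items("ovirt")) if cp.has_section("ovirt") else {}
    return spice_ca, ovirt


def ovirt_api_host(ovirt):
    """Split the [ovirt] host field into (hostname, port); port defaults to 443."""
    host, _, port = ovirt["host"].partition(":")
    return host, int(port or 443)


def fetch_leaf_cert(host, port=443, timeout=5.0):
    """Read the web certificate the server presents during the handshake.

    Verification is deliberately off: the point is to obtain the cert
    before deciding whether it is trusted, which is the only reliable way
    to see what Apache is actually serving (ssl.conf may not tell the truth).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def verification_error(host, port=443, cafile=None, timeout=5.0):
    """Return None if the server cert verifies, otherwise the failure reason.

    cafile=None means the system trust store, i.e. what libsoup/libgovirt
    see by default; pass the downloaded ca.crt to see whether anchoring it
    would fix the connection.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message
    except ssl.SSLError as exc:  # other handshake failures
        return str(exc)


def needs_trust_anchor(host, port=443, rhevm_cafile="ca.crt"):
    """Classify the situation described in the comment above.

    'system'   - web cert already chains to the client's trust store
    'anchor'   - fails with the system store but verifies with ca.crt,
                 so 'trust anchor ca.crt' is the fix
    'other-ca' - fails with both: the web cert was issued by a CA that
                 ca.crt does not cover, so that CA must be anchored instead
    """
    if verification_error(host, port) is None:
        return "system"
    if verification_error(host, port, cafile=rhevm_cafile) is None:
        return "anchor"
    return "other-ca"


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_VV
    spice_ca, ovirt = parse_vv(text)
    host, port = ovirt_api_host(ovirt)
    print("admin portal session:", ovirt.get("admin") == "1")
    print("SPICE CA present in .vv:", bool(spice_ca))
    if path:  # only touch the network when a real console.vv was given
        print(fetch_leaf_cert(host, port).splitlines()[0])
        print("verdict:", needs_trust_anchor(host, port))
```

Run it as `python3 vvcheck.py console.vv` from the directory holding the downloaded ca.crt; without an argument it only exercises the parser on the constructed sample. The 'other-ca' verdict is the case the comment calls out: anchoring the RHEV CA does nothing when Apache serves a certificate from a different CA, and the CA to anchor is whatever issued the leaf you just fetched.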