When communicating with engine we need to specify CA certificate we trust. Currently script is using insecure method. Also, if the server name is localhost we need to disable host name validation. An example of how to perform url get is available here[1], in any implementation you choose the CA must be checked. Configuration of script should add the following additional two parameters: ENGINE_CA=$PKIDIR/apache-ca.pem ENGINE_VERIFY_HOST=false if engine_host == 'localhost' else true [1] https://gerrit.ovirt.org/#/c/45270/12/src/ovirt_hosted_engine_setup/util.py
If you like you can also add: ENGINE_VERIFY_CERTIFICATE=true/false To enable/disable verification of certificate, default and settings should be true of course.
3.6.0 RC is out, please mark this as blocker for 3.6.0 GA or postpone to a later release
in 3.6 we only support deployment on engine host hence securing the connection is not critical. We do plan to support deployment on other host in the future
aligning target release to target milestone as per https://bugzilla.redhat.com/show_bug.cgi?id=1264479#c3
Target release should be placed once a package build is known to fix a issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for a oVirt release.
In oVirt testing is done on single release by default. Therefore I'm removing the 4.0 flag. If you think this bug must be tested in 4.0 as well, please re-add the flag. Please note we might not have testing resources to handle the 4.0 clone.
Hi Francesco, Can you provide the exact reproduction steps for the QA please?
From the user's perspective this fix should be transparent, so to verify we could check that the helper is using SSL ports, and that it loads the right certificate. I think this has to be checked using system tools (e.g. strace, netstat...) can't think of a simpler way.
oVirt 3.6.2 RC1 has been released for testing, moving to ON_QA