1286429 – If first host deployed in insecure mode, second host deployment failed

Bug 1286429 - If first host deployed in insecure mode, second host deployment failed

Summary: If first host deployed in insecure mode, second host deployment failed

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	ovirt-hosted-engine-setup
Classification:	oVirt
Component:	Plugins.PKI
Sub Component:
Version:	1.3.1.1
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	ovirt-3.6.1
Target Release:	1.3.1.1
Assignee:	Artyom
QA Contact:	Artyom
Docs Contact:
URL:
Whiteboard:	integration
Depends On:
Blocks:	1284979
TreeView+	depends on / blocked

Reported:	2015-11-29 11:48 UTC by Artyom
Modified:	2015-12-16 12:17 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2015-12-16 12:17:39 UTC
oVirt Team:	---
Embargoed:
Dependent Products:
Flags:	rule-engine: ovirt-3.6.z+ bmcclain: planning_ack+ sbonazzo: devel_ack+ mavital: testing_ack+

Attachments	(Terms of Use)
ovirt-hosted-engine-setup log (275.94 KB, text/plain) 2015-11-29 11:48 UTC, Artyom	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
oVirt gerrit	49360	0	master	MERGED	pki: set TEMPORARY_CERT_FILE to None if we deploy in insecure mode	Never
oVirt gerrit	49437	0	ovirt-hosted-engine-setup-1.3	MERGED	pki: set TEMPORARY_CERT_FILE to None if we deploy in insecure mode	Never

Description Artyom 2015-11-29 11:48:07 UTC

Created attachment 1100174 [details]
ovirt-hosted-engine-setup log

Description of problem:
If first host deployed in insecure mode, second host deployment failed with error
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/otopi/context.py", line 146, in _executeMethod
    method['method']()
  File "/usr/share/ovirt-hosted-engine-setup/scripts/../plugins/ovirt-hosted-engine-setup/engine/add_host.py", line 568, in _closeup
    self._getSSH()
  File "/usr/share/ovirt-hosted-engine-setup/scripts/../plugins/ovirt-hosted-engine-setup/engine/add_host.py", line 387, in _getSSH
    ohostedcons.EngineEnv.TEMPORARY_CERT_FILE
  File "/usr/lib/python2.7/site-packages/ovirt_hosted_engine_setup/pkissh.py", line 159, in getSSHkey
    ca_certs=ca_certs,
  File "/usr/lib/python2.7/site-packages/ovirt_hosted_engine_setup/ohttpshandler.py", line 69, in fetchUrl
    context.load_verify_locations(cafile=ca_certs)
SSLError: unknown error (_ssl.c:2988)

Version-Release number of selected component (if applicable):
ovirt-hosted-engine-setup-1.3.1-1.el7ev.noarch

How reproducible:
Always

Steps to Reproduce:
1. Start deploy first host, after engine-setup complete, change engine CA certificate according to http://www.ovirt.org/OVirt_Administration_Guide#.E2.81.A0Replacing_oVirt_SSL_Certificate
2. On answer "The REST API cert couldn't be trusted with the custom CA cert
Would you like to continue in insecure mode (not recommended)?
If not, please provide your CA cert at /etc/pki/CA/ovirtcustomcacert.pem before continuing (Yes, No)[No]" answer Yes
3. Finish deployment of first host
4. Deploy second host

Actual results:
Deployment failed with error above

Expected results:
Deployment succeed without any errors

Additional info:

Comment 1 Artyom 2015-12-06 09:57:28 UTC

Verified on ovirt-hosted-engine-setup-1.3.1.1-1.el7ev.noarch

Comment 2 Sandro Bonazzola 2015-12-16 12:17:39 UTC

According to verification status and target milestone this issue should be fixed in oVirt 3.6.1. Closing current release.

Note You need to log in before you can comment on or make changes to this bug.