Bug 1318776 - [RFE] tool to configure all services with a customer signed certificate
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: RFEs
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Scott Herold
QA Contact: Gil Klein
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-03-17 18:57 UTC by Paul Armstrong
Modified: 2016-03-29 21:21 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-29 21:21:02 UTC
oVirt Team: Infra
Target Upstream Version:



Description Paul Armstrong 2016-03-17 18:57:11 UTC
Description of problem: 

SSL certificate change procedures and tool interdependency on the SSL certificates cause extremely difficult-to-resolve errors when configuring RHEVM for a variety of capabilities including SSL auth, IPA integration, SSO, etc.
We need a **Foolproof** way of configuring and reconfiguring the entire environment so that these problems are eliminated. RHEVM should integrate with RHEL IdM seamlessly if it is to be considered an enterprise-class product. (Hopefully we can rely on IdM for full AD integration??)

Version-Release number of selected component (if applicable):
3.6


How reproducible: Always


Steps to Reproduce:
1. Deploy Hosted Engine on 3.5
2. Configure RHEVM for a Custom SSL certificate generated by IPA
3. Configure RHEVM for SSO with IPA and aaa
4. Try to upgrade to hosted engine 3.6

Actual results:
upgrades fail 
rhevm can't connect to upgraded hosts
if rhevm gets rebooted, it can't restart
unwind upgrades to hosts (rhevm vm stays at 3.6)
reboot all hosted engine servers
restart engine
run alternative upgrade using rhevm webui
vdsm upgraded, ovirt-ha-agent not upgraded
yum update - upgrades ovirt-ha-agents
host can now successfully connect to engine, however, no ha
ovirt-ha-broker starts successfully
ovirt-ha-agent fails to start

INFO:ovirt_hosted_engine_ha.agent.hosted_engine.HostedEngine:Failed set the storage domain: 'Failed to set storage domain VdsmBackend

try to redeploy the host:
hosted-engine --deploy
fails on certificate error
[ INFO  ] Updating hosted-engine configuration
[ INFO  ] Stage: Transaction commit
[ INFO  ] Stage: Closing up
[ INFO  ] Acquiring internal CA cert from the engine
[ INFO  ] The following CA certificate is going to be used, please immediately interrupt if not correct:
[ INFO  ] Issuer: C=US, O=parmstro.redhat.com, CN=rhevm.parmstro.redhat.com.60258, Subject: C=US, O=parmstro.redhat.com, CN=rhevm.parmstro.redhat.com.60258, Fingerprint (SHA-1): DCC6DAA7A2CE1449EEB23854A3BCD53A7B9D0DAF
[ INFO  ] Connecting to the Engine
[ ERROR ] Failed to execute stage 'Closing up': [ERROR]::RHEV API connection failure, (60, "Peer's Certificate issuer is not recognized.")
[ INFO  ] Stage: Clean up
[ INFO  ] Generating answer file '/var/lib/ovirt-hosted-engine-setup/answers/answers-20160317180831.conf'
[ INFO  ] Stage: Pre-termination
[ INFO  ] Stage: Termination
[ ERROR ] Hosted Engine deployment failed: this system is not reliable, please check the issue, fix and redeploy
          Log file is located at /var/log/ovirt-hosted-engine-setup/ovirt-hosted-engine-setup-20160317180705-gozg0i.log


Expected results:

Upgrades succeed with custom certificate. 


Additional info:

The original premise for making apache-ca.pem and ca.pem the same simplifies things and can potentially decouple the SSL cert requirement from the engine-host enrollment; however, it seems that system utilities are not using the same certificate consistently.
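The "Peer's Certificate issuer is not recognized" failure in the deploy log above is the symptom of exactly the inconsistency the reporter describes: the host trusts the engine's internal CA, but the certificate Apache presents was issued by a different CA. The following script is an added example, not code from the bug report or from the oVirt/RHEV project. It reproduces the condition offline with the openssl command line: two constructed CAs (hypothetical names `engine-internal-ca` and `ipa-ca`) stand in for the engine's internal CA and the IPA CA that signed the custom certificate, a leaf certificate for a hypothetical `rhevm.example.test` is issued by the second, and `check_issuer` reports whether the leaf chains to a given CA file. The same `check_issuer` call, pointed at the CA file a host actually trusts and the certificate the engine serves, is the check to run before an upgrade rather than after it has failed.

```shell
#!/bin/sh
# Added example (not part of the bug report or the oVirt project): show how a
# certificate issued by one CA fails verification against a trust store that
# holds a different CA, the condition behind curl error 60 in the deploy log.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA key and certificate in $WORK.
# Hypothetical CA names are used; real engines use /etc/pki/ovirt-engine/ca.pem.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/O=example.test/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_server_cert CA CN: issue a leaf certificate for CN signed by CA.
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=US/O=example.test/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# check_issuer CAFILE CERT: print "recognized" when CERT chains to a CA in
# CAFILE, "not recognized" otherwise. Pass the CA file a host trusts and the
# certificate the engine's Apache front end serves to test a real deployment.
check_issuer() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo recognized
    else
        echo "not recognized"
    fi
}

make_ca engine-internal-ca
make_ca ipa-ca
# Constructed scenario: the custom (IPA-issued) certificate replaced Apache's.
issue_server_cert ipa-ca rhevm.example.test

# Host trust store still holds only the internal CA: verification fails.
check_issuer "$WORK/engine-internal-ca.pem" "$WORK/rhevm.example.test.pem"
# Host trust store holds the CA that actually signed Apache's certificate.
check_issuer "$WORK/ipa-ca.pem" "$WORK/rhevm.example.test.pem"
```

The first `check_issuer` call prints `not recognized` and the second `recognized`; a mixed result across the engine's CA files is the signal that apache-ca.pem and ca.pem have drifted apart.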

