Bug 1334702 - [z-stream clone - 3.6.6] hosted-engine-setup trusts also the system defined CA certs while the oVirt python SDK ignores them
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-hosted-engine-setup
Version: 3.6.3
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ovirt-3.6.6
Target Release: 3.6.6
Assignee: Simone Tiraboschi
QA Contact: Artyom
URL:
Whiteboard:
Depends On: 1321381
Blocks: 1330523
Reported: 2016-05-10 11:32 UTC by rhev-integ
Modified: 2019-10-10 12:07 UTC
CC List: 10 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1321381
Environment:
Last Closed: 2016-05-27 14:43:47 UTC
oVirt Team: Integration
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) | 2262081 | 0 | None | None | None | 2016-05-10 11:32:52 UTC
oVirt gerrit | 56051 | 0 | master | MERGED | pki: avoid trusting system defined CA certs | 2016-05-10 11:32:52 UTC
oVirt gerrit | 56853 | 0 | ovirt-hosted-engine-setup-1.3 | MERGED | pki: avoid trusting system defined CA certs | 2016-05-10 11:32:52 UTC

Comment 1 Artyom 2016-05-16 10:42:25 UTC
Verified on ovirt-hosted-engine-setup-1.3.6.1-1.el7ev.noarch

1) Deploy hosted-engine on the first host
2) Change apache certificate on engine VM according to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https (do not explain about SELINUX labels)
3) Add custom CA that signed new apache certificate to second host
   * cp my-custom-ca.pem /etc/pki/ca-trust/source/anchors/
   * update-ca-trust
4) Deploy the second host
...
[ INFO  ] The following CA certificate is going to be used, please immediately interrupt if not correct:
[ INFO  ] Issuer: C=US, O=qa.lab.tlv.redhat.com, CN=alukiano-he-1.qa.lab.tlv.redhat.com.86247, Subject: C=US, O=qa.lab.tlv.redhat.com, CN=alukiano-he-1.qa.lab.tlv.redhat.com.86247, Fingerprint (SHA-1): 85DC095268B216C14BBA5F960D8AB09F4E7BF336
          The REST API cert couldn't be trusted with the internal CA cert
          Would you like to continue in insecure mode (not recommended)?
          If not, please provide your CA cert at /etc/pki/CA/ovirtcustomcacert.pem before continuing
          (Yes, No)[No]? Yes
[ INFO  ] Connecting to the Engine
[ INFO  ] Waiting for the host to become operational in the engine. This may take several minutes...
[ INFO  ] The VDSM Host is now operational
...
Deploy succeeded without any problems.