Description of problem:
oVirt 4.0's authentication framework makes connections to itself over https. This adds a new requirement on the https setup on the engine: the web certificate must be verified as trusted, so engine-setup should validate that the http service's SSL configuration works. This might be difficult to do by looking into the server configuration (there are at least three TLS modules for apache/httpd, there are other HTTP servers around, and the HTTP server might run on a different machine), but if we assume that:

1) SSL is configured on the web server
2) the http server is running before engine-setup runs
3) engine-setup is given the FQDN early in the process
4) java and python have trusted the same certificates for 3 years already [1]

then engine-setup can verify certificate presence in a black-box way: just do an HTTP GET on https://fqdn/ [2]. When this HTTP GET passes, engine-setup knows that the engine will trust the connection to itself, so SSO will work; if not, the admin can be warned of problems in advance.

[1] https://fedoraproject.org/wiki/Features/SharedSystemCertificates
[2] on RHEL 7: verification must be turned on explicitly

Version-Release number of selected component (if applicable):
rhev 4.0.0-0.6

How reproducible:
always

Steps to Reproduce:
1. configure mod_ssl to use a certificate issued by a CA unknown to the system
2. run engine-setup with Apache SSL set to Manual
3. log in as admin@internal

Actual results:
(both in engine.log and in the web UI after the login form)
server_error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Expected results:
engine-setup will warn the admin about incorrect SSO configuration (or an unreachable web server) during step 2

Additional info:
can't be tested until bug 1336838 gets fixed

--------------------------------------------

Server name validation in 2.7 can be turned on e.g. this way:

    import urllib2, ssl

    ctx = ssl.create_default_context()   # system CA bundle, chain + hostname verification
    url = ''.join(['https://', fqdn, '/'])   # fqdn: the engine FQDN given to engine-setup
    try:
        urllib2.urlopen(url, context=ctx)
    except (ssl.CertificateError, urllib2.URLError):
        # tuple is required: "except A, B:" would bind B as the exception name in Python 2
        # web server not running or with wrong certificate
        ...
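The black-box check described above, written as an added Python 3 example (not oVirt or engine-setup code): ssl.create_default_context() verifies the chain and hostname by default here, so the RHEL 7 "turn it on explicitly" caveat does not apply. The outcome labels, the injectable urlopen parameter and the FQDN used in the usage line are assumptions of the example.

```python
import ssl
import sys
import urllib.request
from urllib.error import HTTPError, URLError

# Outcome labels returned by probe_https_trust() (names chosen for this example)
TRUSTED = "trusted"                # handshake passed: engine will trust itself, SSO can work
UNTRUSTED_CERT = "untrusted-cert"  # chain not buildable from system CAs, or hostname mismatch
TLS_ERROR = "tls-error"            # handshake failed for another reason (protocol/cipher)
UNREACHABLE = "unreachable"        # nothing listening on the FQDN, or connection refused/timed out


def probe_https_trust(fqdn, urlopen=urllib.request.urlopen, timeout=10):
    """One HTTPS GET on https://<fqdn>/ using the shared system trust store.

    ssl.create_default_context() loads the system CA bundle and enables chain
    and hostname verification, so a certificate rejected here is one the JVM,
    reading the same bundle, would reject as well.  `urlopen` is injectable
    only so the classification can be exercised without a live web server.
    """
    ctx = ssl.create_default_context()
    url = "https://{}/".format(fqdn)
    try:
        resp = urlopen(url, context=ctx, timeout=timeout)
        resp.close()
        return TRUSTED
    except HTTPError:
        # A 403/404/5xx response still proves the TLS handshake succeeded.
        return TRUSTED
    except ssl.CertificateError:
        # Pythons before 3.7 raise the hostname-mismatch error unwrapped.
        return UNTRUSTED_CERT
    except URLError as err:
        # urlopen wraps socket and TLS failures; the original error is in .reason
        reason = err.reason
        if isinstance(reason, ssl.SSLCertVerificationError):
            return UNTRUSTED_CERT
        if isinstance(reason, ssl.SSLError):
            return TLS_ERROR
        return UNREACHABLE


if __name__ == "__main__":
    # Usage: python3 probe.py engine.example.test   (placeholder FQDN)
    outcome = probe_https_trust(sys.argv[1])
    print("{}: {}".format(sys.argv[1], outcome))
    sys.exit(0 if outcome == TRUSTED else 1)
```

A non-zero exit is the point at which engine-setup would warn the admin; only TRUSTED means the engine's own SSO round trip will pass PKIX validation.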
Manual steps to configure custom HTTPS certificate are described in BZ1336838, I think that this one should be changed to RFE for 4.1
This request has been proposed for two releases. This is invalid flag usage. The ovirt-future release flag has been cleared. If you wish to change the release flag, you must clear one release flag and then set the other release flag to ?.
Ansible looks like a good solution to me here.
Testing has indicated this request is declined. You may appeal this decision by reopening this request.
Moving to 4.3.2, not being identified as a blocker for 4.3.1.
We didn't get to this bug for more than 2 years, and it's not being considered for the upcoming 4.4. It's unlikely that it will ever be addressed so I'm suggesting to close it. If you feel this needs to be addressed and want to work on it please remove cond nack and target accordingly.
Closing old bug. Please reopen if still relevant/you want to work on it.