Description of problem: The URL "http://engine-fqdn/ca.crt" to get the engine's ca cert is deprecated and removed in 4.0 in favor of: http://engine-fqdn/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA Please search all docs and replace everywhere. Currently noticed this in: https://access.redhat.com/documentation/en/red-hat-virtualization/4.0-beta/rhevm-shell-guide/12-tls-ssl-certification See also e.g.: https://bugzilla.redhat.com/show_bug.cgi?id=1340130 http://www.ovirt.org/develop/release-management/features/infra/pki/#services
*** Bug 1362617 has been marked as a duplicate of this bug. ***
Don't we break backwards compatibility this way? Don't we expect older clients to continue try and successfully retrieve the certificate from the old location?
(In reply to Yaniv Kaul from comment #4) > Don't we break backwards compatibility this way? Don't we expect older > clients to continue try and successfully retrieve the certificate from the > old location? Example - https://github.com/GNOME/libgovirt/blob/f70802a769baa8113f26ba9287e453b9209d56f5/govirt/ovirt-proxy.c#L55
(In reply to Yaniv Kaul from comment #5) > (In reply to Yaniv Kaul from comment #4) > > Don't we break backwards compatibility this way? Don't we expect older > > clients to continue try and successfully retrieve the certificate from the > > old location? That's a good question, but too late... > > Example - > https://github.com/GNOME/libgovirt/blob/ > f70802a769baa8113f26ba9287e453b9209d56f5/govirt/ovirt-proxy.c#L55 It's already affected - 4.0 was released several months ago. Another question to ask is if we tried hard enough to inform users/3rd-parties about this. No idea about this. The ones that already contacted us and fixed their clients did this, AFAIK, only when they saw they are broken, when trying 4.0 or a beta.
Documentation Link: https://access.redhat.com/documentation/en/red-hat-virtualization/4.0/paged/rhevm-shell-guide/12-tls-ssl-certification