1358160 – Dashboard show zeros. reports-interface-proxy doesn't trust externally-issued web certificate in spite of issuer being in system (and java) trust store

Bug 1358160 - Dashboard show zeros. reports-interface-proxy doesn't trust externally-issued web certificate in spite of issuer being in system (and java) trust store

Summary: Dashboard show zeros. reports-interface-proxy doesn't trust externally-issued...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	ovirt-engine
Classification:	oVirt
Component:	Backend.Core
Sub Component:
Version:	4.0.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	ovirt-4.0.2
Target Release:	4.0.2.1
Assignee:	Alexander Wels
QA Contact:	meital avital
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-07-20 08:14 UTC by Konstantin
Modified:	2016-10-27 09:41 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-08-18 06:27:59 UTC
oVirt Team:	UX
Embargoed:
Dependent Products:
Flags:	rule-engine: ovirt-4.0.z+ rule-engine: exception+ rule-engine: planning_ack+ rule-engine: devel_ack+ lsvaty: testing_ack+

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
oVirt gerrit	61160	'None'	MERGED	userportal: webadmin: Use correct trust store for HTTPS connections	2020-03-17 20:52:39 UTC
oVirt gerrit	61190	'None'	MERGED	userportal: webadmin: Use correct trust store for HTTPS connections	2020-03-17 20:52:39 UTC
oVirt gerrit	61192	'None'	MERGED	userportal: webadmin: Use correct trust store for HTTPS connections	2020-03-17 20:52:39 UTC

Description Konstantin 2016-07-20 08:14:52 UTC

Description of problem:
reports-interface-proxy doesn't trust externally-issued web certificate in spite of issuer being in system (and java) trust store
Dashboard show only historical data

Version-Release number of selected component (if applicable):
4.0.1

How reproducible:
always

Steps to Reproduce:
1. get certificate for mod_ssl from external CA
2. add the external CA that signed the mod_ssl certificate to the trust store (trust add /path/to/CA.crt or cp /path/to/CA.crt /etc/pki/ca-trust/source/anchors/ && update-ca-trust)
3. make recomeded steps from https://bugzilla.redhat.com/show_bug.cgi?id=1336838
4. Login to Administration portal

Actual results:
Dashboard show 0 in usage params
Log file contains:
2016-07-20 09:03:26,834 ERROR [io.undertow.request] (default task-25) UT005023: Exception handling request to /ovirt-engine/services/reports-interface-proxy: javax.servlet.ServletException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at org.ovirt.engine.core.uutils.servlet.ProxyServletBase.doGet(ProxyServletBase.java:163) [uutils.jar:]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:687) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
....


Expected results:
Dashboard show correct data

Additional info:

Comment 1 Martin Perina 2016-07-21 09:17:53 UTC

Hi Konstantin,
we have a fix for the certificate issue, but the root cause of this issue is different: we have removed reports from 4.0, so during upgrade from 3.6 to 4.0 all reports related configuration should be removed. It's obvious we have a bug here, so could you please try to execute following commands which should reveal us leftovers from reports configuration?

  cd /etc/ovirt-engine/engine.conf.d
  grep ENGINE_REPORTS_BASE_URL . -r

Thanks.

Comment 2 Konstantin 2016-07-21 11:44:54 UTC

Hi, 
this is result:

./10-setup-reports-access.conf:ENGINE_REPORTS_BASE_URL=https://ovirt-dwh.DOMAIN:443/ovirt-engine-reports
./10-setup-reports-access.conf:ENGINE_REPORTS_DASHBOARD_URL=${ENGINE_REPORTS_BASE_URL}/flow.html?_flowId=viewReportFlow&viewAsDashboardFrame=true
./10-setup-reports-access.conf:ENGINE_REPORTS_RIGHTCLICK_URL=${ENGINE_REPORTS_BASE_URL}/flow.html?_flowId=viewReportFlow
./10-setup-reports-access.conf:ENGINE_REPORTS_PROXY_URL=${ENGINE_REPORTS_BASE_URL}/ovirt/reports-interface

I must remove this settings?

Comment 3 Martin Perina 2016-07-21 12:00:43 UTC

Could you please try to remove 10-setup-reports-access.conf (please do a backup of the file just to be sure) and restart ovirt-engine service? It should fix your issue ...

Comment 4 Konstantin 2016-07-21 12:29:55 UTC

Something changed. 
No error in log file, but dashboard show incorrect data.
Usage of CPU, Memory and Storage 0.

Screenshot https://postimg.org/image/ukcf1lj0x/

Comment 5 Alexander Wels 2016-07-21 12:32:07 UTC

Is the DWH service still running, that looks like there is no data in the database for the last few hours.

Comment 6 Konstantin 2016-07-21 13:08:07 UTC

It's running on separate host.
It was problem with time. 
After adjusting system time problem is gone.
Thank you for help!

Comment 7 Martin Perina 2016-07-21 13:23:28 UTC

Have you removed 10-setup-reports-access.conf? Or have it started to work just after time sync?

Comment 8 Konstantin 2016-07-21 13:54:14 UTC

Yes i removed 10-setup-reports-access.conf, after that errors like "UT005023: Exception handling request to /ovirt-engine/services/reports-interface-proxy" no longer appear.
And then I sync time on DWH server to get correct current statistics.

Comment 9 Pavel Stehlik 2016-08-18 06:27:59 UTC

Closing due to resources, if still happens please reopen.

Note You need to log in before you can comment on or make changes to this bug.