Description of problem:
Opening a console via ovirt-shell does not work; broken CA handling.

From the .vv file caught via ovirt-shell:
~~~
...
ca=<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p>The requested URL /ca.crt was not found on this server.</p>\n</body></html>\n
...
~~~

~~~
# lynx -dump "http://10-34-60-214.example.com/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA"
-----BEGIN CERTIFICATE-----
MIIEMjCCAxqgAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwbDELMAkGA1UEBhMCVVMxJDAiBgNVBAoT
G3JoZXYubGFiLmVuZy5icnEucmVkaGF0LmNvbTE3MDUGA1UEAxMuMTAtMzQtNjAtMjE0LnJoZXYu
bGFiLmVuZy5icnEucmVkaGF0LmNvbS4xNTUzODAeFw0xNjA3MzEwNjQ2NThaFw0yNjA3MzAwNjQ2
NThaMGwxCzAJBgNVBAYTAlVTMSQwIgYDVQQKExtyaGV2LmxhYi5lbmcuYnJxLnJlZGhhdC5jb20x
NzA1BgNVBAMTLjEwLTM0LTYwLTIxNC5yaGV2LmxhYi5lbmcuYnJxLnJlZGhhdC5jb20uMTU1Mzgw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsD7tYbQdr4JcERup7WgvnBk6ZXTKRLL7U
TBslOxC5KW9MoLuO4EimR//rOBveJKpvYXD6sdDFXNvEKSEbsuvAZSpC+ArJAffWDvATG+YrMTUH
fDXubJVDPHiChyQOhGniCIkbbABl+1ySnm4/rkjjzXhQ45mQS2EpE8+ld2sAQe0DiztOplGuvCuc
8O25zWXlAe/NU/+VI4mnSDFDeD5XBIUE69GKZGQl+npQiI6ZjDGas1IKGKEgR/RJ1b2dnKF4hksI
SUnSacRmQmylM1QuSSq9dT1u1CBVFioUvt0GfmXvxJOw1LYMprcCmyXGpotvf75gRwmUvn4PM1Mj
e82PAgMBAAGjgd0wgdowHQYDVR0OBBYEFKZ7726Mhz/1heKbW/0xtcgvJPJWMIGXBgNVHSMEgY8w
gYyAFKZ7726Mhz/1heKbW/0xtcgvJPJWoXCkbjBsMQswCQYDVQQGEwJVUzEkMCIGA1UEChMbcmhl
di5sYWIuZW5nLmJycS5yZWRoYXQuY29tMTcwNQYDVQQDEy4xMC0zNC02MC0yMTQucmhldi5sYWIu
ZW5nLmJycS5yZWRoYXQuY29tLjE1NTM4ggIQADAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
AwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAnnvB9U9tAAK3CMiZjZgCYaAggOVFdIUVSBhWDb/Mx02L
wz8Nvv1dBcFmTujDMEhhLJ26mPoluPPw26ZzN/H1hrde7VabhUL+JsqKwEE9gAwbqLKbWNsdT65T
2vC70j7OIlIw1urRMDDZtjKLTUond+mvc3dHY+A/uuCASQORfRCOK4+R2IObpGRWvibCfWp7s/e4
zjsulApXBbgT+hYOAlkIYo1MprbrD67OXbfvpMj7Gw+jliufcgxikscSMT8dueptvOWLqWCtPLCP
vxQop5EQP7bb9/XJ6i0GxaQU6pmNJsQfQSgJYo87d2IBA4ld2dk5A+CEsuQz4y4OuwjLZw==
-----END CERTIFICATE-----

# lynx -dump "http://10-34-60-214.example.com/ca.crt"
Not Found
The requested URL /ca.crt was not found on this server.
~~~

Version-Release number of selected component (if applicable):
ovirt-engine-cli-3.6.8.1-1.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. ovirt-shell
2. console $vmname
3.

Actual results:
Does not work; broken CA cert handling.

Expected results:
Must work.

Additional info:
Ondra - can you take a look?
The problem is inside the "download_ca_certificate" function in the "spice.py" file of the CLI. It expects "ca.crt" to be available in the root of the web server, but that has been removed from version 4 of the engine, without notice.

I think we need to change the "download_ca_certificate" function so that it first tries to download it from "http://.../ovirt-engine/ca.crt". If that fails, for whatever reason (an older engine, for example), then it should try to download it from "http://.../ovirt/engine/ca.crt".

Note also that all the certificates that we create contain an "authorityInfoAccess" extension with the following value (see the engine "pki.py" source file):

caIssuers;URI:http://.../ca.crt

So one could argue that we should preserve the "ca.crt" available in that location, or else fix the process that generates the certificates, and maybe all the certificates themselves.
Jiri, can you confirm that this happened when connecting to version 4 of the engine?

There are two workarounds for this issue:

1. On the server side, in the engine machine, copy the /etc/pki/ovirt-engine/ca.pem file to /var/www/html/ca.crt:

   # openssl x509 -in /etc/pki/ovirt-engine/ca.pem -out /var/www/html/ca.crt

   This will work for all clients connecting to that server.

2. Copy the server's /etc/pki/ovirt-engine/ca.pem file to the ~/.spicec/spice_truststore.pem file:

   $ mkdir -p ~/.spicec
   $ scp root.com:/etc/pki/ovirt-engine/ca.pem .
   $ openssl x509 -in /etc/pki/ovirt-engine/ca.pem -out ~/.spicec/spice_truststore.pem

   This works only for that server/client combination.

Note the use of the "openssl x509" command instead of just "cp"; that is necessary to strip the certificate text that may confuse the spice client.

As there is a workaround I'm lowering the severity.
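The two comments above describe the fix (try the version 4 location first, then fall back to the legacy one) and the reason the workaround pipes ca.pem through "openssl x509" (strip everything that is not the PEM block). The following is an added Python example of that logic, not the CLI's own spice.py code; it also rejects the case that triggered this bug, where a 404 HTML page was written into the .vv file as the CA. The base URL, the fake fetcher and the candidate path list are assumptions for the example; the pki-resource path is the one shown working in the report.

```python
"""Fallback CA download with a PEM check. Added example, not spice.py."""
import re
import urllib.error
import urllib.request

# Candidate locations, in the order proposed in the bug: the engine 4
# location first, then the root "ca.crt" that the authorityInfoAccess
# extension still points at, then the pki-resource service URL that the
# report shows returning the CA. (Assumed list for this example.)
DEFAULT_CA_PATHS = (
    "/ovirt-engine/ca.crt",
    "/ca.crt",
    "/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA",
)

# One PEM certificate block: armour lines plus base64 body.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?:[A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----",
    re.DOTALL,
)


def extract_pem_certificates(text):
    """Keep only the PEM certificate blocks in text.

    This is what "openssl x509 -in ca.pem -out ca.crt" does in the
    workaround: the human-readable dump that may precede the block is
    dropped, and an HTML error page yields an empty string.
    """
    blocks = _PEM_RE.findall(text)
    if not blocks:
        return ""
    return "\n".join(b.strip() for b in blocks) + "\n"


def http_fetch(url, timeout=10):
    """Fetch url and return (status, body). A 404 comes back as
    (404, html) instead of raising, so the caller can try the next path."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def download_ca_certificate(base_url, paths=DEFAULT_CA_PATHS, fetch=http_fetch):
    """Try each candidate path in turn and return (url, pem) for the first
    one that answers 200 with at least one PEM certificate in the body.

    A 200 whose body carries no certificate (an error page served with the
    wrong status, for instance) is treated as a miss, not as a CA.
    """
    tried = []
    for path in paths:
        url = base_url.rstrip("/") + path
        status, body = fetch(url)
        if status != 200:
            tried.append((url, "HTTP %d" % status))
            continue
        pem = extract_pem_certificates(body)
        if pem:
            return url, pem
        tried.append((url, "200 but no PEM certificate in body"))
    raise RuntimeError("no CA certificate found; tried: %r" % tried)


if __name__ == "__main__":
    # Assumed engine address; replace with the real one.
    found_url, found_pem = download_ca_certificate("http://engine.example.com")
    print("CA fetched from", found_url)
    print(found_pem)
```

The check only guards against storing a non-certificate as the trust anchor. The URLs in this report are plain http, so whatever comes back is unauthenticated; a client that fetches its CA this way should still compare the fingerprint with one obtained out of band before trusting it.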
(In reply to Juan Hernández from comment #4)
> Jiri, can you confirm that this happened when connecting to version 4 of the
> engine?
>
> There are two workarounds for this issue:
>
> 1. In the server side, in the engine machine, copy the
> /etc/pki/ovirt-engine/ca.pem file to /var/www/html/ca.crt:
>
> # openssl x509 -in /etc/pki/ovirt-engine/ca.pem -out /var/www/html/ca.crt
>
> This will work for all clients connecting to that server.
>
> 2. Copy the server /etc/pki/ovirt-engine/ca.pem file to the
> ~/.spicec/spice_truststore.pem file:
>
> $ mkdir -p ~/.spicec
> $ scp root.com:/etc/pki/ovirt-engine/ca.pem .
> $ openssl x509 -in /etc/pki/ovirt-engine/ca.pem -out
> ~/.spicec/spice_truststore.pem
>
> This works only for that server/client combination.
>
> Note that use of the "openssl x509" command instead of just "cp", that is
> necessary to strip the certificate text that may confuse the spice client.
>
> As there is a workaround I'm lowering the severity.

Yes, it was:
ovirt-engine-cli-3.6.8.1-1.el7ev.noarch
ovirt-engine-4.0.2.7-0.1.el7ev.noarch

and the workarounds work fine.
ok, ovirt master - ovirt-engine-cli-3.6.9.2-1.el7.centos.noarch