Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1365840

Summary: Wrong CA URI in certs
Product: [oVirt] ovirt-engine
Reporter: Fabrice Bacchella <fabrice.bacchella>
Component: PKI
Assignee: Yedidyah Bar David <didi>
Status: CLOSED DUPLICATE
QA Contact: Jiri Belka <jbelka>
Severity: medium
Priority: medium
Version: 4.0.1.1
CC: bugs, didi, lsvaty, mperina, sbonazzo, ylavi
Target Milestone: ovirt-4.2.0
Flags: ylavi: ovirt-4.2+
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-02-14 13:02:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: Integration
Cloudforms Team: ---

Description Fabrice Bacchella 2016-08-10 10:24:06 UTC
In /etc/pki/ovirt-engine/certs/apache.cer, the dump contains the following line:

            Authority Information Access: 
                CA Issuers - URI:http://ovirt.prod.exalead.com:80/ca.crt

A CA should always be issued behind a secure URI, using https.

Comment 1 Martin Perina 2016-08-10 11:40:55 UTC
We should also stop using "/ca.crt" (no longer available in 4.0) and use "/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA" instead

Comment 2 Yedidyah Bar David 2016-08-10 11:55:09 UTC
(In reply to Fabrice Bacchella from comment #0)
> in /etc/pki/ovirt-engine/certs/apache.cer, the dump contains the following
> line :
> 
>             Authority Information Access: 
>                 CA Issuers - URI:http://ovirt.prod.exalead.com:80/ca.crt
> 
> A CA should always be issued behind a secure URI, using https.

No. This CA is self-signed, so you win nothing by getting it over https, where the https connection is using a cert signed by this CA.

If you want to be safe, you should copy the ca cert to your clients using safe means.

(In reply to Martin Perina from comment #1)
> We should also stop using "/ca.crt" (no longer available in 4.0) and use
> "/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-
> CA" instead

We stopped doing this a very long time ago, see bug 961677. But we do not touch this on upgrade.

Comment 3 Martin Perina 2016-08-10 12:00:15 UTC
(In reply to Yedidyah Bar David from comment #2)
> (In reply to Martin Perina from comment #1)
> > We should also stop using "/ca.crt" (no longer available in 4.0) and use
> > "/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-
> > CA" instead
> 
> We stopped doing this a very long time ago, see bug 961677. But we do not
> touch this on upgrade.

I still see the ca.crt used in packaging/setup/plugins/ovirt-engine-rename/ovirt-engine/pki.py on master ...
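Because an upgrade leaves the AIA entry of an existing certificate untouched (comment 2), an administrator may want to audit the engine's certificate dump for the stale path. The following is added example code, not part of this bug or of oVirt: it parses the text produced by `openssl x509 -text` (a constructed sample is embedded) and reports whether each CA Issuers URI still uses the legacy /ca.crt path or the pki-resource path from comment 1; the host and Subject Key Identifier in the sample are placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of the extension block as printed by
# `openssl x509 -in /etc/pki/ovirt-engine/certs/apache.cer -noout -text`
SAMPLE_DUMP = """\
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://ovirt.prod.exalead.com:80/ca.crt

            X509v3 Subject Key Identifier:
                AA:BB:CC
"""

LEGACY_CA_PATH = "/ca.crt"  # no longer served since oVirt 4.0 (comment 1)
CURRENT_CA_PATH = ("/ovirt-engine/services/pki-resource"
                   "?resource=ca-certificate&format=X509-PEM-CA")


def aia_ca_issuer_uris(dump):
    """Return the 'CA Issuers' URIs listed in the AIA block of an openssl text dump."""
    uris = []
    in_aia = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line == "Authority Information Access:":
            in_aia = True
            continue
        if not in_aia or not line:
            continue
        m = re.match(r"CA Issuers - URI:(\S+)", line)
        if m:
            uris.append(m.group(1))
        elif not line.startswith("OCSP - URI:"):
            in_aia = False  # first line of the next extension ends the block
    return uris


def check_ca_issuer_uri(uri):
    """Classify one URI: its scheme and whether the path is the stale or the current one."""
    parts = urlsplit(uri)
    path = parts.path + ("?" + parts.query if parts.query else "")
    return {
        "uri": uri,
        "scheme": parts.scheme,
        "legacy_path": path == LEGACY_CA_PATH,
        "current_path": path == CURRENT_CA_PATH,
    }


def audit(dump):
    """Run the check over every CA Issuers URI found in the dump."""
    return [check_ca_issuer_uri(u) for u in aia_ca_issuer_uris(dump)]
```

Pipe real output of `openssl x509 -noout -text` into `audit()` to check a deployed certificate; a `legacy_path` hit means the certificate predates the path change and was carried over by upgrade.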

Comment 4 Yaniv Lavi 2017-02-06 10:38:11 UTC
What is the status? Any fix needed here?

Comment 5 Yedidyah Bar David 2017-02-14 13:02:09 UTC
(In reply to Yaniv Dary from comment #4)
> What is the status? any fix needed here?

I think the only issue is in comment 3, and we already have a bug for that. Closing as duplicate.

*** This bug has been marked as a duplicate of bug 1291789 ***