Bug 1370904 - Engine's rename tool does not re-enroll PKI for engine services
Summary: Engine's rename tool does not re-enroll PKI for engine services
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Setup.Core
Version: future
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lev Veyde
QA Contact: Jiri Belka
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-08-28 08:09 UTC by Amit Aviram
Modified: 2022-02-25 08:25 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2018-06-25 07:29:29 UTC
oVirt Team: Integration
Embargoed:


Attachments: none


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1291789 | 0 | medium | CLOSED | ovirt-engine-rename tool uses hard-coded ca.crt | 2021-02-22 00:41:40 UTC
Red Hat Bugzilla | 1365840 | 0 | medium | CLOSED | Wrong CA URI in certs | 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker | RHV-44908 | 0 | None | None | None | 2022-02-25 08:25:47 UTC

Internal Links: 1291789 1365840

Description Amit Aviram 2016-08-28 08:09:01 UTC
Description of problem:
When having a setup of the engine, using the "engine-rename" tool does not re-enroll the PKI for the engine's services (e.g. ovirt-imageio-proxy).

Renaming is necessary as the domain name is changing, while the certs are still signed by the old domain name. This causes the services' clients to not trust it anymore, as the domain name is compared with the certs given.

Version-Release number of selected component (if applicable):
4.0.2

How reproducible:
100%

Steps to Reproduce:
1. Have an ovirt-engine setup.
2. Rename the engine's FQDN, using the engine-rename tool.
3. Observe the "issuer" record in one of the services' certs, at /etc/pki/ovirt-engine/certs (e.g. /etc/pki/ovirt-engine/certs/websocket-proxy.cer).

Expected results:
The issuer should be the new engine's FQDN.

Comment 1 Yaniv Lavi 2018-06-25 07:29:29 UTC
Closing old bugs.
Please reopen if still relevant.
Patches are welcomed.

Comment 2 Yedidyah Bar David 2018-06-25 07:42:14 UTC
(In reply to Amit Aviram from comment #0)
> Description of problem:
> When having a setup of the engine, using the "engine-rename" tool does not
> re-enroll the PKI for engine's services (e.g. ovirt-imageio-proxy). 

For imageio, we have bug 1575979.

> 
> Renaming is necessary as the domain name is changing, while the certs still
> signed by the old domain name. This causes the services' clients to not
> trust it anymore as the domain name is compared with the certs given.
> 
> Version-Release number of selected component (if applicable):
> 4.0.2
> 
> How reproducible:
> 100%
> 
> Steps to Reproduce:
> 1. Have an ovirt-engine setup.
> 2. Rename the engine's FQDN, using engine-rename tool
> 3. Observe the "issuer" record in one of the services' certs, at
> /etc/pki/ovirt-engine/certs, (e.g.
> /etc/pki/ovirt-engine/certs/websocket-proxy.cer )

Not exactly. The issuer is FQDN.RANDOM, not FQDN.

A client that tries to resolve it will fail, with or without rename.

So if that's your only problem, it's not related to rename.

If your problem is that you want to fully get rid of any mention of the old FQDN, for whatever reason (say, legal reasons), then rename won't help you.

It was decided at rename's design time, ~ 4-5 years ago, to not recreate the CA cert.

Not changing the summary, because not sure what to write there, but it's still WONTFIX.

For problems with specific services, or any conf/data that should be handled by rename, please open new bugs.

> 
> Expected results:
> The issuer should be the new engine's FQDN
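The check behind step 3 of the report and the point made in comment 2 (the CA's CN is FQDN.RANDOM, the service cert's CN is the FQDN) can be scripted so that every cert under the engine's certs directory is compared against the FQDN the engine should now have. This is an added example, not code from the bug or from ovirt-engine; it builds a throwaway CA and service cert with openssl in a temporary directory to mimic that layout, and the FQDNs, directory and file names are constructed.

```shell
#!/bin/sh
# Added example (not oVirt code): find service certs whose subject CN or issuer CN
# still refer to an FQDN other than the one the engine is expected to have.
set -eu

# cn_of FILE FIELD   -> the CN of the cert's subject or issuer (FIELD: -subject | -issuer)
cn_of() {
    openssl x509 -in "$1" -noout "$2" -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_certs DIR EXPECTED_FQDN
# Prints one line per *.cer file. Returns 1 if any subject CN differs from
# EXPECTED_FQDN or any issuer CN does not have the form EXPECTED_FQDN.RANDOM.
check_certs() {
    dir=$1; fqdn=$2; rc=0
    for cert in "$dir"/*.cer; do
        [ -f "$cert" ] || continue
        subj=$(cn_of "$cert" -subject)
        iss=$(cn_of "$cert" -issuer)
        status=ok
        [ "$subj" = "$fqdn" ] || status="stale-subject"
        case "$iss" in "$fqdn".*) ;; *) status="$status,stale-issuer" ;; esac
        [ "$status" = ok ] || rc=1
        printf '%s subject=%s issuer=%s %s\n' "$(basename "$cert")" "$subj" "$iss" "$status"
    done
    return $rc
}

# make_fixtures DIR CA_CN SERVICE_CN
# Constructed test data: a self-signed CA named CA_CN and a service cert it signs.
make_fixtures() {
    dir=$1; mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=$2" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/svc.key" -out "$dir/svc.csr" \
        -subj "/CN=$3" 2>/dev/null
    openssl x509 -req -in "$dir/svc.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/websocket-proxy.cer" -days 1 2>/dev/null
}

# Usage: certs signed before a rename, checked against the FQDN the engine was renamed to.
tmp=$(mktemp -d)
make_fixtures "$tmp" "engine.old.example.com.12345" "engine.old.example.com"
check_certs "$tmp" "engine.new.example.com" || echo "certs still reference the old FQDN"
rm -rf "$tmp"
```

On a real engine, point check_certs at /etc/pki/ovirt-engine/certs and the FQDN from the engine's configuration; a stale-subject hit is a cert the rename tool did not re-enroll, while a stale-issuer hit reflects the CA cert that rename was designed not to recreate.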
