Related to https://bugzilla.redhat.com/show_bug.cgi?id=1336838 , and noting even a bad process is missing from the documentation, the SSL configuration process for ovirt-imageio-proxy is undocumented. Personally, per the official docs, IPA skilz, and that bugs, I got certs for the core engine working. On attempting to upload an image (cli and web UI), it failed with cert errors. Resolved by pointing /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf to the existing working certs, e.g.: ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer Personally, I'm unsure why this would ever need to have different certs then the core engine so am "fine" with reusing them, but have a minor concern that them being different certs has some value. In any case, the process to update these should also be included in the documentation Or just hard coded to point to the same certs as the core engine.
Moving to storage team, who maintains ovirt-imageio-proxy
(In reply to Jeff Warnica from comment #0) > Related to https://bugzilla.redhat.com/show_bug.cgi?id=1336838 , and noting > even a bad process is missing from the documentation, the SSL configuration > process for ovirt-imageio-proxy is undocumented. > > Personally, per the official docs, IPA skilz, and that bugs, I got certs for > the core engine working. On attempting to upload an image (cli and web UI), > it failed with cert errors. > > Resolved by pointing /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf to > the existing working certs, e.g.: > > ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass > ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer > > Personally, I'm unsure why this would ever need to have different certs then > the core engine so am "fine" with reusing them, but have a minor concern > that them being different certs has some value. > > In any case, the process to update these should also be included in the > documentation > > Or just hard coded to point to the same certs as the core engine. Hi Jeff Please tell me if I'm describing your scenario right- You had a fresh oVirt setup, then you installed new certs. After that- you weren't able to upload disk images even when configuring the new certs' CA in your browser? If I understood correctly, then the problem is not about documenting. the ovirt-imageio-proxy keys should have been regenerated after running engine-setup. did you try to rerun setup and upload? Thanks, Amit.
I did not re-run engine-setup. What mentions that as being necessary? The keys for the core engine were replaced directly (and Apache restarted). engine-setup was not mentioned in Appendix D. Aside: regeneration? I don't want engine-setup to re/generate them. I want IPA to. I'm sure others would want RHCertificate Thingy. Or AD. Or whatever. It very well isn't a documentation issue. As I said, I can't quickly come up with why they would be different certificates.
(In reply to Jeff Warnica from comment #3) > I did not re-run engine-setup. What mentions that as being necessary? > > The keys for the core engine were replaced directly (and Apache restarted). > engine-setup was not mentioned in Appendix D. > > Aside: regeneration? I don't want engine-setup to re/generate them. I want > IPA to. I'm sure others would want RHCertificate Thingy. Or AD. Or whatever. Re-generation for keys which rely on the engine's certs, being used by services that the engine uses. > > It very well isn't a documentation issue. As I said, I can't quickly come up > with why they would be different certificates. Didi, I'm not familiar enough with what happens when external certs are being used in oVirt in terms of the services that rely on the engine's cert- I'm guessing that engine-setup will re-generate the services' cert, based on the imported certs. is this correct? if not, how should we install the right CA cert for imageio-proxy?
Can you open a github issue on the oVirt site? https://github.com/oVirt/ovirt-site We can track it there. Closing here for now.
The solution mentioned in comment 0 is correct: Resolved by pointing /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf to the existing working certs, e.g.: # /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf ssl_key_file = /etc/pki/ovirt-engine/keys/my-key.pem ssl_cert_file = /etc/pki/ovirt-engine/certs/my-cert.cer I'm not sure how to create the ovirt-imageio certificate. Didi, can you explain how to do this based on the engine setup code we use today for creating the certificate? I agree we should document how to configure the certificate for users that do not want to use the default certificate created by engine setup.
(In reply to Nir Soffer from comment #9) > The solution mentioned in comment 0 is correct: > > Resolved by pointing /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf to > the existing working certs, e.g.: > > # /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf > ssl_key_file = /etc/pki/ovirt-engine/keys/my-key.pem > ssl_cert_file = /etc/pki/ovirt-engine/certs/my-cert.cer > > I'm not sure how to create the ovirt-imageio certificate. Didi, can you > explain > how to do this based on the engine setup code we use today for creating the > certificate? Why would you want to do that? engine-setup should do this for you. The command it uses is: /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=imageio-proxy --password=mypass --subject="${subject}" where $subject is the same as the other certs it creates. > > I agree we should document how to configure the certificate for users that > do not > want to use the default certificate created by engine setup. Sorry, I do not have a full context. Do you mean we need something like bug 1362573, but for imageio-proxy? I agree. I think it should be enough to duplicate step 9 of [1] and adapt it to imageio-proxy as comment 0 suggests. If so, please move the bug to doc team. Otherwise, please clarify. [1] https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.2/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl
(In reply to Yedidyah Bar David from comment #10) > > I'm not sure how to create the ovirt-imageio certificate. Didi, can you > > explain > > how to do this based on the engine setup code we use today for creating the > > certificate? > > Why would you want to do that? engine-setup should do this for you. > > The command it uses is: > > /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=imageio-proxy > --password=mypass --subject="${subject}" Thanks, that looks helpful... > where $subject is the same as the other certs it creates. But what is subject? What if you don't have the first cert as a reference? Can we have a simpler tool? > > I agree we should document how to configure the certificate for users that > > do not > > want to use the default certificate created by engine setup. > > Sorry, I do not have a full context. > > Do you mean we need something like bug 1362573, but for imageio-proxy? I do't understand the issue bug 1362573 is handling. What we need is documented procedures for: - Update certificate after renaming hosts - Update certificates after engine CA is modifed for some reason - Generate certificates based on user CA certificate instead of engine default.
(In reply to Nir Soffer from comment #11) > (In reply to Yedidyah Bar David from comment #10) > > > I'm not sure how to create the ovirt-imageio certificate. Didi, can you > > > explain > > > how to do this based on the engine setup code we use today for creating the > > > certificate? > > > > Why would you want to do that? engine-setup should do this for you. > > > > The command it uses is: > > > > /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=imageio-proxy > > --password=mypass --subject="${subject}" > > Thanks, that looks helpful... Not sure - I only wrote it because you asked :-) > > > where $subject is the same as the other certs it creates. > But what is subject? You can copy it from some other cert, e.g.: openssl x509 -in /etc/pki/ovirt-engine/certs/engine.cer -noout -subject See also e.g.: https://www.ovirt.org/documentation/how-to/migrate-pki-to-sha256/ > What if you don't have the first cert as a reference? If ca.pem, the engine's internal CA self-signed cert, is missing, then basically all your PKI is broken. You should run 'engine-setup', and it will hopefully recreate everything, but that very likely won't be enough. Is this related to current bug? > > Can we have a simpler tool? Perhaps we can, please file a bug if needed, and clarify what you need. > > > > I agree we should document how to configure the certificate for users that > > > do not > > > want to use the default certificate created by engine setup. > > > > Sorry, I do not have a full context. > > > > Do you mean we need something like bug 1362573, but for imageio-proxy? > > I do't understand the issue bug 1362573 is handling. Well, perhaps _I_ do not understand what _current_ bug is handling. I _thought_ that current bug is exactly like 1362573, just replace "vmconsole" with "imageio" - meaning, something like: "[Docs][Admin] Extend appe-Red_Hat_Enterprise_Virtualization_and_SSL.html to cover imageio", where "appe-Red_Hat_Enterprise_Virtualization_and_SSL.html" refers to [1] in comment 10. If I got it right, then I already wrote in comment 10 what should be done. > > What we need is documented procedures for: > > - Update certificate after renaming hosts For the changing the engine's FQDN, see bug 1575979. If you meant something else, please clarify. > - Update certificates after engine CA is modifed for some reason Please elaborate. What's "some reason"? What's the modification? engine CA should usually be modified, if at all, only using 'engine-setup' (or ovirt-engine-rename). > - Generate certificates based on user CA certificate instead of engine > default. I think I replied to this in comment 10. Do we really want to generate certs specifically for imageio? And not use apache's?
I can think of no general use case where foo.corp.com:443 and foo.corp.com:<anything else> would need to be different certificates. To which, ovirt-imageio-proxy should simply use, either with "configuration" files pointing at, or symlinks linked to, the basic Apache reverse proxy. From there, all run time documentation and configuration steps specific to ovirt-imageio-proxy become irrelevant; there is nothing to do. If the core certificate process needs additional code or doc RFE, so be it. For an unimaginable situation where some end user wishes something very weird, the have the option of breaking that, but it would be entirely reasonable to leave such weirdness undocumented and unsupported, just as if the end user hacked up source code.
(In reply to Jeff Warnica from comment #13) > I can think of no general use case where foo.corp.com:443 and > foo.corp.com:<anything else> would need to be different certificates. > > To which, ovirt-imageio-proxy should simply use, either with "configuration" > files pointing at, or symlinks linked to, the basic Apache reverse proxy. This is already supported, we have this configuration file: # cat /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf [proxy] # Key file for SSL connections ssl_key_file = /etc/pki/ovirt-engine/keys/imageio-proxy.key.nopass # Certificate file for SSL connections ssl_cert_file = /etc/pki/ovirt-engine/certs/imageio-proxy.cer # Certificate file used when decoding signed token engine_cert_file = /etc/pki/ovirt-engine/certs/engine.cer # CA certificate file used to verify signed token engine_ca_cert_file = /etc/pki/ovirt-engine/ca.pem
(In reply to Yedidyah Bar David from comment #12) > Do we really want to generate certs specifically for imageio? And not use > apache's? I don't see any reason to complicate configuration by having special certificates. If we can remove special code for proxy certificates and use the same certificate used by engine or apache it will be great.
Moving to Storage, they need to answer if there are any code changes necessary or if this is a doc change only
Hello, I am have a problem with imageio-proxy certificante. A lot of time in ovirt 4.0 I created a new certificate and change name of ovirt. after I created a new 3part certificate and all works fine but now i am try upload a image and have this error : Transfer was stopped by system. Reason: failed to add image ticket to ovirt-imageio-proxy. when I try download the ca: https://myovirt/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA but the certificate is about old ovirt name and no about the actual name. I never chagen this value: # Key file for SSL connections ssl_key_file = /etc/pki/ovirt-engine/keys/imageio-proxy.key.nopass # Certificate file for SSL connections ssl_cert_file = /etc/pki/ovirt-engine/certs/imageio-proxy.cer # Certificate file used when decoding signed token engine_cert_file = /etc/pki/ovirt-engine/certs/engine.cer # CA certificate file used to verify signed token engine_ca_cert_file = /etc/pki/ovirt-engine/ca.pem I will need regerate new certificates ? if yes: how this is? in the engine-setup? I already try chage the locate to : ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer but this not working.
This bug has not been marked as blocker for oVirt 4.3.0. Since we are releasing it tomorrow, January 29th, this bug has been re-targeted to 4.3.1.
FYI: I intend to close current bug as duplicate of bug 1637809, once we fix that one. Feel free to already do that. This also depends on fixing bug 1687301, should happen soon.
Before I forget: We can't close current, because we do need to add a step: systemctl restart ovirt-imageio-proxy.service
Vojta is working updating the documentation here: https://gerrit.ovirt.org/c/110539/ There is also bug 1862107 for adding new configuration.
Please note that the service changed its name in 4.4, so we should add this command to the doc: systemctl restart ovirt-imageio.service
merged changes to 4.4 branch, need to publish
Uptdates affect these guides: doc-Administration_Guide doc-Technical_Reference doc-Upgrade_Guide
Published to 4.4 branch