This is a catch-all bug to collect feedback from various sources on "Replacing the Red Hat Virtualization Manager SSL Certificate", which seems to be receiving a lot of attention lately.
Please add any further feedback to this bug.
Public docs comment feedback:
"Can we add more to this explaining how to generate a compatible P12 from openssl or even a CSR with response. I think some details on key length, algorithm would be beneficial. This appears to be a difficult subject for many end users. Also an export or import indicating the option for -nokeys may be needed.
Why does ovirt seem to be different than instructions here? What about the nopass key? http://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/"
*** Bug 1417055 has been marked as a duplicate of this bug. ***
*** Bug 1122895 has been marked as a duplicate of this bug. ***
*** Bug 1156381 has been marked as a duplicate of this bug. ***
*** Bug 1330754 has been marked as a duplicate of this bug. ***
Step 4 is a possible source of confusion.
"Back up your P12 bundle, and then move it to /etc/pki/ovirt-engine/keys/apache.p12."
That's one of the only steps in the document without the follow-up syntax. Also 'your P12 bundle' is somewhat vague. I'm assuming it is a new P12 file created for the Apache server certificate and not for the root CA certificate.
Assuming that it requires openssl pkcs12 -export -inkey mynew.key -in mynew.crt -out apache.p12
Also 'Back up your bundle' could imply using the existing key and cert combination before applying the new one. I'm still assuming from the reference to apache.p12 in steps 5 and 6 that what step 4 means is 'create a new P12 bundle from your cert and key'.
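The openssl pkcs12 step guessed at above, written out as an added example that is not from this bug or from the RHV documentation: it checks that the key and certificate belong together before exporting, and reads the resulting bundle back with -nokeys (the option the docs feedback asks about) to confirm it carries the expected certificate. File names, the password and the demo CN are assumptions.

```shell
#!/bin/sh
# Added example (not the bug's or the RHV docs' own code): build apache.p12
# from a separate key and certificate, as step 4 of the procedure expects.
set -eu

# Succeed only if the private key and the certificate carry the same public key
# (compared as DER SubjectPublicKeyInfo digests, so it works for RSA and EC).
key_matches_cert() {
    key="$1"; cert="$2"
    [ -r "$key" ] && [ -r "$cert" ] || return 1
    k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ "$k" = "$c" ]
}

# Export key + cert (+ optional intermediate chain file) into a PKCS#12 bundle.
# A password is required: the engine reads apache.p12 with a configured password.
make_apache_p12() {
    key="$1"; cert="$2"; out="$3"; pass="$4"; chain="${5:-}"
    key_matches_cert "$key" "$cert" || { echo "key/cert mismatch" >&2; return 1; }
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -out "$out" -passout "pass:$pass"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" -out "$out" -passout "pass:$pass"
    fi
}

# SHA-256 fingerprint of the end-entity certificate inside a P12 bundle.
# -nokeys reads the bundle without emitting the private key; -clcerts skips CA certs.
p12_cert_fingerprint() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# SHA-256 fingerprint of a PEM certificate, for comparison with the bundle.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Stand-alone demo on a constructed throwaway self-signed key/cert (not a real RHV cert).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$tmp/mynew.key" -out "$tmp/mynew.crt" \
    -subj "/CN=rhvm.example.com" -days 1 >/dev/null 2>&1
make_apache_p12 "$tmp/mynew.key" "$tmp/mynew.crt" "$tmp/apache.p12" "demo-password"
[ "$(p12_cert_fingerprint "$tmp/apache.p12" demo-password)" = "$(cert_fingerprint "$tmp/mynew.crt")" ] \
    && echo "apache.p12 carries the certificate from mynew.crt"
```

In a real replacement the password passed to make_apache_p12 must be the one the engine is configured to use for apache.p12, and the chain file is the intermediate CA bundle from the issuing CA.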
From bug 1443225:
The RHV 4.x Administration Guide does not include step to update /etc/pki/ovirt-engine/ca.pem when using self signed certificate under "Appendix D. Red Hat Virtualization and SSL".
Below are steps to include:
# cd /etc/pki/ovirt-engine
# openssl x509 -in /tmp/<self_signed_certificate> -out ca.pem
# cat apache-ca.pem >> ca.pem
# systemctl restart httpd.service
# systemctl restart ovirt-engine.service
Would be good to change the title from 'SSL' to 'SSL/TLS'.
*** Bug 1443225 has been marked as a duplicate of this bug. ***
Assigning to Emma for review.
Emma asked me in private to review :-) Setting needinfo on myself for now.
The updated documentation is available on the Customer Portal: