Description of problem:
When I access RHEVM by going to FQDN, https://rhvm.example.com, all works as expected. But if I set a CNAME record, say, cname.example.com that points to rhvm.example.com, and then try to access RHVM via the CNAME, it returns, "The client is not authorized to request an authorization. It's required to access the system using FQDN."

The customer needs to access RHVM via different CNAMEs, all pointing to the correct FQDN.

Version-Release number of selected component (if applicable):
4.1 Beta

How reproducible:
always

Steps to Reproduce:
1. Set up RHVM with both hostname and FQDN, say, rhv41.example.com
2. Set up a DNS CNAME record, say, cname.example.com
3. Try to access the admin portal using https://cname.example.com

Actual results:
It returns, "The client is not authorized to request an authorization. It's required to access the system using FQDN."

Expected results:
It should redirect to the FQDN and just work.

Additional info:

Sounds more like an RFE than a bug to me?

> Sounds more like an RFE than a bug to me?

Yeah, I was thinking about that last night. It is documented to work this way and the customer needs it to work differently. I'll change the title.

- Greg

Greg, did you try setting the alternate FQDN @ /etc/ovirt-engine/engine.conf.d/99-custom-fqdn.conf ?

SSO_ALTERNATE_ENGINE_FQDNS="CNAME-OR-ANOTHER-NAME"

Wow - no - I didn't know you could do that. I'll check it out.

- Greg

I just tried it - it worked.

My FQDN is rhev41beta.infrasupport.local. My cname is cnametest.infrasupport.local.

[root@rhevm41beta engine.conf.d]# pwd
/etc/ovirt-engine/engine.conf.d
[root@rhevm41beta engine.conf.d]# more 99-custom-fqdn.conf
SSO_ALTERNATE_ENGINE_FQDNS="cnametest.infrasupport.local"
[root@rhevm41beta engine.conf.d]#

Tried navigating to cnametest.infrasupport.local in a browser window - still returned the error.

I restarted ovirt-engine:

[root@rhevm41beta engine.conf.d]# systemctl restart ovirt-engine
[root@rhevm41beta engine.conf.d]# systemctl status ovirt-engine
● ovirt-engine.service - oVirt Engine
   Loaded: loaded (/usr/lib/systemd/system/ovirt-engine.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-03-12 12:47:09 EDT; 7s ago
 Main PID: 30352 (ovirt-engine.py)
   CGroup: /system.slice/ovirt-engine.service
           ├─30352 /usr/bin/python /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.py --redirect-output --systemd=notify start
           └─30384 ovirt-engine -server -XX:+TieredCompilation -Xms3971M -Xmx3971M -Djava.awt.headless=true -Dsun.rmi.dgc.client.gcInterva...

Mar 12 12:47:09 rhevm41beta.infrasupport.local systemd[1]: Unit ovirt-engine.service entered failed state.
Mar 12 12:47:09 rhevm41beta.infrasupport.local systemd[1]: ovirt-engine.service failed.
Mar 12 12:47:09 rhevm41beta.infrasupport.local systemd[1]: Starting oVirt Engine...
Mar 12 12:47:09 rhevm41beta.infrasupport.local systemd[1]: Started oVirt Engine.
[root@rhevm41beta engine.conf.d]#

And now all browser access works just fine.

We should document all these .conf file tricks.

- Greg

Oh - this will come up - let's say I need multiple aliases pointing to the same FQDN. What's the syntax in /etc/ovirt-engine/engine.conf.d/99-custom-fqdn.conf ?

SSO_ALTERNATE_ENGINE_FQDNS="CNAME-OR-ANOTHER-NAME" - can this be a list? If so, what's the separator?

thanks

- Greg

This feature has already been solved by BZ1325746 in oVirt/RHV 4.0.4, please take a look at Doc Text of the bug to find out all necessary details. I'm closing now as duplicate, feel free to ask if something is unclear or reopen if some functionality is missing.

*** This bug has been marked as a duplicate of bug 1325746 ***